Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ APT5

🌐APT5

🌐 APT5 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 29 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1023) ↗
14Use cases
0Articles
29Techniques
0IOCs

About this actor (MITRE)

[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://attack.mitre.org/groups/G1023) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zer

Known aliases

APT5Mulberry TyphoonMANGANESEBRONZE FLEETWOODKeyhole PandaUNC2630

Top techniques

T1003.001 · LSASS MemoryT1003.002 · Security Account ManagerT1021.001 · Remote Desktop Protocol

All other tracked techniques

T1021.004 · SSHT1036.005 · Match Legitimate Resource Name or LocationT1049 · System Network Connections DiscoveryT1053.003 · CronT1055 · Process InjectionT1056.001 · KeyloggingT1057 · Process DiscoveryT1059.001 · PowerShellT1059.003 · Windows Command ShellT1070 · Indicator RemovalT1070.003 · Clear Command HistoryT1070.004 · File DeletionT1070.006 · TimestompT1074.001 · Local Data StagingT1078.002 · Domain AccountsT1078.004 · Cloud AccountsT1083 · File and Directory DiscoveryT1098.007 · Additional Local or Domain GroupsT1136.001 · Local AccountT1190 · Exploit Public-Facing ApplicationT1505.003 · Web ShellT1554 · Compromise Host Software BinaryT1560.001 · Archive via UtilityT1583.005 · BotnetT1654 · Log EnumerationT1685 · Disable or Modify Tools

Detection use cases (14)

APT5 (Mulberry Typhoon / UNC2630) LSASS credential dump via rundll32 + comsvcs.dll MiniDump AI · profile SΣ APT5 staging and RAR-archiving collected data in non-user paths (PerfLogs / ProgramData / Public) AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Web-Server Process Post-Exploit Anchor: Plugin/Extension RCE Leading to Shell Spawn or Webroot Script Drop MITRE match Abnormal Security: login from new location MITRE match Auth0 impossible-travel sign-in MITRE match