Clankerusecase
Threat-actor profile

🇨🇳 BlackTech

🇨🇳 BlackTech is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 14 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

Use cases: 14
Articles: 0
Techniques: 14
IOCs: 0

About this actor (MITRE)

[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living-off-the-land tactics to compromise media, construction, engineering, electronics, and financial company networks. (Citations: TrendMicro BlackTech June 2017; Symantec Palmerworm Sep 2020; Reuters Taiwan BlackTech August 2020)

Known aliases

BlackTech, Palmerworm

Detection use cases (14)

BlackTech (Palmerworm) DLL search-order hijack — signed third-party binary side-loading unsigned DLL from user-writable path [AI · profile]
BlackTech SoftEther VPN tunnel staging on internal hosts [AI · profile]
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
Developer package install spawning script-host with non-registry C2 within 5 minutes [MITRE match]
OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay [MITRE match]
Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access [MITRE match]
Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes [MITRE match]
Package manager lifecycle hook spawns network-fetching shell or runtime [MITRE match]
Service-process parent spawns subprocess containing CLI-argument-injection tokens [MITRE match]
Abnormal Security: malicious email opened [MITRE match]
Authentication not detected on admin API endpoint [MITRE match]
AWS S3 bucket ACL / policy made public [MITRE match]
Click on URL whose host doesn't match the sender domain [MITRE match]
Email attachment opened from external sender [MITRE match]