Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Chimera

🌐Chimera

🌐 Chimera is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 59 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0114) ↗
14Use cases
0Articles
59Techniques
0IOCs

About this actor (MITRE)

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Known aliases

Chimera

Top techniques

T1003.003 · NTDST1007 · System Service DiscoveryT1012 · Query Registry

All other tracked techniques

T1016 · System Network Configuration DiscoveryT1018 · Remote System DiscoveryT1021.001 · Remote Desktop ProtocolT1021.002 · SMB/Windows Admin SharesT1021.006 · Windows Remote ManagementT1027.010 · Command ObfuscationT1033 · System Owner/User DiscoveryT1036.005 · Match Legitimate Resource Name or LocationT1039 · Data from Network Shared DriveT1041 · Exfiltration Over C2 ChannelT1046 · Network Service DiscoveryT1047 · Windows Management InstrumentationT1049 · System Network Connections DiscoveryT1053.005 · Scheduled TaskT1057 · Process DiscoveryT1059.001 · PowerShellT1059.003 · Windows Command ShellT1069.001 · Local GroupsT1070.004 · File DeletionT1070.006 · TimestompT1071.001 · Web ProtocolsT1071.004 · DNST1074.001 · Local Data StagingT1074.002 · Remote Data StagingT1078 · Valid AccountsT1078.002 · Domain AccountsT1083 · File and Directory DiscoveryT1087.001 · Local AccountT1087.002 · Domain AccountT1105 · Ingress Tool TransferT1106 · Native APIT1110.003 · Password SprayingT1110.004 · Credential StuffingT1111 · Multi-Factor Authentication InterceptionT1114.001 · Local Email CollectionT1114.002 · Remote Email CollectionT1119 · Automated CollectionT1124 · System Time DiscoveryT1133 · External Remote ServicesT1135 · Network Share DiscoveryT1201 · Password Policy DiscoveryT1213.002 · SharepointT1217 · Browser Information DiscoveryT1482 · Domain Trust DiscoveryT1550.002 · Pass the HashT1556.001 · Domain Controller AuthenticationT1560.001 · Archive via UtilityT1567.002 · Exfiltration to Cloud StorageT1569.002 · Service ExecutionT1570 · Lateral Tool TransferT1572 · Protocol TunnelingT1574.001 · DLLT1588.002 · ToolT1589.001 · CredentialsT1680 · Local Storage DiscoveryT1685.005 · Clear Windows Event Logs

Detection use cases (14)

Chimera 'Skeleton Key' DC authentication patching via Mimikatz on domain controllers (Operation Skeleton Key) AI · profile SΣ Chimera staged exfiltration — 7-Zip multipart archive on a DC/file share followed by cloud-storage egress AI · profile S 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match