Clankerusecase
Threat-actor profile

Cinnamon Tempest

Cinnamon Tempest is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 19 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- 14 use cases
- 0 articles
- 19 techniques
- 0 IOCs

About this actor (MITRE)

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinn

Known aliases

- Cinnamon Tempest
- DEV-0401
- Emperor Dragonfly
- BRONZE STARLIGHT


Detection use cases (14)

- Cinnamon Tempest (BRONZE STARLIGHT) DLL side-loading of Cobalt Strike via signed binary in user-writable path (AI · profile)
- Cinnamon Tempest GPO-driven ransomware fan-out (SYSVOL StartupScript write + multi-host shadow copy deletion) (AI · profile)
- 1Password impossible-travel sign-in (MITRE match)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint (MITRE match)
- Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) (MITRE match)
- Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition (MITRE match)
- Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress (MITRE match)
- Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry (MITRE match)
- Package-manager install hook spawns interpreter that beacons to non-registry host within 120s (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)