Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Elderwood

🌐Elderwood

🌐 Elderwood is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 9 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0066) ↗
14Use cases
0Articles
9Techniques
0IOCs

About this actor (MITRE)

[Elderwood](https://attack.mitre.org/groups/G0066) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Known aliases

ElderwoodElderwood GangBeijing GroupSneaky Panda

Top techniques

T1027.002 · Software PackingT1027.013 · Encrypted/Encoded FileT1105 · Ingress Tool Transfer

All other tracked techniques

T1189 · Drive-by CompromiseT1203 · Exploitation for Client ExecutionT1204.001 · Malicious LinkT1204.002 · Malicious FileT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing Link

Detection use cases (14)

Elderwood / Beijing Group watering-hole 0-day: browser spawns LOLBin and drops PE within 2 minutes (Operation Aurora pattern) AI · profile S Elderwood spearphishing → Office macro → encoded/packed payload staging (T1566 + T1204.002 + T1027.013) AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host MITRE match