Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ IndigoZebra

🌐IndigoZebra

🌐 IndigoZebra is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 7 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0136) ↗
14Use cases
0Articles
7Techniques
0IOCs

About this actor (MITRE)

[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)

Known aliases

IndigoZebra

Top techniques

T1105 · Ingress Tool TransferT1204.002 · Malicious FileT1566.001 · Spearphishing Attachment

All other tracked techniques

T1583.001 · DomainsT1583.006 · Web ServicesT1586.002 · Email AccountsT1588.002 · Tool

Detection use cases (14)

IndigoZebra (BoxCaon) — Dropbox API abused as C2 channel by non-browser process AI · profile SΣ IndigoZebra spearphish chain — compromised Central Asian gov mailbox → password-protected archive → child binary executed from %TEMP% AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host MITRE match Abnormal Security: malicious email opened MITRE match Click on URL whose host doesn't match the sender domain MITRE match