Home/ Threat Actors/ Ke3chang

🌐Ke3chang

🌐 Ke3chang is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 46 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0004) ↗

14Use cases

0Articles

46Techniques

0IOCs

About this actor (MITRE)

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)

Known aliases

Ke3changAPT15MirageVixen PandaGREFPlayful DragonRoyalAPTNICKELNylon Typhoon

Top techniques

T1003.001 · LSASS Memory T1003.002 · Security Account Manager T1003.003 · NTDS

All other tracked techniques

T1003.004 · LSA Secrets T1005 · Data from Local System T1007 · System Service Discovery T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1020 · Automated Exfiltration T1021.002 · SMB/Windows Admin Shares T1027 · Obfuscated Files or Information T1033 · System Owner/User Discovery T1036.002 · Right-to-Left Override T1036.005 · Match Legitimate Resource Name or Location T1041 · Exfiltration Over C2 Channel T1049 · System Network Connections Discovery T1056.001 · Keylogging T1057 · Process Discovery T1059 · Command and Scripting Interpreter T1059.003 · Windows Command Shell T1069.002 · Domain Groups T1071.001 · Web Protocols T1071.004 · DNS T1078 · Valid Accounts T1078.004 · Cloud Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1087.001 · Local Account T1087.002 · Domain Account T1105 · Ingress Tool Transfer T1114.002 · Remote Email Collection T1119 · Automated Collection T1133 · External Remote Services T1140 · Deobfuscate/Decode Files or Information T1190 · Exploit Public-Facing Application T1213.002 · Sharepoint T1543.003 · Windows Service T1547.001 · Registry Run Keys / Startup Folder T1558.001 · Golden Ticket T1560 · Archive Collected Data T1560.001 · Archive via Utility T1569.002 · Service Execution T1583.005 · Botnet T1587.001 · Malware T1588.002 · Tool T1614.001 · System Language Discovery

Detection use cases (14)

Ke3chang / NICKEL RoyalDNS implant — periodic DNS TXT-record C2 beaconing AI · profile S Ke3chang / NICKEL diplomatic-target post-exploit recon command burst AI · profile S 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match