Clankerusecase
Threat-actor profile

🇨🇳 Naikon

🇨🇳 Naikon is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 14 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

14 Use cases
0 Articles
14 Techniques
0 IOCs

About this actor (MITRE)

[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeas

Known aliases

Naikon


Detection use cases (14)

- Naikon (PLA Unit 78020) Aria-body / RainyDay DLL search-order hijack via signed-binary side-load (AI · profile SΣ)
- Naikon WMIC reconnaissance burst followed by scheduled-task or WMI persistence within 30 min (AI · profile S)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
- Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
- Abnormal Security: malicious email opened (MITRE match)
- Email attachment opened from external sender (MITRE match)
- Scheduled task created with suspicious image / encoded args (MITRE match)
- Advanced IP or Port Scanner Execution (MITRE match)
- Attacker Tools On Endpoint (MITRE match)
- Cisco IOS XE Reconnaissance Command Activity (MITRE match)
- Cisco IOS XE Remote Access Probe Burst (MITRE match)