Clankerusecase
Threat-actor profile

🇨🇳 Suckfly

🇨🇳 Suckfly is a tracked threat actor in the Clankerusecase corpus, assessed as China-aligned; its primary motivation is unknown. We map 13 detection use cases to this actor across 5 MITRE ATT&CK techniques, with 0 threat-intel articles citing it.

MITRE ATT&CK group: G0039
Use cases: 13
Articles: 0
Techniques: 5
IOCs: 0

About this actor (MITRE)

[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)

Known aliases

Suckfly

Detection use cases (13)

1. Suckfly (G0039) chain — stolen-cert signed binary in user-writable path → net discovery + LSASS credential dumping [AI · profile]
2. 1Password impossible-travel sign-in [MITRE match]
3. Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint [MITRE match]
4. Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain [MITRE match]
5. Service-process parent spawns subprocess containing CLI-argument-injection tokens [MITRE match]
6. Atlassian administrator impersonating user [MITRE match]
7. Auth0 anomalous attack-protection event spike [MITRE match]
8. AWS Console login without MFA + impossible travel [MITRE match]
9. Credential-stuffing attack on application [MITRE match]
10. GitLab password reset from suspicious IP [MITRE match]
11. LSASS process access / dump (credential theft) [MITRE match]
12. Advanced IP or Port Scanner Execution [MITRE match]
13. Attacker Tools On Endpoint [MITRE match]