Home/ Threat Actors/ Threat Group-3390

🇨🇳Threat Group-3390

🇨🇳 Threat Group-3390 is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 57 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0027) ↗

14Use cases

0Articles

57Techniques

0IOCs

About this actor (MITRE)

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)

Known aliases

Threat Group-3390Earth SmilodonTG-3390Emissary PandaBRONZE UNIONAPT27Iron TigerLuckyMouseLinen Typhoon

Top techniques

T1003.001 · LSASS Memory T1003.002 · Security Account Manager T1003.004 · LSA Secrets

All other tracked techniques

T1005 · Data from Local System T1012 · Query Registry T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1021.006 · Windows Remote Management T1027.002 · Software Packing T1027.013 · Encrypted/Encoded File T1027.015 · Compression T1030 · Data Transfer Size Limits T1033 · System Owner/User Discovery T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1049 · System Network Connections Discovery T1053.002 · At T1055.012 · Process Hollowing T1056.001 · Keylogging T1059.001 · PowerShell T1059.003 · Windows Command Shell T1068 · Exploitation for Privilege Escalation T1070.004 · File Deletion T1070.005 · Network Share Connection Removal T1071.001 · Web Protocols T1074.001 · Local Data Staging T1074.002 · Remote Data Staging T1078 · Valid Accounts T1087.001 · Local Account T1105 · Ingress Tool Transfer T1112 · Modify Registry T1119 · Automated Collection T1133 · External Remote Services T1140 · Deobfuscate/Decode Files or Information T1189 · Drive-by Compromise T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1199 · Trusted Relationship T1203 · Exploitation for Client Execution T1204.002 · Malicious File T1210 · Exploitation of Remote Services T1505.003 · Web Shell T1543.003 · Windows Service T1547.001 · Registry Run Keys / Startup Folder T1548.002 · Bypass User Account Control T1555.005 · Password Managers T1560.002 · Archive via Library T1566.001 · Spearphishing Attachment T1567.002 · Exfiltration to Cloud Storage T1574.001 · DLL T1583.001 · Domains T1588.002 · Tool T1588.003 · Code Signing Certificates T1608.001 · Upload Malware T1608.002 · Upload Tool T1608.004 · Drive-by Target T1685.001 · Disable or Modify Windows Event Log

Detection use cases (14)

TG-3390 / Emissary Panda DLL side-loading via signed third-party binary dropping HyperBro/PlugX AI · profile SΣ TG-3390 China Chopper / ASPXSpy webshell — IIS/Exchange w3wp.exe spawning recon & credential-access binaries AI · profile SΣ 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match