
Also Known As
APT27 | Group 35 | ZipToken | HippoTeam | Iron Tiger APT | Bronze Union | Lucky Mouse | TG-3390 | TEMP.Hippo
Origin
China
Target Countries
Saudi Arabia | Qatar | India | Kazakhstan | Spain | United Kingdom | United States
Targeted Verticals
Government | Military | Healthcare | Telecommunications | Retail | Commercial
MITRE TTPs
Abuse Elevation Control Mechanism: Bypass User Account Control
Account Discovery: Local Account
Application Layer Protocol: Web Protocols
Archive Collected Data: Archive via Library
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Create or Modify System Process: Windows Service
Data Staged: Local Data Staging
Data Staged: Remote Data Staging
Deobfuscate/Decode Files or Information
Exploitation for Client Execution
Exploitation for Privilege Escalation
Exploitation of Remote Services
Hijack Execution Flow: DLL Search Order Hijacking
Hijack Execution Flow: DLL Side-Loading
Impair Defenses: Disable Windows Event Logging
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Network Share Connection Removal
Obfuscated Files or Information
OS Credential Dumping: LSA Secrets
OS Credential Dumping: LSASS Memory
OS Credential Dumping: Security Account Manager
Process Injection: Process Hollowing
Remote Services: Windows Remote Management
Scheduled Task/Job: At (Windows)
Server Software Component: Web Shell
System Network Configuration Discovery
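As an added example (not part of this profile and not any vendor's or the group's own tooling), the Python below maps constructed, simplified Windows telemetry onto a few of the techniques listed above: service installs from user-writable paths, at.exe scheduling, LSASS handle access with read rights, side-loaded DLLs, web-server processes spawning shells, `net use /delete`, and audit policy being switched off. The event field names, the sample records, and the allow list of processes expected to touch lsass.exe are assumptions for illustration, loosely modelled on Sysmon and Windows Security event fields rather than taken from a real export.

```python
"""Map constructed Windows telemetry to some of the ATT&CK techniques above.
Added example, not part of the original page. Event records are constructed
and simplified; field names only loosely follow Sysmon / Security events."""
import re

# Directories an unprivileged user can normally write to; a service binary or
# a side-loaded DLL living here is a strong signal on its own.
USER_WRITABLE = re.compile(
    r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\|c:\\perflogs\\)", re.I
)
PROCESS_VM_READ = 0x0010          # credential dumpers need at least this on lsass
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # assumed allow list


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower() + "\\"


def classify(ev: dict) -> list:
    """Return the (technique_id, technique_name) pairs one event matches."""
    hits = []
    kind = ev.get("type")
    cmd = ev.get("command_line", "").lower()
    if kind == "process_create":
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        if image == "at.exe":
            hits.append(("T1053.002", "Scheduled Task/Job: At (Windows)"))
        if parent in WEB_SERVER_PARENTS and image in SHELLS:
            hits.append(("T1505.003", "Server Software Component: Web Shell"))
        if re.search(r"\bnet(?:1)?(?:\.exe)?\s+use\b.*\s/delete\b", cmd):
            hits.append(("T1070.005",
                         "Indicator Removal on Host: Network Share Connection Removal"))
        if re.search(r"\bauditpol(?:\.exe)?\b.*\bdisable\b", cmd) or \
           re.search(r"\bsc(?:\.exe)?\s+config\s+eventlog\s+start=\s*disabled", cmd):
            hits.append(("T1562.002", "Impair Defenses: Disable Windows Event Logging"))
    elif kind == "service_install":
        path = ev.get("image_path", "").lower()
        if USER_WRITABLE.match(path) or any(s in path for s in ("cmd.exe /c", "powershell")):
            hits.append(("T1543.003", "Create or Modify System Process: Windows Service"))
    elif kind == "process_access":
        if _basename(ev.get("target_image", "")) == "lsass.exe" and \
           ev.get("granted_access", 0) & PROCESS_VM_READ and \
           _basename(ev.get("source_image", "")) not in LSASS_ALLOWED:
            hits.append(("T1003.001", "OS Credential Dumping: LSASS Memory"))
    elif kind == "image_load":
        loaded = ev.get("image_loaded", "")
        # A signed host process loading an unsigned DLL that sits beside it in a
        # user-writable directory is the classic side-loading shape.
        if loaded.lower().endswith(".dll") and not ev.get("loaded_signed", True) \
           and ev.get("process_signed", False) and USER_WRITABLE.match(loaded) \
           and _dirname(loaded) == _dirname(ev.get("image", "")):
            hits.append(("T1574.002", "Hijack Execution Flow: DLL Side-Loading"))
    return hits


def scan(events: list) -> dict:
    """Return {technique_id: [event indexes]} over a list of event records."""
    found = {}
    for i, ev in enumerate(events):
        for tid, _name in classify(ev):
            found.setdefault(tid, []).append(i)
    return found


SAMPLE_EVENTS = [  # constructed records for the demo, not from a real incident
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": r'cmd.exe /c "whoami & ipconfig /all"'},
    {"type": "process_create", "image": r"C:\Windows\System32\at.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"at.exe \\10.0.0.7 03:15 C:\ProgramData\s.bat"},
    {"type": "service_install", "service_name": "WinSvcHelper",
     "image_path": r"C:\ProgramData\svc\svchelper.exe"},
    {"type": "process_access", "source_image": r"C:\Users\Public\pd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"type": "image_load", "image": r"C:\Users\Public\Update\update.exe",
     "image_loaded": r"C:\Users\Public\Update\helper.dll",
     "process_signed": True, "loaded_signed": False},
    {"type": "process_create", "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"net use \\10.0.0.7\c$ /delete"},
    {"type": "process_create", "image": r"C:\Windows\System32\auditpol.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"auditpol /set /category:* /success:disable /failure:disable"},
    # benign noise that must not fire
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    {"type": "process_access", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1000},
]

if __name__ == "__main__":
    for tid, idxs in sorted(scan(SAMPLE_EVENTS).items()):
        print(tid, idxs)
```

Each rule keys on a structural property (parent/child pair, path location, access mask, signature mismatch) rather than on a hash or a tool name, so it still fires when the binary is rebuilt; the cost is that the allow list and the user-writable path set have to be tuned per environment before the LSASS and service rules are quiet enough to page on.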