TA428
TA428 is a Chinese state-linked (China-nexus) cyberespionage threat actor. Reported aliases include Colourful Panda, BRONZE DUDLEY, and Vicious Panda. Some reporting also discusses possible ties or overlap with clusters such as Worok, LuckyMouse/APT27/Emissary Panda, and Space Pirates, but those relationships are presented as overlaps or possible connections rather than firm identity.

TA428 has been associated with espionage operations targeting government, foreign affairs, military-industrial, public-sector, and related organizations across East and Southeast Asia and Russia, including Mongolia, Vietnam, ASEAN government entities, and Russian government institutions. The actor has been linked to Operation LagTime IT, in which spear-phishing emails delivered malicious RTF documents exploiting Microsoft Equation Editor vulnerabilities, including CVE-2018-0798, against East Asian government agencies. In that activity, TA428 used Cotx RAT and Poison Ivy, and post-compromise behavior included lateral movement with EternalBlue. Kaspersky-linked reporting also associates TA428 with campaigns against military-industrial and public institutions in Belarus, Russia, Ukraine, and Afghanistan that used spear-phishing documents exploiting CVE-2017-11882 to deploy PortDoor, followed by redundant backdoor deployment, credential theft, lateral movement, and domain compromise.

Malware and tooling attributed to TA428 include Tmanger, PhantomNet/SManager/DOWNTOWN, Cotx RAT, Poison Ivy, PortDoor, nccTrojan, Logtu, DNSep, and the Ladon framework. Tmanger is described as a modular RAT with SetUp, MloadDll, and Client components; it uses privilege-dependent persistence via a Windows service or a Run key, RC4-encrypted C2 traffic, host reconnaissance, and commands for process execution, file operations, keylogging, and screen capture.

PhantomNet/SManager is described as a modular backdoor capable of collecting victim information and installing malicious plugins; reporting notes HTTPS C2, certificate pinning, service or scheduled-task persistence, and plugin support, including a sample associated with credential theft and lateral movement. DOWNTOWN is described as aligned with PhantomNet/SManager and supports plugin-style file and system operations.

TA428 is also linked to supply-chain and software-distribution abuse. ESET reported trojanized installers on the Vietnam Government Certification Authority website delivering PhantomNet/SManager. Separate reporting describes Operation StealthyTrident in Mongolia, where trojanized Able Desktop installers and a likely compromised update mechanism delivered HyperBro, Korplug, and later Tmanger; the Tmanger use in that campaign was specifically linked back to TA428 reporting.

Observed TA428 tradecraft includes spear phishing, exploitation of Equation Editor vulnerabilities, DLL side-loading, service-based and Run-key persistence, scheduled tasks, RC4- or AES-encrypted communications, proxy-aware C2, credential theft, reconnaissance, lateral movement using EternalBlue or Ladon, use of multiple backdoors for redundancy, and exfiltration of sensitive documents. Reporting consistently characterizes TA428 activity as espionage-oriented and aligned with Chinese state interests.
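The Equation Editor exploitation described above (CVE-2017-11882 and CVE-2018-0798 delivered via malicious RTF attachments) leaves one reliable host-side trace: EQNEDT32.EXE launching a child process. The following is an added detection example written for this profile, not code from the reporting or from any vendor; the process-creation records are constructed, and the EQN and WINWORD paths are placeholders.

```python
"""Flag Equation Editor exploitation chains in process-creation logs.

Added detection example, not from the reporting summarised above. Inputs
are constructed Sysmon Event ID 1 style records reduced to parent image,
image and command line. The signal is the one the malicious RTFs above
leave behind: EQNEDT32.EXE spawning a child process, which benign
equation rendering never does.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EQN_EDITOR = "eqnedt32.exe"
# Children that mark a payload stage rather than a stray crash handler.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                      "cscript.exe", "rundll32.exe", "regsvr32.exe",
                      "certutil.exe", "bitsadmin.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcessEvent) -> Optional[str]:
    """Return 'high' or 'medium' for a child of EQNEDT32.EXE, else None.

    EQNEDT32.EXE is itself started by DCOM, so its parent is not a useful
    signal; what matters is anything it launches in turn.
    """
    if _basename(ev.parent_image) != EQN_EDITOR:
        return None
    return "high" if _basename(ev.image) in HIGH_RISK_CHILDREN else "medium"

def scan(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Return (severity, event) pairs for every suspicious event."""
    return [(sev, ev) for ev in events if (sev := classify(ev))]

# Constructed sample: benign Word launch, Equation Editor started by DCOM
# (benign on its own), then two exploit-stage children. Paths are placeholders.
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Office16\WINWORD.EXE", "WINWORD.EXE /n report.rtf"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", EQN, "EQNEDT32.EXE -Embedding"),
    ProcessEvent(EQN, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    ProcessEvent(EQN, r"C:\Users\Public\update.exe", "update.exe"),
]
```

Running `scan(SAMPLE)` yields a high-severity hit for the cmd.exe child and a medium-severity hit for the unknown executable, while the DCOM-launched Equation Editor itself produces nothing.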
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
31 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
11 malware families attributed to this actor across reporting.
6 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
Once the attackers had used Eternal Blue to move to several hosts on the same network, they began running an interesting piece of malware on one of those hosts.
Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally... the malicious RTF attachments exploited vulnerabilities in the Microsoft Equation Editor, specifically CVE-2018-0798, before downloading subsequent payloads.
Observables
59 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Referenced Chinese threat actor previously attributed with PhantomNet malware that overlaps with tooling seen in Cluster Alpha.
Chinese-linked espionage actor referenced due to attribution overlaps with Cluster Alpha malware including PhantomNet/DOWNTOWN and possible ties to Worok.
China-linked threat actor referenced for prior attribution of the Ladon post-exploitation framework, which is also used in the described intrusions (as a lateral movement/scanning tool).
Threat actor umbrella linked in the content to PhantomNet/SManager-related operations and attacks against Southeast Asian and Russian targets, including Russian research institutes. The article suggests TA428 may represent an amalgam of multiple Chinese threat groups with shared tooling.