China10 malware familiesExploits CVEs in the wild

APT3

Also known asAPT3BORONBrocade TyphoonBuckeyeCYBRANGOTHIC PANDAOLDCARPPirpiRed SylvanTG-0110Threat Group-0110UPSUPS Team

APT3 is a China-nexus threat actor tracked under aliases including Pirpi, Buckeye, Gothic Panda, UPS Team, TG-0110/Threat Group-0110, Boron, Brocade Typhoon, Cybron, OldCarp, Red Sylvan, and UPS. The provided content associates APT3 with exploitation, persistence, execution, collection, and discovery activity. Reported behaviors include creating new Windows services for persistence; placing scripts in the Startup folder for persistence; using PowerShell, including -WindowStyle Hidden, to download and run payloads after exploitation; using cmd.exe /C whoami to verify SYSTEM-level privileges; executing commands on remote computers; establishing SOCKS5 connections for initial C2; listing running processes; obtaining local system information; identifying Microsoft Office documents; searching the local file system for files and directories; locating credentials in files on disk, including Firefox and Chrome-related files; gathering network configuration information such as MAC address, IP address, WINS, DHCP server, and gateway; staging files in a single location for exfiltration; and exfiltrating data over the C2 channel. The content also states that APT3 has used tools to dump passwords from browsers and that one tool dumped credentials by injecting into lsass.exe.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

53 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics84 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1608

Stage Capabilities

TA0001

Initial Access

4 techniques

T1078

Valid Accounts

T1190

Exploit Public-Facing Application

T1195

Supply Chain Compromise

T1566

Phishing

T1566.002

Spearphishing Link

TA0002

Execution

5 techniques

T1053

Scheduled Task/Job

T1053.005×4

Scheduled Task

T1059×2

Command and Scripting Interpreter

T1059.001×8

PowerShell

T1059.003×4

Windows Command Shell

T1059.005

Visual Basic

T1129×2

Shared Modules

T1203×4

Exploitation for Client Execution

T1574

Hijack Execution Flow

TA0003

Persistence

6 techniques

T1037

Boot or Logon Initialization Scripts

T1037.001

Logon Script (Windows)

T1053

Scheduled Task/Job

T1053.005×4

Scheduled Task

T1078

Valid Accounts

T1543

Create or Modify System Process

T1543.003×4

Windows Service

T1546

Event Triggered Execution

T1547

Boot or Logon Autostart Execution

T1547.001×3

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

9 techniques

T1037

Boot or Logon Initialization Scripts

T1037.001

Logon Script (Windows)

T1053

Scheduled Task/Job

T1053.005×4

Scheduled Task

T1055×2

Process Injection

T1068

Exploitation for Privilege Escalation

T1078

Valid Accounts

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

T1543

Create or Modify System Process

T1543.003×4

Windows Service

T1546

Event Triggered Execution

T1547

Boot or Logon Autostart Execution

T1547.001×3

Registry Run Keys / Startup Folder

TA0005

Stealth

7 techniques

T1027

Obfuscated Files or Information

T1027.002

Software Packing

T1055×2

Process Injection

T1070

Indicator Removal

T1070.004×6

File Deletion

T1078

Valid Accounts

T1218

System Binary Proxy Execution

T1218.011

Rundll32

T1564

Hide Artifacts

T1564.003

Hidden Window

T1574

Hijack Execution Flow

TA0112

Defense Impairment

1 technique

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

TA0006

Credential Access

4 techniques

T1003×3

OS Credential Dumping

T1003.001

LSASS Memory

T1187

Forced Authentication

T1555

Credentials from Password Stores

T1555.003×3

Credentials from Web Browsers

T1557

Adversary-in-the-Middle

T1557.001

Name Resolution Poisoning and SMB Relay

TA0007

Discovery

10 techniques

T1012

Query Registry

T1016×3

System Network Configuration Discovery

T1018

Remote System Discovery

T1033×3

System Owner/User Discovery

T1057×2

Process Discovery

T1069×2

Permission Groups Discovery

T1082×2

System Information Discovery

T1083×3

File and Directory Discovery

T1087

Account Discovery

T1518

Software Discovery

TA0008

Lateral Movement

2 techniques

T1021

Remote Services

T1021.001×2

Remote Desktop Protocol

T1021.002

SMB/Windows Admin Shares

T1210

Exploitation of Remote Services

TA0009

Collection

4 techniques

T1005×3

Data from Local System

T1074

Data Staged

T1557

Adversary-in-the-Middle

T1557.001

Name Resolution Poisoning and SMB Relay

T1560

Archive Collected Data

TA0011

Command and Control

3 techniques

T1090

Proxy

T1090.002

External Proxy

T1090.003

Multi-hop Proxy

T1105×2

Ingress Tool Transfer

T1219

Remote Access Tools

TA0010

Exfiltration

1 technique

T1041×2

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

10 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DoublePulsarSymantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016... an advanced persistent threat hacking group... somehow got access to a variant of the NSA-developed “DoublePulsar” backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers.2May 26, 2026

ImpacketThe following analytic detects the use of Impacket's wmiexec.py tool for lateral movement by identifying specific command-line parameters.2Mar 17, 2026

Cobalt StrikeDetects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.1May 6, 2026

EternalSynergySymantec discovered that as early as March 2016, the Chinese hackers were using tweaked versions of two N.S.A. tools, called Eternal Synergy and Double Pulsar, in their attacks.1May 26, 2026

NishangThe following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server.1Mar 17, 2026

5 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.

CVE-2014-1776Use-after-free RCE in Microsoft Internet Explorer 6 through 11In the wildEvidence2

APT3 has exploited... Internet Explorer vulnerability CVE-2014-1776.

CVE-2015-3113Heap-based Buffer Overflow in Adobe Flash PlayerIn the wildEvidence2

APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113...

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

IOCS

Observables

41 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

41 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Jun 14, 2026

Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

slideshareNews

May 21, 2026

Hunting for Credentials Dumping in Windows Environment | PDF

Uses credential dumping by injecting tooling into LSASS to extract credentials.

splunk researchNews

May 18, 2026

Detection: Windows Cloud Files Filter Loaded by Uncommon Process | Splunk Security Content

Listed as an associated threat actor for exploitation activity related to abuse of the Windows Cloud Files API / cldapi.dll detection.

splunk researchNews

May 12, 2026

Detection: Powershell Defender Threat Actions Set to Allow | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection.

+196 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping53

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal10

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs3

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables41

Domains, IPs, and hashes tied to this actor, refreshed continuously.