🇨🇳 CN17 malware families

APT17

Also known asaurora pandabronze universitybronze_exportdeputy doghidden lynxred typhoonta415tg-3279tg-8153

APT17 is a China-linked espionage threat actor active since at least 2009 and associated in the provided content with Operation Aurora. Reported aliases include APT17, ATG3, Aurora Panda, Blackfly, Bronze Export, Bronze University, DeputyDog / Deputy Dog, Hidden Lynx, Red Typhoon, TA415, Tailgater, TG-3279, and TG-8153, though the content also contains conflicting references that associate some of these names with other China-aligned clusters, particularly TA415/APT41. High-confidence details directly tied to APT17 in the content include use of BLACKCOFFEE malware, Microsoft TechNet profile pages as command-and-control infrastructure, and the DeputyDog designation. The content also states that Zeng Xiaoyong (envymask) was identified as a central figure in APT17, described as an MSS-linked group, and links APT17 to malware lineage involving ZoxPRC/ZoxPNG and BLACKCOFFEE. Additional reporting in the content notes overlap in malware, certificates, developer relationships, and social connections between APT17 and APT41, suggesting an interconnected Chinese cyber ecosystem rather than fully discrete groups, but those broader ecosystem claims are presented as analysis rather than definitive attribution. One cited report assesses BRONZE EXPORT, included among the aliases, with moderate confidence as based in the People’s Republic of China and focused on collecting video game source code from the entertainment and video game industries since at least 2009.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Financial Services
Materials
Banks
Capital Goods

Where they target

Geographies tied to known operations.

🇺🇸 United States
🇹🇼 Taiwan

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

48 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics75 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

3 techniques

T1583

Acquire Infrastructure

T1583.006×2

Web Services

T1585

Establish Accounts

T1587

Develop Capabilities

T1587.001

Malware

TA0001

Initial Access

3 techniques

T1078

Valid Accounts

T1190×2

Exploit Public-Facing Application

T1566

Phishing

T1566.001×5

Spearphishing Attachment

T1566.002×3

Spearphishing Link

TA0002

Execution

4 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001×2

PowerShell

T1059.003×2

Windows Command Shell

T1059.006×3

Python

T1204

User Execution

T1204.002×5

Malicious File

T1574

Hijack Execution Flow

T1574.001×2

DLL

T1574.014

AppDomainManager

TA0003

Persistence

4 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1078

Valid Accounts

T1543

Create or Modify System Process

T1543.003×2

Windows Service

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

5 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1055×3

Process Injection

T1078

Valid Accounts

T1543

Create or Modify System Process

T1543.003×2

Windows Service

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0005

Stealth

9 techniques

T1027×5

Obfuscated Files or Information

T1027.007

Dynamic API Resolution

T1036×4

Masquerading

T1036.005

Match Legitimate Resource Name or Location

T1055×3

Process Injection

T1078

Valid Accounts

T1140×2

Deobfuscate/Decode Files or Information

T1218

System Binary Proxy Execution

T1218.005

Mshta

T1497

Virtualization/Sandbox Evasion

T1574

Hijack Execution Flow

T1574.001×2

DLL

T1574.014

AppDomainManager

T1620×2

Reflective Code Loading

TA0006

Credential Access

1 technique

T1649

Steal or Forge Authentication Certificates

TA0007

Discovery

4 techniques

T1033

System Owner/User Discovery

T1082×4

System Information Discovery

T1083×2

File and Directory Discovery

T1497

Virtualization/Sandbox Evasion

TA0008

Lateral Movement

2 techniques

T1021

Remote Services

T1021.004×3

SSH

T1210

Exploitation of Remote Services

TA0009

Collection

5 techniques

T1005

Data from Local System

T1074

Data Staged

T1113×3

Screen Capture

T1213

Data from Information Repositories

T1560×3

Archive Collected Data

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1071.001×5

Web Protocols

T1071.002

File Transfer Protocols

T1071.004×2

DNS

T1102

Web Service

T1102.002

Bidirectional Communication

T1102.003

One-Way Communication

T1105×3

Ingress Tool Transfer

T1219×2

Remote Access Tools

T1573

Encrypted Channel

TA0010

Exfiltration

2 techniques

T1020

Automated Exfiltration

T1041×5

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

17 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Cobalt StrikeResearchers at Check Point said the group has been active since mid-2024... deploy Cobalt Strike beacons for remote access.5Mar 6, 2026

GearDoor"...Silver Dragon deployed GearDoor, a new backdoor which leverages Google Drive as its command-and-control (C2) channel..."4Mar 7, 2026

SSHcmd"...deployed two additional custom tools: SSHcmd, a command-line utility that functions as a wrapper for SSH to facilitate remote access..."4Mar 7, 2026

VoldemortProofpoint researchers identified an unusual campaign delivering malware that the threat actor named “Voldemort”. ... Voldemort is a custom backdoor written in C. It has capabilities for information gathering and to drop additional payloads.4Jun 14, 2026

BamboLoader"...a phishing campaign with a malicious LNK file as an attachment, a tactic linked to Silver Dragon based on the use of similar loaders, which the researchers collectively call 'BamboLoader.'"2Mar 4, 2026

12 additional families tracked in Mallory.

IOCS

Observables

75 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

75 IOCsView more in app

hash.sha256

28 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+20

uri

23 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+15

Domains

19 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+11

Email addresses

3 total

••••@•••••.••••••••@••••••.•••••••••@•••••••.•••

ip.v4

2 total

•••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

ctoatncsc substackNews

Mar 7, 2026

CTO at NCSC Summary: week ending March 8th

Referenced as the broader China-nexus umbrella under which Silver Dragon likely operates.

scworldNews

Mar 5, 2026

New China-linked cyberespionage campaign exploits Windows, Google Drive | brief | SC Media

Referenced as the broader umbrella under which Silver Dragon is believed to operate; associated here with China-linked cyberespionage activity targeting government/public sector.

govinfosecurityNews

Mar 5, 2026

Breach Roundup: Patches and Hacks on Cisco Equipment

Referenced as an established Chinese espionage ecosystem that Silver Dragon’s activity overlaps with; no direct APT41 operation details are provided beyond the linkage/overlap claim.

csis chinese espionageNews

Mar 5, 2026

Survey of Chinese Espionage in the United States Since 2000 | Strategic Technologies Program | CSIS

China-linked espionage and financially motivated operations: collection from telecom, healthcare, semiconductor manufacturing, and machine learning organizations, plus virtual currency theft.

+186 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping48

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal17

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables75

Domains, IPs, and hashes tied to this actor, refreshed continuously.