Campaign of the month

Learn about the latest cyber attacks and vulnerabilities in our monthly Campaigns.

Meet APT10: One of the most dangerous nation-backed threat groups 

Silent. Precise. Lethal.  

They don’t just breach systems. They infiltrate clouds, compromise supply chains, and vanish without a trace.  

Meet APT10, one of the world’s most dangerous nation-backed threat groups. 

Who is the APT10 threat group? 

APT10, also known as menuPass, Stone Panda, POTASSIUM, CVNX, and other names, is a sophisticated threat group widely attributed to the Chinese government. Active since at least 2006, its primary objective is espionage and intelligence gathering.

This group targets a broad spectrum of sectors:  

  • Healthcare 
  • Defense  
  • Aerospace 
  • Finance 
  • Maritime 
  • Biotechnology 
  • Energy  
  • Government sectors 

…and others, leveraging their attacks to extract valuable information. 

Their operations appear to be strategically focused on supporting Chinese interests, with a notable emphasis on Japan, although they have also targeted other regions to further their intelligence objectives.

Notable APT10 attack campaigns 

  • The LODEINFO campaign (2022): the group deployed the LODEINFO malware in targeted espionage attacks against Japanese organizations.

[Infographic: APT10's main targets, attack flow, and timeline of notable operations]

Tactics, Techniques & Procedures (TTPs) used by APT10 

While you may not be directly targeted by APT10, the tactics, techniques, and some of the tools they employ are widely accessible and can be leveraged by threat actors globally. 

The act of gathering intelligence and exfiltrating sensitive data is a risk that every organization and country should take seriously. 

For initial access, the group used three main vectors:

  1. Spear phishing with malicious attachments.
  2. Accessing the victim's network through a compromised MSP's shared infrastructure.
  3. Exploiting public-facing web applications and deploying webshells such as China Chopper and JspSpy.

The malicious attachments are usually one of the following:

  • Masquerading: an EXE whose icon is disguised to look like a document file
  • An Office file with a malicious macro
  • A ZIP archive containing a malicious .lnk shortcut that runs a shell command
  • Exploits enabling RCE, for example CVE-2012-0158 or CVE-2017-0199 (both allow code execution through Office documents)
  • An SFX (self-extracting archive) containing:
      • A legitimate binary (EXE)
      • A malicious DLL used for sideloading (DLL)
      • An encrypted configuration file (DATA)
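To show what a defender can do with the attachment shapes listed above (and with the spear-phishing vector in the initial-access list), here is an added Python triage script. It is an example written for this page, not code from the page, from APT10 reporting, or from any product. It flags the lure shapes just described: a PE named like a document, an OOXML file carrying a vbaProject.bin macro part, a ZIP with a .lnk member, and a self-extracting PE whose embedded archive bundles an EXE with a DLL. All sample attachments and file names are constructed inline; the icon disguise itself is not inspected (that would need PE resource parsing), so masquerading is approximated by the file name, which is an assumption of this example.

```python
import io
import os
import zipfile

# Well-known file signatures (not page-specific values):
PE_MAGIC = b"MZ"                                  # Windows executables and DLLs
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP archives, including OOXML (.docx/.docm/.xlsm)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls/.ppt)

# Extensions a lure borrows to look like a harmless document (assumed list).
DOCUMENT_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".pdf", ".rtf", ".txt"}


def _archive_findings(zf: zipfile.ZipFile) -> list[str]:
    """Rules applied to the member list of any ZIP-structured payload."""
    names = [n.lower() for n in zf.namelist()]
    findings = []
    # OOXML keeps VBA macros in a vbaProject.bin part (word/, xl/, ppt/ ...).
    if any(n.endswith("vbaproject.bin") for n in names):
        findings.append("Office document carries a VBA macro project")
    # A shortcut inside an archive can launch an arbitrary shell command when opened.
    lnks = [n for n in names if n.endswith(".lnk")]
    if lnks:
        findings.append("archive contains shortcut file(s): " + ", ".join(lnks))
    # An EXE shipped next to a DLL is the classic sideloading bundle shape.
    exes = [n for n in names if n.endswith(".exe")]
    dlls = [n for n in names if n.endswith(".dll")]
    if exes and dlls:
        findings.append("archive bundles EXE with DLL (possible DLL sideloading kit)")
    return findings


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment; an empty list means no rule fired."""
    findings = []
    lower = filename.lower()
    ext = os.path.splitext(lower)[1]
    inner_ext = os.path.splitext(lower[: -len(ext)] if ext else lower)[1]

    if data.startswith(PE_MAGIC):
        findings.append("attachment is a Windows executable")
        # Masquerading: content is a PE but the name suggests a document,
        # e.g. "report.doc" or the double extension "report.doc.exe".
        if ext in DOCUMENT_EXTS or inner_ext in DOCUMENT_EXTS:
            findings.append("executable named like a document: %s" % filename)
        # An SFX is a PE stub with the archive appended; zipfile locates the
        # end-of-central-directory record regardless of the stub in front of it.
        if zipfile.is_zipfile(io.BytesIO(data)):
            findings.append("executable carries an embedded ZIP payload (self-extracting archive)")
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                findings += _archive_findings(zf)
    elif data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings += _archive_findings(zf)
    elif data.startswith(OLE_MAGIC):
        # Legacy binary Office files can also hold macros; this check cannot rule
        # them out, so route them to a dedicated OLE parser instead of passing them.
        findings.append("legacy OLE Office document: needs macro inspection")
    return findings


def _build_zip(members: dict) -> bytes:
    """Construct a small ZIP archive in memory for the demo samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments shaped like the lure types listed on the page.
SAMPLES = {
    "Invoice.doc.exe": b"MZ" + b"\x00" * 64,
    "Report.docm": _build_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
    "Photos.zip": _build_zip({"photos/IMG_001.lnk": b"L\x00\x00\x00"}),
    "Setup.exe": b"MZ" + b"\x00" * 64 + _build_zip({"tool.exe": b"MZ", "vendor.dll": b"MZ", "cfg.dat": b"\x01"}),
    "Notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage_attachment(name, blob) or ["clean by these rules"])
```

The rules deliberately key on structure (magic bytes, archive members) rather than on file names alone, because the name is the part the attacker controls most easily; in a mail gateway these findings would feed a quarantine decision or an analyst queue rather than an automatic verdict.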

What you’ll learn in this spotlight 

Threats are real. Experience, not just knowledge, is your edge. Here's what you'll learn in this spotlight:

  • Analyze real-world APT10 campaigns.  
  • Unpack their tactics, tools, and cloud attack vectors.  
  • Learn how to spot and stop them before they move.