APT 15 is a cyber espionage group that has been attributed to China.
The group has targeted various organizations and sectors, such as government, defense, aerospace, energy, and mining.
APT 15 is also known as Ke3chang, Mirage, Vixen Panda, GREF, and Playful Dragon.
History
APT 15 was involved in Operation Aurora, a coordinated cyber attack against Google and other companies in 2009. The group used a zero-day exploit for Internet Explorer to compromise the victims’ systems and steal intellectual property.
APT 15 was also behind Operation Ke3chang, a campaign that targeted diplomatic missions and ministries of foreign affairs in Europe, Asia, and the US in 2013. The group used spear-phishing emails with malicious attachments to deliver a custom backdoor named BS2005.
APT 15 conducted Operation Mirage, a series of attacks against oil and gas companies in Asia in 2012. The group used a malware family named Mirage that could perform keylogging, file stealing, and remote shell access.
APT 15 developed and used RoyalCli and RoyalDNS, two sophisticated malware tools that were discovered in 2017. RoyalCli is a backdoor that uses a custom protocol over TCP port 443 to communicate with a command-and-control (C2) server. RoyalDNS is a DNS tunneling tool that exfiltrates data and executes commands via DNS requests and responses.
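Added example, not from the original profile or from any published RoyalDNS analysis: a heuristic detector for the DNS tunneling pattern described above, run over a constructed DNS query log. It assumes only the generic traits of tunneling (long or high-entropy subdomain labels, many such queries from one client to one domain); the log format, domain names and thresholds are made up for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of a DNS query log in the form "timestamp client qtype qname".
# It is not captured RoyalDNS traffic; the hex-looking labels only imitate the
# long, encoded subdomains that DNS tunneling produces.
SAMPLE_DNS_LOG = """\
2017-03-01T10:00:01 10.0.0.5 A www.example.com
2017-03-01T10:00:02 10.0.0.5 TXT 4a6f686e2d736563726574.evil-tunnel.test
2017-03-01T10:00:03 10.0.0.5 TXT 646f63756d656e742e646f63.evil-tunnel.test
2017-03-01T10:00:04 10.0.0.5 TXT 70617373776f72647331323334.evil-tunnel.test
2017-03-01T10:00:05 10.0.0.7 A mail.example.com
2017-03-01T10:00:06 10.0.0.5 TXT 6578666966723a646174612e7a6970.evil-tunnel.test
"""

def shannon_entropy(text):
    """Bits per character; encoded payload labels score higher than plain words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Naively treat the last two labels as the registrable domain (no public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])

def is_suspicious(sub_labels, min_label_len, min_entropy):
    """A query looks like a tunnel carrier if any subdomain label is long or high-entropy."""
    return any(len(l) >= min_label_len or shannon_entropy(l) >= min_entropy for l in sub_labels)

def find_tunneling_candidates(log_text, min_queries=3, min_label_len=20, min_entropy=3.5):
    """Group suspicious queries by (client, domain); report groups above the query threshold."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _qtype, qname = parts
        sub_labels, domain = split_qname(qname)
        if is_suspicious(sub_labels, min_label_len, min_entropy):
            groups[(client, domain)].append(max(len(l) for l in sub_labels))
    return [
        {"client": c, "domain": d, "queries": len(v), "avg_label_len": sum(v) / len(v)}
        for (c, d), v in sorted(groups.items()) if len(v) >= min_queries
    ]

if __name__ == "__main__":
    for hit in find_tunneling_candidates(SAMPLE_DNS_LOG):
        print(hit)
```

In production the (client, domain) grouping would run over a time window, and the registrable-domain split should use a public suffix list instead of the two-label shortcut.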