C0052: SPACEHOP Activity
SPACEHOP Activity is conducted through commercially leased Virtual Private Servers (VPS), otherwise known as provisioned Operational Relay Box (ORB) networks. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors – such as APT5 and Ke3chang – to perform network reconnaissance scanning and vulnerability exploitation. SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East.[1]
Analyst context for executives and security teams
SPACEHOP Activity matters because it describes operations routed through commercially leased VPS/ORB infrastructure to support reconnaissance scanning and exploitation of public-facing systems. For leaders, the key issue is not a single indicator list; it is whether the organization can see, prioritize, and respond to suspicious activity against exposed services when the apparent source is disposable cloud-hosted infrastructure.
Executive priority
Treat this as a test of external attack surface readiness. The ATT&CK context ties the campaign to VPS-based relay infrastructure, public-facing application exploitation, and multi-hop proxying, with attribution relationships to China-nexus groups Ke3chang and APT5. Executives should ask whether internet-facing assets are continuously inventoried, vulnerability remediation is prioritized for exposed services, and SOC/IR teams have enough perimeter telemetry to investigate activity that may only reveal the last-hop VPS rather than the true operator.
Technical view
SOC and IR teams should validate coverage around the related techniques: T1583.003 Virtual Private Server and T1588.002 Tool for resource development, T1190 Exploit Public-Facing Application for initial access, and T1090.003 Multi-hop Proxy for command and control. Because the campaign object has no official detection guidance and no specified platforms, detection should be built from local exposure and telemetry: inbound scanning patterns, exploit attempts against public services, traffic from hosting/VPS providers, and post-exploitation indicators on internet-facing systems. Analysts should avoid over-weighting IP reputation alone, since leased VPS and ORB-style infrastructure can change quickly and may only expose the last relay point.
Likely telemetry
- Internet-facing asset inventory and exposure management records
- Web server, application, API gateway, reverse proxy, and WAF logs
- Firewall, IDS/IPS, NetFlow, DNS, and proxy logs for inbound and outbound connections
- Logs from externally reachable network devices, VPN, management, or remote access services where applicable
- Vulnerability management and patch status for public-facing applications and services
Detection direction
- Correlate inbound reconnaissance or exploit-like traffic with known exposed services and current vulnerability state rather than relying only on source IP reputation.
- Tune for repeated probing, scanning, or exploitation attempts from hosting/VPS address space while accounting for legitimate cloud-hosted scanners, customers, partners, and security testing.
- Preserve enough network and application log history to investigate source-IP churn and last-hop proxy behavior associated with multi-hop proxy use.
- Prioritize detections on successful or near-successful exploitation of public-facing applications, including suspicious follow-on outbound connections from exposed hosts.
- Use threat intelligence enrichment for VPS/ORB-related infrastructure as context, not as proof of malicious activity by itself.
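The detection direction above (correlate inbound activity with exposure state, tune for repeated probing from hosting address space, and treat VPS/ORB enrichment as context rather than proof) can be turned into a small triage routine. The following is an added example, not code from Glexia or MITRE; the access log lines, the exposed-service inventory, the hosting address range and the scoring weights are all constructed for illustration and would be replaced by local asset, vulnerability and log data.

```python
"""
Added example (not part of the Glexia/MITRE page): score inbound HTTP activity
per source IP against a local exposure inventory so that exploit-like requests
hitting a service with an open critical finding rank above generic scanning,
while hosting/VPS origin is carried only as enrichment context.
All log lines, address ranges and inventory entries below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed web server access log lines (Common Log Format style).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2024:09:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2024:09:00:02 +0000] "GET /vpn/../../config HTTP/1.1" 403 0
198.51.100.7 - - [10/Jun/2024:09:00:03 +0000] "POST /vpn/login HTTP/1.1" 500 0
203.0.113.9 - - [10/Jun/2024:09:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.9 - - [10/Jun/2024:09:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
203.0.113.9 - - [10/Jun/2024:09:01:02 +0000] "GET /.env HTTP/1.1" 404 0
203.0.113.9 - - [10/Jun/2024:09:01:03 +0000] "GET /admin/ HTTP/1.1" 404 0
192.0.2.44 - - [10/Jun/2024:09:02:00 +0000] "GET /portal/home HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Constructed exposure inventory: URL prefix -> record from asset/vuln management.
EXPOSED_SERVICES = {
    "/vpn": {"owner": "network-team", "unpatched_critical": True},
    "/portal": {"owner": "web-team", "unpatched_critical": False},
}

# Constructed hosting/VPS address space; used for context, never as proof.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Generic path traversal marker used as the "exploit-like" request signal.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


@dataclass
class Request:
    ip: str
    method: str
    path: str
    status: int


def parse_log(text: str) -> list[Request]:
    """Parse access log lines; lines that do not match are skipped, not fatal."""
    reqs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reqs.append(Request(m["ip"], m["method"], m["path"], int(m["status"])))
    return reqs


def service_for(path: str):
    """Map a request path onto the exposed-service inventory, if any."""
    for prefix, rec in EXPOSED_SERVICES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return prefix, rec
    return None, None


def is_hosting(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def triage(reqs: list[Request], scan_threshold: int = 4) -> list[dict]:
    """Return per-source findings, highest priority first."""
    by_ip = defaultdict(list)
    for r in reqs:
        by_ip[r.ip].append(r)
    findings = []
    for ip, rs in by_ip.items():
        score, reasons, flagged = 0, [], set()
        paths = {r.path for r in rs}
        not_found = sum(1 for r in rs if r.status == 404)
        # Probing: many distinct paths, mostly missing. Low weight on its own.
        if len(paths) >= scan_threshold and not_found / len(rs) >= 0.5:
            score += 1
            reasons.append(f"probing: {len(paths)} distinct paths, {not_found} x 404")
        for r in rs:
            prefix, rec = service_for(r.path)
            exploit_like = bool(TRAVERSAL.search(r.path)) or 500 <= r.status < 600
            if prefix and exploit_like:
                score += 3
                reasons.append(f"exploit-like request to {prefix}: {r.method} {r.path} -> {r.status}")
                # Exposure state raises priority once per affected service.
                if rec["unpatched_critical"] and prefix not in flagged:
                    flagged.add(prefix)
                    score += 3
                    reasons.append(f"{prefix} has an open critical finding (owner {rec['owner']})")
        context = "hosting/VPS origin (context only)" if is_hosting(ip) else "non-hosting origin"
        if score:
            findings.append({"ip": ip, "score": score, "context": context, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f["ip"], f["score"], f["context"])
        for reason in f["reasons"]:
            print("   ", reason)
```

The hosting check contributes no score: it is attached to the finding as context so an analyst sees it, which matches the guidance that VPS/ORB enrichment is not evidence on its own. In the constructed sample the source hitting the unremediated remote-access service with a traversal request and a server error outranks the source that only walks common paths and collects 404s, even though only the former sits in hosting address space.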
Mitigation priorities
- Maintain an accurate inventory of internet-facing systems and ownership so vulnerable exposure can be reduced quickly.
- Prioritize patching and configuration hardening for public-facing applications, services, and management interfaces.
- Limit unnecessary internet exposure, especially administrative services and management protocols.
- Use layered controls such as WAF/reverse proxy protections, rate limiting, segmentation, and egress monitoring where appropriate.
- Prepare IR procedures for suspected exploitation of public-facing systems, including evidence preservation from application, host, and network layers.
Analyst notes and limits
The supplied ATT&CK object describes SPACEHOP Activity as using commercially leased VPS/provisioned ORB networks to enable reconnaissance scanning and vulnerability exploitation, with relationships to Ke3chang and APT5 and to techniques T1583.003, T1588.002, T1190, and T1090.003. The most useful defensive framing is external attack surface management plus perimeter detection that can tolerate fast-changing infrastructure.
MITRE provides no official detection text for this campaign, and the campaign itself lists no specific platforms or tactics. Any assessment of exposure, detection coverage, affected technologies, or incident relevance requires local asset inventory, vulnerability data, and telemetry review. Attribution relationships should not be treated as evidence of current activity in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090.003 | Multi-hop Proxy (sub-technique) | SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access. (Citation: NSA APT5 Citrix Threat Hunting December 2022)[1] |
| Enterprise | T1583.003 | Virtual Private Server (sub-technique) | SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network.[1] |
| Enterprise | T1588.002 | Tool (sub-technique) | SPACEHOP Activity leverages a C2 framework sourced from a publicly available GitHub repository for administration of relay nodes.[1] |
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
G0004: Ke3chang
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fa5f1865c575… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ORB Mandiant: Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
[2] mitre-attack C0052
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.