G0004: Ke3chang
Analyst context for executives and security teams
Ke3chang is an ATT&CK group entry for a China-attributed threat group with reported targeting of oil, government, diplomatic, military, and NGO organizations across multiple regions since at least 2010. The practical risk is not one malware family; it is the pattern shown by the relationships: credential theft, Windows discovery, SMB/admin-share lateral movement, SharePoint enumeration/data dumping, remote access tooling, and automated exfiltration. For leaders, this makes Ke3chang useful as a scenario for testing whether identity, endpoint, domain controller, SharePoint, and egress monitoring can work together during a targeted intrusion.
Executive priority
Prioritize this as an identity and data-protection readiness use case, especially for organizations in or adjacent to the listed sectors or regions. The ATT&CK relationships point to behaviors that can turn one compromised Windows host into broader domain access and sensitive data collection. Executives should ask whether the organization can prove control coverage for credential dumping, Active Directory database access, SMB lateral movement, SharePoint data access, and suspicious outbound infrastructure such as leased VPS/ORB networks described in the SPACEHOP relationship.
Technical view
ATT&CK does not provide a detection section for this group, so teams should validate coverage from the related software and techniques. The strongest defensive thread is Windows-centric: Mimikatz; LSASS, SAM, NTDS, and LSA Secrets credential access; Net, Tasklist, Systeminfo, Ping, ipconfig, and netstat discovery; SMB/Windows Admin Shares; and malware/tools including MirageFox, Okrum, Neoichor, and spwebmember. Detection engineering should correlate sequences rather than rely only on single command names, because several related utilities are legitimate administration tools.
Likely telemetry
- Endpoint process creation and command-line telemetry for Net, Tasklist, Systeminfo, Ping, ipconfig, netstat, and related discovery activity
- Windows security and EDR telemetry for LSASS access, SAM/LSA secret access, and credential dumping tools such as Mimikatz
- Domain controller monitoring for NTDS.dit access, copies, backups, or unusual administrative access patterns
- SMB and Windows admin share activity, including remote file access and lateral movement indicators
- SharePoint and web/application logs relevant to enumeration or data dumping activity associated with spwebmember-style behavior
Detection direction
- Build detections around behavior chains: discovery commands followed by credential access, then SMB/admin-share movement, then collection or exfiltration.
- Tune carefully for legitimate administration, since Net, Ping, ipconfig, netstat, Tasklist, and Systeminfo are common utilities; prioritize unusual users, hosts, timing, remote execution context, and clustering across multiple discovery commands.
- Validate high-fidelity monitoring on domain controllers and privileged workstations for LSASS, SAM, LSA Secrets, and NTDS access rather than assuming endpoint coverage applies uniformly.
- Use the SPACEHOP relationship as context for network analytics: leased VPS infrastructure alone is noisy, but it becomes higher priority when paired with scanning, vulnerability exploitation, remote access, or post-compromise activity.
- Include SharePoint and collaboration-data monitoring in scope where applicable, because the related spwebmember tool indicates enumeration and data dumping risk outside traditional endpoint-only visibility.
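The chain logic above, as an added example that is not from the page or from MITRE: constructed process-creation events are grouped per host, a host is flagged only when several distinct discovery utilities cluster inside a short window, and the finding is escalated when credential-dumping tooling or admin-share paths follow. The utility and tool names come from this page; the windows, thresholds and sample events are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities and tools named in this page's telemetry list and ATT&CK rows.
DISCOVERY = {"net.exe", "net1.exe", "tasklist.exe", "systeminfo.exe",
             "ping.exe", "ipconfig.exe", "netstat.exe"}
CRED_TOOLS = {"gsecdump.exe", "mimikatz.exe", "ntdsdump.exe"}
ADMIN_SHARES = ("\\c$", "\\admin$", "\\ipc$")
RANK = {"discovery": 1, "credential_access": 2, "lateral_movement": 3}
# Assumed tuning values (not from the page); baseline them per environment.
DISCOVERY_WINDOW, FOLLOW_ON_WINDOW, MIN_DISTINCT = timedelta(minutes=10), timedelta(minutes=60), 3

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def correlate(events):
    """Map host -> highest chain stage; events are (host, iso_time, image, cmdline)."""
    by_host = defaultdict(list)
    for host, t, image, cmd in events:
        by_host[host].append((_ts(t), image.lower(), cmd.lower()))
    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        disc = [(t, img) for t, img, _ in evs if img in DISCOVERY]
        # Stage 1: MIN_DISTINCT different discovery utilities inside one window,
        # which separates a scripted sweep from an admin running a single ping.
        start = next((t0 for i, (t0, _) in enumerate(disc)
                      if len({n for t, n in disc[i:]
                              if t - t0 <= DISCOVERY_WINDOW}) >= MIN_DISTINCT), None)
        if start is None:
            continue
        stage, deadline = "discovery", start + DISCOVERY_WINDOW + FOLLOW_ON_WINDOW
        # Stages 2 and 3: credential tooling or admin-share paths after the cluster.
        for t, img, cmd in evs:
            if not start <= t <= deadline:
                continue
            cand = ("lateral_movement" if any(s in cmd for s in ADMIN_SHARES)
                    else "credential_access" if img in CRED_TOOLS else None)
            if cand and RANK[cand] > RANK[stage]:
                stage = cand
        findings[host] = stage
    return findings

# Constructed sample: WS01 walks the full chain; WS02 is an admin running one ping.
SAMPLE_EVENTS = [
    ("WS01", "2024-05-01T09:00:00", "net.exe", "net group /domain"),
    ("WS01", "2024-05-01T09:01:30", "tasklist.exe", "tasklist /v"),
    ("WS01", "2024-05-01T09:03:00", "netstat.exe", "netstat -ano"),
    ("WS01", "2024-05-01T09:20:00", "gsecdump.exe", "gsecdump.exe"),
    ("WS01", "2024-05-01T09:45:00", "cmd.exe", r"copy x.exe \\SRV02\C$\Windows\Temp\x.exe"),
    ("WS02", "2024-05-01T10:00:00", "ping.exe", "ping srv01"),
]

def run_sample():
    return correlate(SAMPLE_EVENTS)
```

Only hosts that reach the discovery-cluster stage appear in the result, so single administrative commands never produce a finding on their own.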
Mitigation priorities
- Start with identity hardening: reduce standing administrative privileges, protect privileged accounts, and monitor access to domain controllers and credential stores.
- Harden and monitor Windows lateral movement paths, especially SMB and administrative shares, and ensure administrative activity is attributable to known users and systems.
- Improve endpoint controls around credential dumping and suspicious access to LSASS, SAM, LSA Secrets, and NTDS-related material.
- Inventory and monitor SharePoint or similar sensitive repositories where enumeration and bulk data access would create business impact.
- Use vulnerability management and exposure reduction for internet-facing and remotely reachable systems, consistent with the SPACEHOP relationship describing reconnaissance scanning and vulnerability exploitation.
Analyst notes and limits
This group entry is most useful as a threat-informed validation package: it connects targeted-sector intelligence with concrete ATT&CK relationships defenders can test. The aliases are numerous, including APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL, and Nylon Typhoon, so threat intelligence teams should normalize naming before comparing reporting or detections.
The supplied group object has no official detection text, no group-level platforms, and no group-level tactics. Platform and tactic guidance here is derived only from the supplied related software and technique objects. Local telemetry, business context, asset exposure, and confirmed tool coverage are required before making claims about organizational exposure or detection maturity.
Ke3chang
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes. (Citation: NCC Group APT15 Alive and Strong) (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | Ke3chang has used tools to download files to compromised machines. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1087.001 | Local Account Sub-technique | Ke3chang performs account discovery using commands such as |
| Enterprise | T1033 | System Owner/User Discovery | Ke3chang has used implants capable of collecting the signed-in username. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | Ke3chang has used implants to collect the system language ID of a compromised machine. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1087.002 | Domain Account Sub-technique | Ke3chang performs account discovery using commands such as |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1558.001 | Golden Ticket Sub-technique | |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Ke3chang actors have been known to copy files to the network shares of other computers to move laterally. (Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations. (Citation: Mandiant Operation Ke3chang November 2014) |
| Enterprise | T1119 | Automated Collection | Ke3chang has performed frequent and scheduled data collection from victim networks. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1083 | File and Directory Discovery | Ke3chang uses command-line interaction to search files and directories. (Citation: Mandiant Operation Ke3chang November 2014) (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1133 | External Remote Services | Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates. (Citation: NCC Group APT15 Alive and Strong) (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Ke3chang has dumped credentials, including by using gsecdump. (Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1016 | System Network Configuration Discovery | Ke3chang has performed local network configuration discovery using |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1020 | Automated Exfiltration | Ke3chang has performed frequent and scheduled data exfiltration from compromised networks. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1007 | System Service Discovery | Ke3chang performs service discovery using |
| Enterprise | T1543.003 | Windows Service Sub-technique | Ke3chang backdoor RoyalDNS established persistence through adding a service called |
| Enterprise | T1190 | Exploit Public-Facing Application | Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Ke3chang has dropped their malware into legitimate installed software paths including: `C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe`, `C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe`, `C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe`, and `C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe`. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1569.002 | Service Execution Sub-technique | |
| Enterprise | T1005 | Data from Local System | Ke3chang gathered information and files from local directories for exfiltration. (Citation: Mandiant Operation Ke3chang November 2014) (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1071.004 | DNS Sub-technique | Ke3chang malware RoyalDNS has used DNS for C2. (Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1213.002 | Sharepoint Sub-technique | Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember. (Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1027 | Obfuscated Files or Information | Ke3chang has used Base64-encoded shellcode strings. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1059 | Command and Scripting Interpreter | Malware used by Ke3chang can run commands on the command-line interface. (Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1036.002 | Right-to-Left Override Sub-technique | Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files. (Citation: Mandiant Operation Ke3chang November 2014) |
| Enterprise | T1560 | Archive Collected Data | The Ke3chang group has been known to compress data before exfiltration. (Citation: Mandiant Operation Ke3chang November 2014) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | Ke3chang performs discovery of permission groups |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration. (Citation: Mandiant Operation Ke3chang November 2014) (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1003.003 | NTDS Sub-technique | Ke3chang has used NTDSDump and other password dumping tools to gather credentials. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1057 | Process Discovery | Ke3chang performs process discovery using |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1587.001 | Malware Sub-technique | Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. (Citation: NCC Group APT15 Alive and Strong) (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Ke3chang has used batch scripts in its malware to install persistence mechanisms. (Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1078 | Valid Accounts | Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1583.005 | Botnet Sub-technique | Ke3chang has utilized an ORB (operational relay box) network for reconnaissance and vulnerability exploitation. (Citation: ORB Mandiant) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Several Ke3chang backdoors achieved persistence by adding a Run key. (Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1049 | System Network Connections Discovery | Ke3chang performs local network connection discovery using |
| Enterprise | T1056.001 | Keylogging Sub-technique | Ke3chang has used keyloggers. (Citation: NCC Group APT15 Alive and Strong) (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | Ke3chang has dumped credentials, including by using gsecdump. (Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | Ke3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts. (Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1082 | System Information Discovery | Ke3chang performs operating system information discovery using |
Groups, software, and campaigns
S0097: Ping
S0439: Okrum
S0096: Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]
S0104: netstat
S0227: spwebmember
spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. [1]
S0002: Mimikatz
S0057: Tasklist
S0280: MirageFox
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0691: Neoichor
S0100: ipconfig
C0052: SPACEHOP Activity
SPACEHOP Activity is conducted through commercially leased Virtual Private Servers (VPS), otherwise known as provisioned Operational Relay Box (ORB) networks. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors – such as APT5 and Ke3chang – to perform network reconnaissance scanning and vulnerability exploitation. SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.1 | | Current bundle | f3336ac68b3c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Operation Ke3chang November 2014: Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
[2] NCC Group APT15 Alive and Strong: Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
[3] APT15 Intezer June 2018: Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
[4] Microsoft NICKEL December 2021: MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
[5] APT15: (Citation: NCC Group APT15 Alive and Strong)
[6] GREF: (Citation: NCC Group APT15 Alive and Strong)
[7] Ke3chang: (Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)
[8] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[9] Mirage: (Citation: NCC Group APT15 Alive and Strong)
[10] NICKEL: (Citation: Microsoft NICKEL December 2021)
[11] Nylon Typhoon: (Citation: Microsoft Threat Actor Naming July 2023)
[12] Playful Dragon: (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)
[13] RoyalAPT: (Citation: APT15 Intezer June 2018)
[14] Villeneuve et al 2014: Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
[15] Vixen Panda: (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)
[16] mitre-attack G0004
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.