G0019: Naikon
Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]
While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]
Analyst context for executives and security teams
Naikon matters as an espionage-focused intrusion set because the ATT&CK record links it to long-running activity against government, military, civil, and international organizations in Southeast Asia, including UNDP and ASEAN. For leaders, the decision value is not a single exploit or product gap; it is whether the organization can recognize post-compromise discovery, domain-account abuse, misuse of built-in Windows administration tools, scheduled-task persistence, and custom backdoor activity before sensitive information or operational relationships are exposed.
Executive priority
Prioritize this as a readiness and assurance question for organizations with government, diplomatic, defense, regional, or international-body exposure. Executives should ask whether SOC, identity, endpoint, and network teams can prove visibility into domain account misuse, remote execution through administrative tooling, suspicious scheduled tasks, Office add-in persistence, network/service discovery, FTP-based transfer, and Windows backdoor indicators. The ATT&CK entry provides no official detection guidance, so coverage should be validated through local telemetry, threat-informed testing, and incident response playbooks rather than assumed from tool ownership.
Technical view
ATT&CK does not specify platforms or tactics on the Naikon group object, but the relationships point defenders toward Windows-heavy tradecraft and discovery/persistence behaviors: PsExec, Net, Tasklist, Systeminfo, Ping, netsh, ftp, WMI, Scheduled Task, Domain Accounts, Office Add-ins, masquerading, and network/system discovery. Related Naikon malware includes RARSTONE, SslMM, WinMM, Sys10, HDoor, Aria-body, RainyDay, and Nebulae, all described in the supplied relationships as Windows malware/backdoors where platforms are specified. SOC and IR teams should validate correlation across endpoint process creation, Windows service/task changes, WMI activity, domain authentication, command-line use of built-in utilities, network scanning/discovery, FTP traffic, and malware/backdoor detections tied to the cited software relationships.
Likely telemetry
- Endpoint process creation and command-line telemetry for PsExec, Net, Tasklist, Systeminfo, Ping, netsh, ftp, schtasks/Task Scheduler, and WMI-related execution
- Windows service creation/modification and remote administration events associated with PsExec-like behavior
- Scheduled task creation, modification, and execution records
- Active Directory/domain authentication logs, including unusual use of domain accounts across systems
- WMI operational logs and remote WMI activity where collected
Detection direction
- Because MITRE provides no official detection text for this group object, start with the related techniques and software rather than a single group-level analytic.
- Tune for suspicious combinations: domain-account logon followed by discovery commands, WMI or PsExec remote execution, scheduled-task creation, service/task masquerading, and outbound transfer activity such as FTP.
- Baseline legitimate administrator use of PsExec, Net, netsh, WMI, Task Scheduler, and system discovery tools; these are dual-use utilities and will create false positives without role, host, and maintenance-window context.
- Review coverage for masqueraded task/service names and files placed to resemble legitimate resources, especially where endpoint logging records names but not full paths, hashes, parent processes, or signer metadata.
- Validate whether Office add-in persistence is monitored; many environments inventory Office macros but miss COM/VSTO/XLL/WLL or Outlook add-in persistence paths.
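The combination analytic described above (domain-account discovery burst followed by WMIC, schtasks or PsExec reaching another host), as an added example for this page rather than MITRE, Naikon or vendor code. The event records are constructed inline and mimic the fields of Security 4688 / Sysmon Event ID 1 records; the field names, the five-minute window, the three-utility threshold and the `known_admins` baseline are assumptions for illustration, not a tuned production rule.

```python
"""Correlate Windows process-creation events into a Naikon-style sequence:
a domain account runs several built-in discovery utilities on one host, then
reaches another host through WMIC, schtasks or PsExec.

Added example; events are constructed, not from a real incident.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Built-in utilities the page lists as Naikon discovery tradecraft.
DISCOVERY_IMAGES = {"net.exe", "net1.exe", "tasklist.exe", "systeminfo.exe",
                    "ping.exe", "netsh.exe", "ipconfig.exe"}

# image -> (command-line marker that makes it a *remote* invocation, label)
REMOTE_EXEC = {
    "wmic.exe": ("/node:", "WMI (T1047)"),
    "schtasks.exe": ("/s ", "Scheduled Task (T1053.005)"),
    "psexec.exe": ("\\\\", "PsExec / Service Execution (T1569.002)"),
}


def ev(ts, host, user, image, cmdline, parent="cmd.exe"):
    """Build one constructed process-creation record (assumed field names)."""
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    # WS01: a domain user runs a discovery burst, then remote execution.
    ev("2024-03-01T09:00:05", "WS01", "CORP\\jdoe", "net.exe", 'net group "domain admins" /domain'),
    ev("2024-03-01T09:00:41", "WS01", "CORP\\jdoe", "systeminfo.exe", "systeminfo"),
    ev("2024-03-01T09:01:10", "WS01", "CORP\\jdoe", "tasklist.exe", "tasklist /v"),
    ev("2024-03-01T09:02:30", "WS01", "CORP\\jdoe", "netsh.exe", "netsh advfirewall show allprofiles"),
    ev("2024-03-01T09:03:02", "WS01", "CORP\\jdoe", "ping.exe", "ping -n 1 FS01"),
    ev("2024-03-01T09:05:12", "WS01", "CORP\\jdoe", "wmic.exe",
       'wmic /node:FS01 process call create "cmd /c c:\\users\\public\\intel.exe"'),
    ev("2024-03-01T09:06:00", "WS01", "CORP\\jdoe", "schtasks.exe",
       "schtasks /create /s FS01 /tn GoogleUpdateTask /tr c:\\users\\public\\intel.exe /sc once /st 09:10"),
    # ADMIN01: a deployment account uses PsExec with no preceding discovery.
    ev("2024-03-01T10:15:00", "ADMIN01", "CORP\\svc_deploy", "net.exe", "net use \\\\FS02\\c$"),
    ev("2024-03-01T10:15:20", "ADMIN01", "CORP\\svc_deploy", "psexec.exe", "psexec \\\\FS02 -s cmd.exe /c patch.bat"),
    # WS02: a single ping is neither a burst nor remote execution.
    ev("2024-03-01T11:00:00", "WS02", "CORP\\asmith", "ping.exe", "ping 10.0.0.1"),
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return one record per (host, user) that ran at least `min_distinct`
    different discovery utilities inside a single `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["image"].lower() in DISCOVERY_IMAGES:
            by_actor[(e["host"], e["user"])].append((_ts(e), e["image"].lower()))
    bursts = []
    for (host, user), rows in by_actor.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            seen = {img for t, img in rows[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                bursts.append({"host": host, "user": user, "start": t0, "images": sorted(seen)})
                break  # one burst per actor is enough for triage
    return bursts


def remote_execution(events):
    """Return events whose command line shows execution aimed at another host."""
    hits = []
    for e in events:
        entry = REMOTE_EXEC.get(e["image"].lower())
        if entry and entry[0] in e["cmdline"].lower():
            hits.append({**e, "technique": entry[1]})
    return hits


def correlate(events, known_admins=frozenset()):
    """Score each remote-execution event: high when the same (host, user) produced
    a discovery burst first; low when the actor is a baselined admin pair with no
    burst; medium otherwise (needs role / maintenance-window context)."""
    bursts = {(b["host"], b["user"]) for b in discovery_bursts(events)}
    alerts = []
    for hit in remote_execution(events):
        actor = (hit["host"], hit["user"])
        severity = "high" if actor in bursts else "low" if actor in known_admins else "medium"
        alerts.append({"host": hit["host"], "user": hit["user"], "severity": severity,
                       "technique": hit["technique"], "cmdline": hit["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, known_admins={("ADMIN01", "CORP\\svc_deploy")}):
        print(f"[{a['severity']:6}] {a['host']} {a['user']} {a['technique']}: {a['cmdline']}")
```

The baseline set is the practical part: without it the deployment account's PsExec use lands at medium and becomes noise; with it the same event drops to low while the WS01 sequence stays high because the burst, not the account, drives the score.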
Mitigation priorities
- Harden and monitor domain accounts first: least privilege, privileged-access separation, strong authentication where applicable, and rapid review of unusual account use across hosts.
- Restrict and audit remote administration pathways such as PsExec-style execution, WMI, SMB/admin shares, and scheduled-task based execution to known administrators and management systems.
- Improve endpoint logging for process command lines, parent/child process relationships, service/task creation, file paths, hashes, and signer information.
- Control persistence surfaces by auditing Windows services, scheduled tasks, and Office add-ins; remove unauthorized entries and require change control for administrative persistence mechanisms.
- Limit unnecessary FTP use and monitor approved transfer channels, especially from sensitive networks or hosts handling government, diplomatic, military, or regulated information.
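An audit of two of the persistence surfaces named above (scheduled tasks exported with `schtasks /query /xml`, and the Office startup folders where the page says the RoyalRoad loader dropped intel.wll), covering the masquerade-name check from the detection notes as well. This is an added example for this page, not MITRE or vendor code; both task XML documents and the startup folder contents are constructed inline, and the trusted roots, vendor keywords and add-in extension list are assumptions to adapt to local standards.

```python
"""Audit scheduled-task XML and Office startup folders for Naikon-relevant
persistence. Added example; the task documents and folder are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Roots a legitimate vendor or OS binary is expected to run from (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Vendor words Naikon has borrowed for masquerading (Chrome, Adobe, VMware).
VENDOR_WORDS = ("google", "chrome", "adobe", "vmware")
# Files Word/Excel load automatically from a STARTUP / XLSTART folder.
OFFICE_ADDIN_EXT = {".wll", ".xll", ".dotm", ".dotx", ".xlam", ".xla"}
# Minimal expansion of variables commonly seen in <Command>.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
       "%programfiles%": "c:\\program files"}

# Constructed: the shape of a task an intruder might register.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\jdoe</Author><URI>\\GoogleUpdateTaskMachine</URI></RegistrationInfo>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\intel.exe</Command><Arguments>-s</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed: a stock Windows task for comparison.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="LocalSystem">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""


def _expand(path):
    """Lower-case, strip quotes and expand the few variables in ENV."""
    low = path.strip().strip('"').lower()
    for var, val in ENV.items():
        low = low.replace(var, val)
    return low


def audit_task(xml_text):
    """Return findings for one task XML: hidden flag, commands outside trusted
    roots, and a vendor-style task name whose command is not that vendor's."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    findings = []
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true":
        findings.append(f"{uri}: hidden from the Task Scheduler UI")
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = _expand(exe.findtext("t:Command", default="", namespaces=NS))
        if not cmd.startswith(TRUSTED_ROOTS):
            findings.append(f"{uri}: runs {cmd} from outside trusted roots")
        if any(w in uri.lower() for w in VENDOR_WORDS) and not any(w in cmd for w in VENDOR_WORDS):
            findings.append(f"{uri}: vendor-style task name but command path is not that vendor's")
    return findings


def audit_office_startup(startup_dirs):
    """List add-in files present in Office startup folders (T1137.006); every
    entry should be matched against an approved add-in inventory."""
    found = []
    for d in startup_dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if os.path.splitext(name)[1].lower() in OFFICE_ADDIN_EXT:
                    found.append(name)
    return found


def demo_office_startup():
    """Build a throwaway STARTUP folder (constructed) and audit it. On a real host
    pass %APPDATA%\\Microsoft\\Word\\STARTUP and the Office install STARTUP dir."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("intel.wll", "readme.txt"):
            open(os.path.join(d, name), "w").close()
        return audit_office_startup([d])


if __name__ == "__main__":
    for xml_doc in (SUSPECT_TASK_XML, BENIGN_TASK_XML):
        print(audit_task(xml_doc) or ["no findings"])
    print(demo_office_startup())
```

Real `schtasks /query /xml` output is UTF-16 with a byte-order mark; decode it to text before handing it to `audit_task`. The trusted-root test is deliberately coarse: an intruder can also drop a payload under `Program Files`, so pair it with signer and hash checks from the endpoint logging the mitigation list calls for.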
Analyst notes and limits
The supplied ATT&CK description assesses Naikon as state-sponsored and attributed to the PLA Chengdu Military Region Second Technical Reconnaissance Bureau, active since at least 2010, with reported targeting of government, military, civil, and international organizations in Southeast Asia. The strongest practical signal in the supplied data is the relationship set: Windows-oriented custom backdoors plus living-off-the-land utilities and techniques for discovery, remote execution, persistence, masquerading, and domain account abuse.
The Naikon group object has no official detection text, no group-level platforms or tactics, and the supplied relationship snippets are partial for some techniques. This assessment does not assert current activity, customer exposure, guaranteed detection, or complete Naikon tradecraft. Local asset criticality, identity architecture, logging depth, network controls, and regional mission exposure are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078.002 | Domain Accounts | Naikon has used administrator credentials for lateral movement in compromised networks. (Citation: Bitdefender Naikon April 2021) |
| Enterprise | T1018 | Remote System Discovery | Naikon has used a NetBIOS scanner for remote machine identification. (Citation: Bitdefender Naikon April 2021) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Naikon has modified a victim's Windows Run registry key to establish persistence. (Citation: Bitdefender Naikon April 2021) |
| Enterprise | T1518.001 | Security Software Discovery | Naikon uses commands such as |
| Enterprise | T1046 | Network Service Discovery | Naikon has used the LadonGo scanner to scan target networks. (Citation: Bitdefender Naikon April 2021) |
| Enterprise | T1047 | Windows Management Instrumentation | Naikon has used WMIC.exe for lateral movement. (Citation: Bitdefender Naikon April 2021) |
| Enterprise | T1137.006 | Add-ins | Naikon has used the RoyalRoad exploit builder to drop a second-stage loader, intel.wll, into the Word Startup folder on the compromised host. (Citation: CheckPoint Naikon May 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Naikon uses commands such as |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables. (Citation: Bitdefender Naikon April 2021) |
| Enterprise | T1566.001 | Spearphishing Attachment | Naikon has used malicious e-mail attachments to deliver malware. (Citation: CheckPoint Naikon May 2020) |
| Enterprise | T1036.004 | Masquerade Task or Service | Naikon renamed a malicious service |
| Enterprise | T1053.005 | Scheduled Task | Naikon has used schtasks.exe for lateral movement in compromised networks. (Citation: Bitdefender Naikon April 2021) |
| Enterprise | T1204.002 | Malicious File | Naikon has convinced victims to open malicious attachments to execute malware. (Citation: CheckPoint Naikon May 2020) |
| Enterprise | T1574.001 | DLL | Naikon has used DLL side-loading to load malicious DLLs into legitimate executables. (Citation: CheckPoint Naikon May 2020) |
Groups, software, and campaigns
S0095: ftp
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0097: Ping
S0108: netsh
S0059: WinMM
S0096: Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]
S0629: RainyDay
S0630: Nebulae
S0055: RARSTONE
S0061: HDoor
S0060: Sys10
S0058: SslMM
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | f18c598ef368… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CameraShy: ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.
- [2] Baumgartner Naikon 2015: Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
- [3] Baumgartner Golovkin Naikon 2015: Baumgartner, K., Golovkin, M. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.
- [4] Naikon: alias record, citing [2], [1] and [3].
- [5] mitre-attack G0019: MITRE ATT&CK group object G0019.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.