G0022: APT3
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
Analyst context for executives and security teams
APT3 is an ATT&CK intrusion set with multiple aliases and public reporting tying it to campaigns such as Operation Clandestine Fox, Clandestine Wolf, and Double Tap. For leaders, the value of this object is not the name alone: the related ATT&CK context points to a Windows-heavy intrusion pattern involving remote access tooling, credential theft, discovery, lateral movement, scheduled execution, and data exfiltration over command-and-control channels. That makes it useful for validating whether core enterprise controls can withstand a capable espionage-style operator rather than only commodity malware.
Executive priority
Use APT3 as a control-readiness and incident-planning scenario: can the organization detect credential access against LSASS, use of RDP/SMB for lateral movement, scheduled task persistence, PowerShell or cmd execution, internal discovery, and outbound exfiltration-like traffic? The mapped techniques also record exploitation of the Adobe Flash Player zero-day CVE-2015-3113 and of Internet Explorer CVE-2014-1776, so vulnerability leaders should ensure legacy client-side software exposure and emergency patch processes are measurable. For compliance and board reporting, this group is a good test case for proving endpoint, identity, network, and IR evidence is retained and usable during an investigation.
Technical view
ATT&CK does not provide a group-level detection statement or explicit group platforms, but the relationships are strongly oriented around Windows behaviors and tools: PlugX, SHOTPUT, schtasks, OSInfo, RemoteCMD, LaZagne, LSASS memory access, RDP, SMB/admin shares, scheduled tasks, PowerShell, and Windows command shell. SOC and IR teams should validate detections across the behavior chain: execution through command interpreters, suspicious scheduled task creation or modification, credential access indicators involving LSASS or password recovery tooling, discovery commands for users/processes/network configuration/remote systems, lateral movement over RDP and SMB, and outbound traffic consistent with C2-based exfiltration. Treat aliases such as Gothic Panda, Pirpi, UPS Team, Buckeye, TG-0110, and Threat Group-0110 as intelligence correlation terms, not standalone detection logic.
Likely telemetry
- Endpoint process creation with command-line arguments, parent/child process context, and script execution details
- PowerShell logging where available, including script block/module activity and encoded or obfuscated command patterns
- Windows scheduled task creation, modification, execution, and schtasks.exe usage
- Windows authentication and logon telemetry for RDP, SMB, administrative shares, and lateral movement paths
- LSASS access events, credential dumping prevention/alert telemetry, and memory access indicators
Detection direction
- Prioritize behavior-based analytics over name matching because the group has many aliases and related tools include both custom and publicly available software.
- Correlate discovery followed by credential access and RDP/SMB activity; each event alone may resemble administration, but the sequence is higher value for detection engineering.
- Tune scheduled task detections for unusual creators, paths, command interpreters, remote creation, and tasks running from user-writable or unexpected locations.
- Validate PowerShell and cmd visibility; missing command-line and script telemetry is a major blind spot for the related execution techniques.
- Review false positives from legitimate administration tools such as schtasks, RDP, SMB, and remote command execution; detections should include user, host role, time, source, and change-ticket context where possible.
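The detection direction above is easier to reason about as running code. The block below is an added example written for this page, not ATT&CK content or code from any vendor or report: it classifies constructed endpoint events (process creation with command line, LSASS access, scheduled task creation, admin-share and RDP logons) into chain stages and alerts only when one user completes discovery, then credential access, then lateral movement within a time window, while a separate check flags schtasks creations that run from user-writable paths or as SYSTEM from untrusted locations. Every host, user, path, allow-list and event record is constructed for illustration; the field names only loosely follow Sysmon and Security-log naming and must be mapped onto your own schema.

```python
"""Behavior-chain detection over constructed Windows endpoint telemetry.

Added example for this page; not part of the ATT&CK object, the cited
reports or any vendor product. Hosts, users, paths, allow-lists and event
records are constructed (assumptions); map them onto your own schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands behind the techniques mapped to APT3 (T1016, T1033,
# T1049, T1057, T1069, T1082, T1087). Pattern is an assumption; extend it.
DISCOVERY_RE = re.compile(
    r"\b(whoami|ipconfig|systeminfo|tasklist|netstat|hostname|quser)\b"
    r"|\bnet1?\s+(user|localgroup|group|view|session)\b",
    re.IGNORECASE,
)
LSASS_ALLOW = ("c:\\windows\\system32\\", "c:\\program files\\")   # assumption
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")

# Constructed telemetry: one intrusion (WS-17 -> FS-02) and one legitimate admin.
EVENTS = [
    {"ts": "2025-01-10T09:00:05", "host": "WS-17", "user": "CORP\\jdoe", "kind": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-01-10T09:00:14", "host": "WS-17", "user": "CORP\\jdoe", "kind": "process",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net localgroup administrators"},
    {"ts": "2025-01-10T09:01:40", "host": "WS-17", "user": "CORP\\jdoe", "kind": "lsass_access",
     "source_image": "C:\\Users\\Public\\svchost.exe", "granted_access": "0x1010"},
    {"ts": "2025-01-10T09:03:02", "host": "WS-17", "user": "CORP\\jdoe", "kind": "process",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn \"Updater\" /tr C:\\Users\\Public\\update.exe /sc ONLOGON /ru SYSTEM"},
    {"ts": "2025-01-10T09:04:31", "host": "FS-02", "user": "CORP\\jdoe", "kind": "share",
     "share": "\\\\*\\ADMIN$", "src_ip": "10.0.5.17"},
    {"ts": "2025-01-10T09:05:10", "host": "FS-02", "user": "CORP\\jdoe", "kind": "logon",
     "logon_type": 10, "src_ip": "10.0.5.17"},
    {"ts": "2025-01-10T09:10:00", "host": "ADMIN-01", "user": "CORP\\svc-admin", "kind": "process",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2025-01-10T09:10:30", "host": "ADMIN-01", "user": "CORP\\svc-admin", "kind": "lsass_access",
     "source_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "granted_access": "0x1000"},
    {"ts": "2025-01-10T09:12:00", "host": "FS-02", "user": "CORP\\svc-admin", "kind": "logon",
     "logon_type": 10, "src_ip": "10.0.9.2"},
]


def is_suspicious_schtask(cmdline):
    """schtasks /create whose action lives in a user-writable path, or runs as
    SYSTEM from outside the Windows / Program Files trees (T1053.005)."""
    low = cmdline.lower()
    if "/create" not in low:
        return False
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', low)
    action = (m.group(1) or m.group(2)) if m else ""
    as_system = re.search(r'/ru\s+"?(system|nt authority\\system)', low) is not None
    return any(p in action for p in USER_WRITABLE) or (
        as_system and not action.startswith(TRUSTED_ROOTS))


def classify(ev):
    """Map one event to zero or more stages of the behavior chain."""
    stages, kind, cmd = set(), ev["kind"], ev.get("cmdline", "")
    if kind == "process" and DISCOVERY_RE.search(cmd):
        stages.add("discovery")
    if kind == "process" and "schtasks" in ev.get("image", "").lower() and is_suspicious_schtask(cmd):
        stages.add("persistence")
    if kind == "lsass_access" and not ev["source_image"].lower().startswith(LSASS_ALLOW):
        stages.add("credential_access")                      # T1003.001
    if kind == "logon" and ev.get("logon_type") == 10:        # RDP, T1021.001
        stages.add("lateral_movement")
    if kind == "share" and ev.get("share", "").upper().endswith("ADMIN$"):  # T1021.002
        stages.add("lateral_movement")
    return stages


CHAIN = ("discovery", "credential_access", "lateral_movement")


def detect_chain(events, window=timedelta(minutes=30)):
    """One alert per user who completes discovery -> credential access ->
    lateral movement, in order, within `window` of the first discovery hit."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(ev):
            hits[ev["user"]].append((datetime.fromisoformat(ev["ts"]), stage, ev["host"]))
    alerts = []
    for user, seq in hits.items():
        idx, start, hosts, persisted = 0, None, [], False
        for ts, stage, host in seq:
            if start is not None and ts - start > window:
                break
            persisted |= stage == "persistence"
            if idx < len(CHAIN) and stage == CHAIN[idx]:
                start = ts if start is None else start
                idx += 1
                hosts.append(host)
        if idx == len(CHAIN):
            alerts.append({"user": user, "hosts": sorted(set(hosts)),
                           "persistence": persisted, "first_seen": start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```

Run as a script it prints one alert for CORP\jdoe spanning WS-17 and FS-02 with persistence attached; the CORP\svc-admin activity (discovery plus RDP, LSASS opened only by an allow-listed image) produces nothing, which is the point of correlating the ordered sequence rather than alerting on each event.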
Mitigation priorities
- Reduce credential exposure first: enforce least privilege, protect administrative accounts, restrict credential reuse, and harden systems against LSASS credential theft.
- Constrain lateral movement paths by limiting RDP and SMB/admin share access to approved administrators, management hosts, and documented business needs.
- Harden execution surfaces by controlling PowerShell and command-shell abuse, monitoring script execution, and restricting untrusted binaries where feasible.
- Govern scheduled tasks as a persistence and execution surface: baseline known tasks, alert on unusual creation or modification, and review remote task creation permissions.
- Maintain endpoint and network visibility sufficient for IR reconstruction, including process, authentication, scheduled task, and egress logs with adequate retention.
Analyst notes and limits
The supplied ATT&CK object identifies APT3 as a China-based group that researchers have attributed to China's Ministry of State Security and lists historical campaigns and aliases. The most actionable defensive context comes from the relationships to software and techniques, especially Windows-oriented tooling and behaviors. This analysis intentionally treats APT3 as a defensive emulation and readiness scenario rather than asserting current activity or exposure.
No official detection text, group-level tactics, or group-level platforms were supplied. Platform and tactic guidance is inferred only from related ATT&CK techniques and software, not from explicit APT3 object fields. Local telemetry, asset inventory, identity architecture, and approved administrative practices are required to decide what is suspicious in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | An APT3 downloader creates persistence by creating the following scheduled task: |
| Enterprise | T1104 | Multi-Stage Channels | An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81. (Citation: FireEye Operation Double Tap) |
| Enterprise | T1110.002 | Password Cracking (sub-technique) | APT3 has been known to brute force password hashes to be able to leverage plain text credentials. (Citation: APT3 Adversary Emulation Plan) |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | APT3 has been known to use |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | APT3 has used tools to dump passwords from browsers. (Citation: Symantec Buckeye) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | An APT3 downloader uses the Windows command |
| Enterprise | T1016 | System Network Configuration Discovery | A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway. (Citation: Symantec Buckeye) (Citation: evolution of pirpi) |
| Enterprise | T1049 | System Network Connections Discovery | APT3 has a tool that can enumerate current network connections. (Citation: Symantec Buckeye) (Citation: FireEye Clandestine Fox) (Citation: evolution of pirpi) |
| Enterprise | T1090.002 | External Proxy (sub-technique) | An APT3 downloader establishes SOCKS5 connections for its initial C2. (Citation: FireEye Operation Double Tap) |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | APT3 has a tool that can run DLLs. (Citation: FireEye Clandestine Fox) |
| Enterprise | T1027 | Obfuscated Files or Information | APT3 obfuscates files or information to help evade defensive measures. (Citation: Symantec Buckeye) |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique) | APT3 has sent spearphishing emails containing malicious links. (Citation: FireEye Clandestine Wolf) |
| Enterprise | T1098.007 | Additional Local or Domain Groups (sub-technique) | APT3 has been known to add created accounts to local admin groups to maintain elevated access. (Citation: aptsim) |
| Enterprise | T1204.001 | Malicious Link (sub-technique) | APT3 has lured victims into clicking malicious links delivered through spearphishing. (Citation: FireEye Clandestine Wolf) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | APT3 has a tool that exfiltrates data over the C2 channel. (Citation: FireEye Clandestine Fox) |
| Enterprise | T1552.001 | Credentials In Files (sub-technique) | APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome. (Citation: Symantec Buckeye) |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | APT3 has been known to stage files for exfiltration in a single location. (Citation: aptsim) |
| Enterprise | T1078.002 | Domain Accounts (sub-technique) | APT3 leverages valid accounts after gaining credentials for use within the victim domain. (Citation: Symantec Buckeye) |
| Enterprise | T1005 | Data from Local System | APT3 will identify Microsoft Office documents on the victim's computer. (Citation: aptsim) |
| Enterprise | T1203 | Exploitation for Client Execution | APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Clandestine Fox) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement. (Citation: Symantec Buckeye) |
| Enterprise | T1574.001 | DLL (sub-technique) | APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools. (Citation: FireEye Clandestine Fox) (Citation: FireEye Clandestine Fox Part 2) |
| Enterprise | T1087.001 | Local Account (sub-technique) | APT3 has used a tool that can obtain info about local and global group users, power users, and administrators. (Citation: Symantec Buckeye) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | APT3 has a tool that can delete files. (Citation: FireEye Clandestine Fox) |
| Enterprise | T1083 | File and Directory Discovery | APT3 has a tool that looks for files and directories on the local file system. (Citation: FireEye Clandestine Fox) (Citation: evolution of pirpi) |
| Enterprise | T1546.008 | Accessibility Features (sub-technique) | APT3 replaces the Sticky Keys binary |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | APT3 has used tools to compress data before exfilling it. (Citation: aptsim) |
| Enterprise | T1082 | System Information Discovery | APT3 has a tool that can obtain information about the local system. (Citation: Symantec Buckeye) (Citation: evolution of pirpi) |
| Enterprise | T1059.001 | PowerShell (sub-technique) | APT3 has used PowerShell on victim systems to download and run payloads after exploitation. (Citation: FireEye Operation Double Tap) |
| Enterprise | T1543.003 | Windows Service (sub-technique) | APT3 has a tool that creates a new service for persistence. (Citation: FireEye Operation Double Tap) |
| Enterprise | T1003.001 | LSASS Memory (sub-technique) | APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig." (Citation: Symantec Buckeye) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | APT3 places scripts in the startup folder for persistence. (Citation: FireEye Operation Double Tap) |
| Enterprise | T1021.001 | Remote Desktop Protocol (sub-technique) | |
| Enterprise | T1057 | Process Discovery | APT3 has a tool that can list out currently running processes. (Citation: FireEye Clandestine Fox) (Citation: evolution of pirpi) |
| Enterprise | T1095 | Non-Application Layer Protocol | An APT3 downloader establishes SOCKS5 connections for its initial C2. (Citation: FireEye Operation Double Tap) |
| Enterprise | T1069 | Permission Groups Discovery | APT3 has a tool that can enumerate the permissions associated with Windows groups. (Citation: Symantec Buckeye) |
| Enterprise | T1018 | Remote System Discovery | APT3 has a tool that can detect the existence of remote systems. (Citation: Symantec Buckeye) (Citation: FireEye Clandestine Fox) |
| Enterprise | T1056.001 | Keylogging (sub-technique) | APT3 has used a keylogging tool that records keystrokes in encrypted files. (Citation: Symantec Buckeye) |
| Enterprise | T1036.010 | Masquerade Account Name (sub-technique) | APT3 has been known to create or enable accounts, such as |
| Enterprise | T1027.002 | Software Packing (sub-technique) | APT3 has been known to pack their tools. (Citation: APT3 Adversary Emulation Plan) (Citation: FireEye Clandestine Wolf) |
| Enterprise | T1136.001 | Local Account (sub-technique) | APT3 has been known to create or enable accounts, such as |
| Enterprise | T1105 | Ingress Tool Transfer | APT3 has a tool that can copy files to remote machines. (Citation: FireEye Clandestine Fox) |
| Enterprise | T1033 | System Owner/User Discovery | An APT3 downloader uses the Windows command |
| Enterprise | T1027.005 | Indicator Removal from Tools (sub-technique) | APT3 has been known to remove indicators of compromise from tools. (Citation: APT3 Adversary Emulation Plan) |
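The T1104, T1090.002 and T1095 rows describe the same network behavior: the downloader speaks SOCKS5 to a first-hop host on an unusual port (1913/tcp) and asks that host to CONNECT onward to a second address on port 81. The block below is an added example written for this page, not code from ATT&CK, FireEye or APT3 tooling. It builds the client side of that exchange per RFC 1928 from the two addresses the relationship text quotes (defanging removed), then parses the client prologue of an arbitrary stream to recover the method list, command and destination, which is what a network sensor needs in order to alert on SOCKS5 handshakes toward ports no sanctioned proxy listens on. The approved-proxy port set is an assumption; the byte layout is the RFC's, and the parser also handles domain-name and IPv6 destinations beyond the IPv4 case in the text.

```python
"""SOCKS5 (RFC 1928) client-prologue parser for spotting proxied C2 stagers.

Added example for this page; not part of the ATT&CK object or the cited
reports. PROXY and TARGET are the endpoints quoted in the T1104 / T1090.002
relationship text (defanging removed); APPROVED_PROXY_PORTS is an assumption.
"""
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
APPROVED_PROXY_PORTS = {1080}          # assumption: where sanctioned SOCKS proxies listen
PROXY = ("192.157.198.103", 1913)      # first hop, from the relationship text
TARGET = ("192.184.60.229", 81)        # second hop requested through the proxy


def socks5_greeting(methods=(0x00,)):
    """VER NMETHODS METHODS...; 0x00 = no authentication required."""
    return bytes([SOCKS_VER, len(methods), *methods])


def socks5_connect_request(host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT for an IPv4/IPv6 literal or a domain name."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (0x01 if ip.version == 4 else 0x04), ip.packed
    except ValueError:
        raw = host.encode("idna")
        atyp, addr = 0x03, bytes([len(raw)]) + raw
    return bytes([SOCKS_VER, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)


def downloader_prologue():
    """Client bytes the described stager would send to PROXY: greeting, then a
    CONNECT for TARGET. Constructed from the page text, not captured traffic."""
    return socks5_greeting() + socks5_connect_request(*TARGET)


def parse_client_prologue(data):
    """Parse greeting + request from the client side of a stream. Returns a dict,
    or None when the bytes are not a well-formed SOCKS5 client prologue."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    off = 2 + data[1]                                  # skip NMETHODS method bytes
    methods = list(data[2:off])
    if len(data) < off + 4 or data[off] != SOCKS_VER or data[off + 2] != 0x00:
        return None
    cmd, atyp = data[off + 1], data[off + 3]
    off += 4
    if atyp == 0x01 and len(data) >= off + 6:
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == 0x04 and len(data) >= off + 18:
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    elif atyp == 0x03 and len(data) >= off + 1 and len(data) >= off + 3 + data[off]:
        n = data[off]
        host, off = data[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    else:
        return None
    (port,) = struct.unpack("!H", data[off:off + 2])
    return {"methods": methods, "command": CMD_NAMES.get(cmd, hex(cmd)),
            "host": host, "port": port, "trailing": bytes(data[off + 2:])}


def is_unexpected_socks5(dst_port, client_bytes):
    """A SOCKS5 handshake toward a port no sanctioned proxy listens on, such as
    the 1913/tcp first hop above, is the event to alert on."""
    return parse_client_prologue(client_bytes) is not None and dst_port not in APPROVED_PROXY_PORTS


if __name__ == "__main__":
    print(parse_client_prologue(downloader_prologue()))
    print("unexpected:", is_unexpected_socks5(PROXY[1], downloader_prologue()))
```

Feeding the first client bytes of a flow to `parse_client_prologue` recovers the onward destination even when the outer TCP connection looks like opaque traffic on a random high port, so the check can run on the T1095 side (non-application protocol on 1913/tcp) and still produce the T1104 second-hop indicator for the analyst.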
Groups, software, and campaigns
S0165: OSInfo
S0111: schtasks
S0013: PlugX
S0349: LaZagne
S0063: SHOTPUT
S0166: RemoteCMD
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | ec7ee360150a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye Clandestine Wolf: Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- [2] Recorded Future APT3 May 2017: Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved September 16, 2024.
- [3] FireEye Operation Double Tap: Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- [4] Symantec Buckeye: Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- [5] APT3 (alias entry): (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [6] Buckeye (alias entry): (Citation: Symantec Buckeye)
- [7] Gothic Panda (alias entry): (Citation: PWC Pirpi Scanbox) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [8] PWC Pirpi Scanbox: Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. Retrieved March 30, 2016.
- [9] Pirpi (alias entry): (Citation: PWC Pirpi Scanbox)
- [10] TG-0110 (alias entry): (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [11] Threat Group-0110 (alias entry): (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [12] UPS Team (alias entry): (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
- [13] mitre-attack G0022 (MITRE ATT&CK external ID)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.