G0023: APT16
Analyst context for executives and security teams
APT16 is documented by ATT&CK as a China-based group associated with spearphishing campaigns against Japanese and Taiwanese organizations. The limited ATT&CK context still has practical value: it points leaders and defenders toward email-driven intrusion readiness, awareness that third-party or compromised servers may be used as infrastructure, and response planning for ELMER, the Windows HTTP backdoor that ATT&CK relates to the group.
Executive priority
Treat this as a focused threat-intelligence input rather than a complete risk profile. Organizations with operations, partners, executives, suppliers, or sensitive business activity connected to Japan or Taiwan should validate whether phishing defense, user reporting, incident triage, and Windows endpoint visibility can support timely decisions. The associated resource-development technique also reinforces the need to avoid relying only on known-bad infrastructure lists, because compromised third-party servers may be used in operations.
Technical view
ATT&CK does not provide tactics, platforms, or detection guidance directly for the APT16 group object. Relationship context adds two defensive anchors: APT16 has used ELMER, described as a non-persistent, proxy-aware HTTP backdoor written in Delphi for Windows, and has used T1584.004 Server under resource development. SOC and IR teams should therefore validate phishing investigation workflows, Windows endpoint evidence for suspicious HTTP backdoor behavior where ELMER is in scope, and network/proxy/DNS visibility that can support analysis of traffic to suspicious or compromised external servers.
Likely telemetry
- Email security gateway and mailbox telemetry for spearphishing investigations
- User-reported phishing submissions and security awareness reporting records
- Endpoint detection and response data from Windows systems, where available
- Process execution, network connection, and proxy-aware application behavior on Windows endpoints
- Web proxy, firewall, DNS, and HTTP connection logs for outbound traffic analysis
Detection direction
- Do not build coverage around the group name alone; map detections to observable behaviors from the relationships: spearphishing, Windows backdoor activity associated with ELMER, and use of compromised servers for staging or command and control.
- Validate that phishing detections preserve enough evidence for IR decisions, including sender, URL, attachment, delivery, click/open, and user-report context.
- Tune network analytics for suspicious outbound HTTP patterns while accounting for false positives from normal proxy-aware business applications and legitimate third-party services.
- Where ELMER-specific intelligence is used, separate durable behavioral logic from brittle indicators, because the supplied ATT&CK text identifies the software but does not provide detection rules or indicators.
- Review visibility gaps around encrypted web traffic, unmanaged endpoints, remote users, and logs with short retention, as these can limit reconstruction of phishing-to-backdoor activity.
Mitigation priorities
- Prioritize phishing resilience: email filtering, user reporting paths, awareness reinforcement, and rapid mailbox/endpoint containment procedures.
- Ensure Windows endpoint monitoring and response coverage is sufficient for investigating suspicious process and outbound HTTP activity related to backdoor behavior.
- Strengthen egress monitoring through proxy, DNS, firewall, and logging controls so defenders can investigate connections to suspicious or compromised third-party servers.
- Use threat intelligence as enrichment, not the only control, because the related technique explicitly allows use of compromised servers that may appear legitimate.
- Document detection and response coverage as compliance and audit evidence for phishing-led intrusion scenarios where this threat context is relevant.
Analyst notes and limits
The ATT&CK object is sparse: it identifies APT16, a China-based group, spearphishing campaigns targeting Japanese and Taiwanese organizations, and relationships to ELMER and T1584.004 Server. The defensive value comes from translating those relationships into validation questions for email security, Windows endpoint monitoring, outbound web telemetry, and IR readiness.
No official ATT&CK detection text is provided for the group object, and the group object itself lists no platforms or tactics. Relationship-derived details should be used carefully: ELMER provides Windows context, and T1584.004 provides resource-development context, but local exposure, active targeting, and detection effectiveness require environment-specific evidence.
APT16
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
S0064: ELMER
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye EPS Awakens Part 2: Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
[2] APT16 (Citation: FireEye EPS Awakens Part 2)
[3] mitre-attack G0023
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.