MITRE ATT&CK® Group

G0025: APT17

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. [1]

Enterprise | G0025 | Group | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

APT17, also known as Deputy Dog, is the ATT&CK group entry for a China-based threat group reported to have conducted intrusions against U.S. government, defense, legal, IT, mining, and NGO organizations. The decision value for defenders lies less in treating the group name as a detector than in validating readiness for the behaviors ATT&CK links to it: use of BLACKCOFFEE malware, and pre-intrusion resource development through acquisition of web-service infrastructure (Web Services) and creation of accounts (Establish Accounts).

Executive priority

Use this object to drive threat-informed control validation for organizations in or adjacent to the sectors named by ATT&CK. Leaders should ask whether SOC, incident response, and threat intelligence teams can connect suspicious Windows malware activity, external account/persona infrastructure, and abuse of common web services into a single investigation narrative. This is also useful for audit and resilience conversations: can the organization show evidence that externally hosted services, suspicious accounts, and endpoint malware leads are monitored, triaged, and escalated before they become business disruption?

Technical view

ATT&CK does not provide a detection section, platforms, or tactics directly for APT17, so technical validation should be based on the supplied relationships. BLACKCOFFEE is listed as related software and has Windows as its platform, while Web Services and Establish Accounts are resource-development techniques on PRE platforms. SOC and IR teams should validate whether they can detect and investigate Windows malware indicators tied to known tooling, correlate suspicious external web-service use or account infrastructure from threat intelligence, and preserve enough endpoint, proxy, DNS, identity, and case-management context to support attribution-agnostic response.

Likely telemetry

  • Endpoint detection and response telemetry from Windows systems relevant to suspected malware activity
  • Host process, file, registry, and network connection evidence for malware triage
  • DNS, proxy, secure web gateway, and firewall logs showing access to external web services
  • Threat intelligence records for suspicious accounts, personas, domains, or web-service infrastructure
  • Email and collaboration security logs where external accounts or web services may be used in targeting workflows

Detection direction

  • Do not build coverage solely around the APT17 name; validate detections against the related software and techniques supplied by ATT&CK.
  • For BLACKCOFFEE-related readiness, confirm Windows endpoint telemetry is retained and searchable enough to support malware investigation and scoping.
  • For Web Services and Establish Accounts, tune intelligence-led monitoring for suspicious or newly observed external services and accounts while accounting for common legitimate business use of public platforms.
  • Correlate endpoint alerts with DNS/proxy activity and identity context to reduce false positives from normal SaaS, social media, legal research, recruiting, vendor, or NGO engagement activity.
  • Document blind spots where pre-compromise resource development occurs outside the enterprise perimeter and may only be visible through threat intelligence, email security, web logs, or incident reporting.
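One way to turn the correlation steps in this list into something a SOC can run is shown below. This is an added example, not code from the ATT&CK entry, from FireEye, or from Glexia: it joins Windows EDR network-connection events to proxy records for the same host and destination within a short time window, flags first-seen non-browser processes reaching destinations the proxy categorizes as public web services (forums, social, paste, and similar), suppresses pairs already seen in a baseline window, and separately records endpoint connections the proxy never logged so the visibility gap is documented rather than silently dropped. All hostnames, users, process names, category labels, the key=value proxy format, and the `svc_` service-account prefix used to raise priority are constructed assumptions for the example, not indicators associated with APT17 or BLACKCOFFEE.

```python
"""Correlate Windows EDR network-connection events with proxy logs to surface
first-seen use of public web services by non-browser processes.

Added example. Sample telemetry, hostnames, users, process images, category
labels and log format are constructed placeholders, not real indicators."""
from datetime import datetime, timedelta, timezone

# Constructed proxy log in key=value form (assumed format, not a vendor's).
PROXY_LOG = """\
2024-03-04T09:02:11Z src=WS01 user=alice dest=forum.example.net category=forums action=allowed
2024-03-04T09:05:40Z src=WS01 user=alice dest=paste.example category=paste action=allowed
2024-03-04T10:15:02Z src=WS02 user=bob dest=cdn.vendor.example category=business action=allowed
2024-03-04T10:16:30Z src=WS02 user=bob dest=social.example category=social action=allowed
2024-03-04T11:00:00Z src=WS03 user=svc_backup dest=forum.example.net category=forums action=allowed
"""

# Constructed EDR network-connection events: (timestamp, host, process image, destination).
EDR_NETCONN = [
    ("2024-03-04T09:02:09Z", "WS01", "chrome.exe", "forum.example.net"),
    ("2024-03-04T09:05:38Z", "WS01", "updater.exe", "paste.example"),
    ("2024-03-04T10:16:28Z", "WS02", "msedge.exe", "social.example"),
    ("2024-03-04T10:59:58Z", "WS03", "wmiprvse.exe", "forum.example.net"),
    ("2024-03-04T12:30:00Z", "WS04", "powershell.exe", "files.example.org"),
]

# (process, destination) pairs already observed during an earlier baseline window.
BASELINE_PAIRS = {("chrome.exe", "forum.example.net"), ("msedge.exe", "social.example")}

# Proxy categories treated as public web services (assumed labels).
WEB_SERVICE_CATEGORIES = {"forums", "social", "paste", "blog", "cloud-storage"}
# Interactive browsers: their use of public platforms is normal business activity.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
JOIN_WINDOW = timedelta(seconds=30)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_proxy_log(text):
    """Turn key=value proxy lines into dicts with a parsed 'ts' field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = parse_ts(ts)
        records.append(rec)
    return records


def correlate(proxy_text, edr_events, baseline, window=JOIN_WINDOW):
    """Return (findings, gaps).

    findings: EDR connections from non-browser, non-baselined processes whose
              proxy record is categorized as a public web service.
    gaps:     EDR connections with no proxy record for the same host and
              destination inside the join window (a telemetry blind spot)."""
    proxy = parse_proxy_log(proxy_text)
    findings, gaps = [], []
    for ts_s, host, process, dest in edr_events:
        ts = parse_ts(ts_s)
        matches = [p for p in proxy
                   if p["src"] == host and p["dest"] == dest
                   and abs(p["ts"] - ts) <= window]
        if not matches:
            gaps.append((ts_s, host, process, dest))
            continue
        rec = min(matches, key=lambda r: abs(r["ts"] - ts))
        if rec["category"] not in WEB_SERVICE_CATEGORIES:
            continue
        if process.lower() in BROWSERS or (process, dest) in baseline:
            continue  # ordinary interactive or previously seen use of a public platform
        findings.append({
            "ts": ts.isoformat(),
            "host": host,
            "user": rec["user"],
            "process": process,
            "dest": dest,
            "category": rec["category"],
            "reason": "first-seen non-browser process reaching public web service",
            # Assumed convention: 'svc_' marks a non-interactive service account.
            "priority": "high" if rec["user"].startswith("svc_") else "medium",
        })
    return findings, gaps


if __name__ == "__main__":
    found, missing = correlate(PROXY_LOG, EDR_NETCONN, BASELINE_PAIRS)
    for f in found:
        print("FINDING", f)
    for g in missing:
        print("NO PROXY RECORD", g)
```

The baseline set is what keeps the rule from paging on every employee who opens a forum in a browser; in practice it would be built from a prior window of the same joined data and refreshed on a schedule, and the `gaps` list is the evidence for the blind-spot bullet above, since an endpoint connection the proxy never saw usually means split tunnelling, a bypassed egress path, or a logging outage rather than benign activity.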

Mitigation priorities

  • Prioritize telemetry completeness first: Windows endpoint visibility, DNS/proxy logging, and identity/access logs are foundational for the relationships supplied.
  • Maintain threat intelligence workflows that can track aliases, related malware, and suspicious external account or web-service infrastructure without assuming attribution.
  • Harden investigation playbooks so malware detections, suspicious web-service usage, and external account indicators are triaged together rather than in separate queues.
  • Use sector relevance from the ATT&CK description to guide tabletop exercises and executive escalation criteria, especially for government, defense, legal, IT, mining, and NGO contexts.
  • Review retention, logging, and evidence-handling requirements so incident responders can reconstruct activity across endpoint, network, identity, and external intelligence sources.

Analyst notes and limits

The ATT&CK object identifies APT17/Deputy Dog and cites FireEye reporting. The supplied relationships are limited but useful: BLACKCOFFEE malware, Web Services, and Establish Accounts. This supports a defensive focus on Windows malware investigation and pre-intrusion resource-development awareness, not a claim of current activity or guaranteed exposure.

Official detection guidance, direct platforms, and direct tactics for the group object were not provided. Any local priority rating should be based on the organization’s sector, exposure, telemetry maturity, and whether related indicators or behaviors are observed in its own environment.

Official MITRE ATT&CK definition

APT17

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 29b62c401ff83b2b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 29b62c401ff8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye APT17: FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024.
  2. [2] APT17 (alias entry in the ATT&CK object; cites FireEye APT17)
  3. [3] Deputy Dog (alias entry in the ATT&CK object; cites FireEye APT17)
  4. [4] mitre-attack G0025 (MITRE-hosted object page)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.