G0026: APT18
Analyst context for executives and security teams
APT18 is an ATT&CK group entry describing a long-running threat group reported since at least 2009, with targeting across the technology, manufacturing, human rights, government, and medical sectors. The decision value lies less in the name than in the associated relationships, which point to credential use, external remote access, Windows command execution, persistence, discovery, file transfer, deletion, and web/DNS command-and-control patterns. For leaders, this is a useful scenario for testing whether identity controls, endpoint visibility, and network egress monitoring work together during a real intrusion investigation.
Executive priority
Prioritize this as an operational resilience and readiness scenario rather than as proof of current exposure. Executives should ask whether remote access services are strongly authenticated and logged, whether SOC teams can connect suspicious logins to endpoint activity, and whether DNS/web traffic can support incident response. Because ATT&CK provides no official detection text and no group-level platforms or tactics, audit and budget decisions should focus on validating control coverage for the related techniques and software, not on the group name itself.
Technical view
The relationship set is directly useful for SOC and IR validation. Confirm visibility for Windows command shell activity, at-based scheduling, Registry Run keys and Startup folders, file deletion, file and directory discovery, system information discovery, ingress tool transfer, valid account abuse, and external remote services. Network detection should cover web-protocol and DNS-based command-and-control, especially given the Pisloader note about DNS C2 and anti-analysis and the HTTPBrowser, gh0st RAT, and hcdLoader relationships. Treat these relationships as analytic context, not attribution proof: several of the related tools are public or shared across multiple groups, and cmd itself is a native Windows utility.
Likely telemetry
- Identity provider, VPN, remote access, and externally exposed service authentication logs
- Endpoint process creation telemetry, especially cmd.exe and child-process chains
- Scheduled execution evidence, including at utility usage where present
- Windows Registry Run key and Startup folder modification events
- Endpoint file creation, deletion, rename, and transfer events
- DNS resolver query logs and web proxy or egress flow logs, with the originating process where the endpoint agent can supply it
Detection direction
- Build correlation around suspicious remote-service login followed by command shell execution, discovery, tool transfer, persistence creation, and cleanup activity.
- Tune detections for cmd.exe, at, file deletion, and discovery commands against administrative baselines to reduce false positives from legitimate operations.
- Validate DNS monitoring for unusual query patterns, rare domains, high-volume or structured subdomain activity, and other indicators consistent with DNS-based C2, without assuming every anomaly is malicious.
- Validate web egress monitoring for unusual client behavior, rare destinations, and process-to-network relationships where endpoint telemetry is available.
- Alert on new or modified Run keys and Startup folder entries, especially when preceded by remote access, tool transfer, or command shell activity.
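The DNS bullet above lists signals rather than a rule. The following Python is an added example, not code from the ATT&CK page or from MITRE: it profiles a constructed resolver log per registered domain and flags domains that show the combination of high subdomain churn, long high-entropy first labels, and TXT/NULL record use that the page associates with DNS-based C2. The log format, the client addresses and domains, the thresholds, and the "last two labels" approximation of a registered domain (no public-suffix list) are all assumptions for illustration.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed resolver log (not real telemetry): "<timestamp> <client> <qname> <qtype>".
# Clients and domains are hypothetical; bad-example.net plays the DNS C2 domain.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 www.example.com A
2024-05-01T10:00:02Z 10.1.2.3 cdn.example.com A
2024-05-01T10:00:05Z 10.1.2.3 mail.example.com A
2024-05-01T10:01:00Z 10.1.2.9 3a4f2c1b9e8d7a6f.ns1.bad-example.net TXT
2024-05-01T10:01:02Z 10.1.2.9 7c0e1d2f3a4b5c6d.ns1.bad-example.net TXT
2024-05-01T10:01:04Z 10.1.2.9 9f8e7d6c5b4a3928.ns1.bad-example.net TXT
2024-05-01T10:01:06Z 10.1.2.9 1a2b3c4d5e6f7081.ns1.bad-example.net TXT
2024-05-01T10:01:08Z 10.1.2.9 c4d5e6f708192a3b.ns1.bad-example.net TXT
2024-05-01T10:01:10Z 10.1.2.9 5e6f708192a3b4c5.ns1.bad-example.net TXT
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text: str) -> List[dict]:
    """Parse the constructed log format; lines that do not match are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            records.append({"ts": ts, "client": client,
                            "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels approximate the registered domain (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data in a label scores higher than a word such as 'mail'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(records: List[dict]) -> Dict[str, dict]:
    """Aggregate, per registered domain, the signals the page lists: volume, subdomain churn,
    structure of the first label, and share of TXT/NULL queries."""
    raw = defaultdict(lambda: {"queries": 0, "subs": set(), "sub_queries": 0,
                               "entropy_sum": 0.0, "len_sum": 0, "txt_null": 0})
    for r in records:
        dom = registered_domain(r["qname"])
        st = raw[dom]
        st["queries"] += 1
        if r["qtype"] in ("TXT", "NULL"):
            st["txt_null"] += 1
        if r["qname"] != dom:
            sub = r["qname"][: -len(dom) - 1]          # everything left of the registered domain
            st["subs"].add(sub)
            st["sub_queries"] += 1
            first_label = sub.split(".")[0]
            st["entropy_sum"] += shannon_entropy(first_label)
            st["len_sum"] += len(first_label)
    profile = {}
    for dom, st in raw.items():
        sq = st["sub_queries"] or 1
        profile[dom] = {
            "queries": st["queries"],
            "unique_subdomains": len(st["subs"]),
            "avg_first_label_entropy": st["entropy_sum"] / sq,
            "avg_first_label_len": st["len_sum"] / sq,
            "txt_null_ratio": st["txt_null"] / st["queries"],
        }
    return profile


def flag_dns_c2_candidates(profile: Dict[str, dict], min_queries: int = 5,
                           min_unique_ratio: float = 0.8, min_entropy: float = 3.0,
                           min_label_len: int = 12) -> List[str]:
    """Thresholds are illustrative assumptions; tune them against the local resolver baseline.
    Volume alone is never enough: a CDN also has many queries, but not one new subdomain per query."""
    flagged = []
    for dom, p in profile.items():
        if p["queries"] < min_queries:
            continue
        churn = p["unique_subdomains"] / p["queries"]
        structured = (p["avg_first_label_entropy"] >= min_entropy
                      and p["avg_first_label_len"] >= min_label_len)
        if churn >= min_unique_ratio and structured:
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    prof = profile_domains(parse_dns_log(SAMPLE_DNS_LOG))
    for dom in flag_dns_c2_candidates(prof):
        print(dom, prof[dom])
```

On the constructed log only bad-example.net is flagged: six queries, six distinct subdomains, 16-character hexadecimal first labels, all TXT. The benign example.com traffic falls below the volume threshold and its labels are short dictionary words, which is the kind of baseline a tuned version of this rule should learn from real resolver data.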
Mitigation priorities
- Start with identity and remote access controls: enforce strong authentication, review externally accessible services, and ensure credential abuse investigations have complete logs.
- Harden and monitor endpoint execution paths, including command shell use, scheduled execution, and persistence locations such as Run keys and Startup folders.
- Restrict and inspect outbound DNS and web traffic according to business need, with logging retained for incident response.
- Improve endpoint file telemetry and response procedures for tool transfer, suspicious file creation, encoded artifacts, and deletion activity.
- Maintain incident response playbooks that connect identity events, endpoint process activity, persistence, and DNS/web egress into one investigation timeline.
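The correlation bullet under Detection direction and the playbook bullet above describe the same mechanics: put identity, endpoint, persistence, and DNS events on one per-host timeline and look for the ordered sequence. The Python below is an added illustration, not MITRE or vendor code. The event format, hostnames, users, addresses, domains, the one-hour window, and the stage match rules are constructed assumptions; in a real deployment each predicate would be backed by the log fields of the identity provider, EDR, and resolver actually in use.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "vpn", "process", "registry" or "dns"
    host: str
    user: str
    detail: str


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed events from four log sources (not real telemetry). Hosts, users,
# addresses and domains are hypothetical; WS-042 carries the intrusion-like sequence.
SAMPLE_EVENTS = [
    Event(ts("2024-05-01T02:10:00Z"), "vpn", "WS-042", "jdoe", "login src=203.0.113.7"),
    Event(ts("2024-05-01T02:12:30Z"), "process", "WS-042", "jdoe", "cmd.exe /c dir c:\\users"),
    Event(ts("2024-05-01T02:13:10Z"), "process", "WS-042", "jdoe", "cmd.exe /c systeminfo"),
    Event(ts("2024-05-01T02:18:00Z"), "process", "WS-042", "jdoe", "cmd.exe /c copy u.exe c:\\users\\public\\"),
    Event(ts("2024-05-01T02:20:00Z"), "registry", "WS-042", "jdoe",
          "set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater = c:\\users\\public\\u.exe"),
    Event(ts("2024-05-01T02:21:00Z"), "dns", "WS-042", "jdoe", "TXT 5e6f7081.ns1.bad-example.net"),
    Event(ts("2024-05-01T09:00:00Z"), "vpn", "WS-007", "asmith", "login src=198.51.100.4"),
    Event(ts("2024-05-01T09:05:00Z"), "process", "WS-007", "asmith", "outlook.exe"),
    Event(ts("2024-05-01T09:06:00Z"), "dns", "WS-007", "asmith", "A www.example.com"),
]

# Ordered stages of the chain the page describes; each predicate is an illustrative match rule.
STAGES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("remote_login", lambda e: e.source == "vpn" and e.detail.startswith("login")),
    ("command_shell", lambda e: e.source == "process" and "cmd.exe" in e.detail.lower()),
    ("persistence", lambda e: e.source == "registry"
        and ("\\run\\" in e.detail.lower() or "startup" in e.detail.lower())),
]


def build_timeline(events: List[Event]) -> Dict[Tuple[str, str], List[Event]]:
    """One chronologically sorted timeline per (host, user) pair."""
    timeline = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        timeline[(e.host, e.user)].append(e)
    return timeline


def find_intrusion_chains(events: List[Event],
                          window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Report every remote login followed, in stage order and within `window`, by command
    shell use and persistence creation. DNS events inside the window are attached as
    supporting C2 context rather than required as a stage, so a quiet implant is still caught."""
    chains = []
    for (host, user), evs in build_timeline(events).items():
        for i, start in enumerate(evs):
            if not STAGES[0][1](start):
                continue
            deadline = start.ts + window
            matched, stage, dns_ctx = [start], 1, []
            for e in evs[i + 1:]:
                if e.ts > deadline:
                    break
                if e.source == "dns":
                    dns_ctx.append(e.detail)
                elif stage < len(STAGES) and STAGES[stage][1](e):
                    matched.append(e)
                    stage += 1
            if stage == len(STAGES):
                chains.append({"host": host, "user": user, "start": start.ts,
                               "stages": [name for name, _ in STAGES],
                               "events": matched, "dns_context": dns_ctx})
    return chains


if __name__ == "__main__":
    for chain in find_intrusion_chains(SAMPLE_EVENTS):
        print(chain["host"], chain["user"], chain["start"].isoformat())
        for e in chain["events"]:
            print("  ", e.ts.time(), e.source, e.detail)
        print("   dns:", chain["dns_context"])
```

Grouping by host and user is what lets the identity login and the endpoint events land on the same timeline; the window keeps an unrelated Run key change hours later from being stitched to a legitimate VPN session. Shrinking the window to five minutes on the sample data drops the chain, which is the false-negative side of the tuning trade-off the Detection direction bullets call out.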
Analyst notes and limits
APT18 is also listed with aliases TG-0416, Dynamite Panda, and Threat Group-0416. The supplied relationships include software and techniques that make this entry useful for detection engineering even though the group object itself has sparse platform and tactic fields. The most actionable defensive theme is integrated coverage across identity, remote access, Windows endpoint activity, persistence, and DNS/web egress.
MITRE provides no official detection text for this object, and the group-level platforms and tactics are not specified. The relationships support defensive planning but do not prove current activity, customer exposure, or attribution in a local incident. Local telemetry, asset scope, authentication architecture, and baseline administrative behavior are required to determine actual risk and coverage.
APT18
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078 | Valid Accounts | APT18 actors leverage legitimate credentials to log into external remote services. (Citation: RSA2017 Detect and Respond Adair) |
| Enterprise | T1027.013 | Encrypted/Encoded File | APT18 obfuscates strings in the payload. (Citation: PaloAlto DNS Requests May 2016) |
| Enterprise | T1133 | External Remote Services | APT18 actors leverage legitimate credentials to log into external remote services. (Citation: RSA2017 Detect and Respond Adair) |
| Enterprise | T1070.004 | File Deletion | APT18 actors deleted tools and batch files from victim systems. (Citation: Dell Lateral Movement) |
| Enterprise | T1053.002 | At | |
| Enterprise | T1105 | Ingress Tool Transfer | APT18 can upload a file to the victim's machine. (Citation: PaloAlto DNS Requests May 2016) |
| Enterprise | T1071.004 | DNS | APT18 uses DNS for C2 communications. (Citation: PaloAlto DNS Requests May 2016) |
| Enterprise | T1082 | System Information Discovery | APT18 can collect system information from the victim's machine. (Citation: PaloAlto DNS Requests May 2016) |
| Enterprise | T1071.001 | Web Protocols | APT18 uses HTTP for C2 communications. (Citation: PaloAlto DNS Requests May 2016) |
| Enterprise | T1083 | File and Directory Discovery | APT18 can list file information for specific directories. (Citation: PaloAlto DNS Requests May 2016) |
| Enterprise | T1059.003 | Windows Command Shell | APT18 uses cmd.exe to execute commands on the victim's machine. (Citation: PaloAlto DNS Requests May 2016) (Citation: Anomali Evasive Maneuvers July 2015) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | APT18 establishes persistence via the |
Groups, software, and campaigns
S0071: hcdLoader
S0032: gh0st RAT
S0106: cmd
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [1]
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [2]), deleting files (e.g., del [3]), and copying files (e.g., copy [4]).
S0124: Pisloader
Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group. [1]
S0070: HTTPBrowser
HTTPBrowser is malware that has been used by several threat groups. [1] [2] It is believed to be of Chinese origin. [3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 48fa13a349da… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dell Lateral Movement: Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
- [2] APT18 (alias entry): (Citation: ThreatStream Evasion Analysis) (Citation: Anomali Evasive Maneuvers July 2015)
- [3] Anomali Evasive Maneuvers July 2015: Shelmire, A. (2015, July 6). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.
- [4] Dynamite Panda (alias entry): (Citation: ThreatStream Evasion Analysis) (Citation: Anomali Evasive Maneuvers July 2015)
- [5] TG-0416 (alias entry): (Citation: ThreatStream Evasion Analysis) (Citation: Anomali Evasive Maneuvers July 2015)
- [6] Threat Group-0416 (alias entry): (Citation: ThreatStream Evasion Analysis)
- [7] ThreatStream Evasion Analysis: Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- [8] mitre-attack: G0026 (source object record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.