G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
Analyst context for executives and security teams
Threat Group-3390 matters because MITRE describes it as a long-running Chinese threat group associated with strategic Web compromises and targeting of aerospace, government, defense, technology, energy, manufacturing, and gambling/betting organizations. For leaders, the practical issue is not a single indicator but readiness against intrusion paths that can start through trusted websites or Web-facing infrastructure and then move into credential theft, remote access, discovery, and backdoor activity using a mix of public tools, native utilities, and custom malware.
Executive priority
Prioritize this as a resilience and assurance problem for high-value environments, especially where sector exposure overlaps MITRE’s listed targeting. Executives should ask whether Web-facing systems, Windows credential stores, privileged accounts, and remote administration paths have defensible monitoring and response playbooks. The relationship set includes credential dumpers, Web shells, RATs/backdoors, Cobalt Strike, Impacket, and native Windows utilities, so budget and audit discussions should focus on whether the organization can prove coverage across initial Web access, credential protection, lateral movement investigation, and containment.
Technical view
ATT&CK provides no group-level detection text or tactics for this object, so defenders should validate coverage from the related software relationships. Focus on Windows-heavy tradecraft shown by Mimikatz, Windows Credential Editor, pwdump, gsecdump, PlugX, China Chopper, ASPXSpy, gh0st RAT, Net, Tasklist, Systeminfo, ipconfig, netstat, certutil, Impacket, HyperBro, ZxShell, Clambling, RCSession, SysUpdate, Pandora, and Cobalt Strike. SOC and IR teams should test whether they can connect Web server anomalies to endpoint process execution, credential dumping signals, unusual administrative command use, remote service activity, and persistence/backdoor findings without relying on one malware signature.
Likely telemetry
- Web server access logs, error logs, file integrity monitoring, and records of newly created or modified server-side scripts relevant to Web shell concerns such as China Chopper and ASPXSpy
- Endpoint process creation, command-line, module load, service creation, scheduled task, and memory-related telemetry on Windows systems
- Authentication logs, privileged account activity, LSASS/credential access alerts, and password/hash dumping indicators relevant to Mimikatz, WCE, pwdump, and gsecdump
- Network connection metadata, DNS, proxy, firewall, and EDR network events for RAT/backdoor and Cobalt Strike-like remote access behavior
- Windows administrative utility usage telemetry for Net, Tasklist, Systeminfo, ipconfig, netstat, and certutil, including parent-child process context
Detection direction
- Because MITRE does not provide official detection guidance for this group object, build detections around the related tools and behaviors rather than the group name alone.
- Correlate suspicious Web server file changes or abnormal requests with subsequent process execution, outbound connections, or internal reconnaissance from the same host.
- Tune detections for credential dumping and access to sensitive Windows credential material, while accounting for legitimate administrative and security testing tools that can resemble Mimikatz, Impacket, or Cobalt Strike usage.
- Baseline native utility usage on servers and privileged workstations; commands such as net, tasklist, systeminfo, ipconfig, netstat, and certutil are common, so detection value depends on context, user, host role, timing, and command arguments.
- Watch for clusters: Web shell evidence plus credential dumping plus internal discovery or RAT/backdoor activity should raise priority over isolated commodity-tool alerts.
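The cluster logic described in this list, as an added illustration (not Glexia or MITRE code): normalised Web-server file-change, process-creation and LSASS-access events are categorised per host, routine native-utility use by baselined accounts is suppressed, and priority rises with the number of distinct categories seen on one host within a time window. Event field names, host names, paths, the IIS worker heuristic and all telemetry values are constructed assumptions, not a vendor schema.

```python
"""Correlate Web-shell, discovery and credential-access signals per host.
Added example; events, hosts, paths and field names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WEB_WORKERS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}      # server-side worker processes
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".php", ".jsp")  # Web-shell-capable file types
NATIVE_DISCOVERY = {"net.exe", "net1.exe", "tasklist.exe", "systeminfo.exe",
                    "ipconfig.exe", "netstat.exe", "whoami.exe", "certutil.exe"}
LSASS_EXPECTED = {"csrss.exe", "wininit.exe", "services.exe"}  # illustrative allowlist only
WINDOW = timedelta(minutes=60)

def classify(ev, baseline):
    """Return a detection category for one event, or None if it is benign alone.
    `baseline` maps host -> set of users whose native-utility use is expected there."""
    kind = ev["type"]
    if kind == "file_write" and ev["path"].lower().endswith(SCRIPT_EXTS) \
            and ev["process"].lower() in WEB_WORKERS:
        return "web_shell"          # worker process dropping a new server-side script
    if kind == "process_create":
        if ev["parent"].lower() in WEB_WORKERS:
            return "web_shell"      # worker spawning a child shell is rare in normal operation
        if ev["image"].lower() in NATIVE_DISCOVERY:
            if ev.get("user", "") in baseline.get(ev["host"], set()):
                return None         # expected admin on this host role: context, not an alert
            return "discovery"
    if kind == "lsass_access" and ev["process"].lower() not in LSASS_EXPECTED:
        return "credential_access"
    return None

def correlate(events, baseline=None, window=WINDOW):
    """Group categorised events per host into clusters no wider than `window`;
    a cluster's priority grows with the number of distinct categories in it."""
    baseline = baseline or {}
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev, baseline)
        if cat:
            per_host[ev["host"]].append((ev["ts"], cat))
    findings = []
    for host, hits in per_host.items():
        clusters, cur = [], [hits[0]]
        for hit in hits[1:]:        # start a new cluster when the window is exceeded
            if hit[0] - cur[0][0] <= window:
                cur.append(hit)
            else:
                clusters.append(cur)
                cur = [hit]
        clusters.append(cur)
        for cl in clusters:
            cats = {c for _, c in cl}
            findings.append({"host": host, "categories": sorted(cats),
                             "priority": {1: "low", 2: "medium", 3: "high"}[len(cats)],
                             "evidence": len(cl)})
    return findings

T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry for a Web server and a jump host
    {"ts": T0, "host": "web01", "type": "file_write", "process": "w3wp.exe",
     "path": r"C:\inetpub\wwwroot\uploads\img.aspx"},
    {"ts": T0 + timedelta(minutes=3), "host": "web01", "type": "process_create",
     "parent": "w3wp.exe", "image": "cmd.exe", "user": "IIS APPPOOL\\DefaultAppPool"},
    {"ts": T0 + timedelta(minutes=4), "host": "web01", "type": "process_create",
     "parent": "cmd.exe", "image": "whoami.exe", "user": "IIS APPPOOL\\DefaultAppPool"},
    {"ts": T0 + timedelta(minutes=5), "host": "web01", "type": "process_create",
     "parent": "cmd.exe", "image": "net.exe", "user": "IIS APPPOOL\\DefaultAppPool"},
    {"ts": T0 + timedelta(minutes=20), "host": "web01", "type": "lsass_access",
     "process": "svchost.exe"},   # unexpected LSASS reader, cf. the T1055.012 row
    {"ts": T0, "host": "admin01", "type": "process_create",   # routine, baselined
     "parent": "cmd.exe", "image": "ipconfig.exe", "user": "CORP\\helpdesk"},
]
BASELINE = {"admin01": {"CORP\\helpdesk"}}

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, BASELINE):
        print(f)   # web01 clusters all three categories -> high
```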
Mitigation priorities
- Start with exposure management for Internet-facing Web infrastructure and rapid investigation of unexpected Web server script changes, because MITRE highlights strategic Web compromises and related Web shell use.
- Harden credential access paths: reduce standing privilege, protect administrative credentials, monitor credential dumping behavior, and enforce disciplined privileged access workflows.
- Limit and monitor remote administration and lateral movement channels, including Windows administrative utilities and protocol activity associated with tools such as Impacket.
- Maintain EDR, centralized logging, and retention sufficient to reconstruct activity from Web access through endpoint execution and authentication events.
- Prepare IR playbooks for Web shell discovery, credential compromise, and backdoor/RAT containment, including account resets and scope determination.
Analyst notes and limits
This take is based on the official ATT&CK group description and the supplied relationship context. The most useful defensive signal is the pattern of related software: Web shells, credential dumpers, RATs/backdoors, Cobalt Strike, Impacket, and native utilities. That combination points to the need for cross-domain telemetry correlation across Web, endpoint, identity, and network data.
ATT&CK supplies no official detection text, no tactics, and no platforms on the group object itself. Sector targeting and aliases come from the supplied ATT&CK description and references, but local risk depends on the organization’s exposure, geography, technology stack, and telemetry quality. This summary does not assert current activity, customer exposure, or confirmed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1068 | Exploitation for Privilege Escalation | Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges. (Citation: SecureWorks BRONZE UNION June 2017)(Citation: Profero APT27 December 2020) |
| Enterprise | T1030 | Data Transfer Size Limits | Threat Group-3390 actors have split RAR files for exfiltration into parts. (Citation: Dell TG-3390) |
| Enterprise | T1190 | Exploit Public-Facing Application | Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1046 | Network Service Discovery | Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems. (Citation: Dell TG-3390)(Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1053.002 | At Sub-technique | Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network. (Citation: Dell TG-3390) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | A Threat Group-3390 tool can spawn `svchost.exe` and inject the payload into that process. (Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts. (Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1203 | Exploitation for Client Execution | Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Threat Group-3390 has exfiltrated stolen data to Dropbox. (Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers. (Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Threat Group-3390 has used command-line interfaces for execution. (Citation: SecureWorks BRONZE UNION June 2017)(Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1555.005 | Password Managers Sub-technique | Threat Group-3390 obtained a KeePass database from a compromised host. (Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Threat Group-3390 has used e-mail to deliver malicious attachments to victims. (Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1012 | Query Registry | A Threat Group-3390 tool can read and decrypt stored Registry values. (Citation: Nccgroup Emissary Panda May 2018) |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers. (Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1027.015 | Compression Sub-technique | Threat Group-3390 malware is compressed with LZNT1 compression. (Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Threat Group-3390 has lured victims into opening malicious files containing malware. (Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1033 | System Owner/User Discovery | Threat Group-3390 has used `whoami` to collect system user information. (Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1608.001 | Upload Malware Sub-technique | Threat Group-3390 has hosted malicious payloads on Dropbox. (Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1505.003 | Web Shell Sub-technique | Threat Group-3390 has used a variety of Web shells. (Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Threat Group-3390's malware can add a Registry key to `Software\Microsoft\Windows\CurrentVersion\Run` for persistence. (Citation: Nccgroup Emissary Panda May 2018)(Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit's shikata_ga_nai encoder. (Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Threat Group-3390's malware can create a new service, sometimes naming it after the config information, to gain persistence. (Citation: Nccgroup Emissary Panda May 2018)(Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1199 | Trusted Relationship | Threat Group-3390 has compromised third-party service providers to gain access to victims' environments. (Citation: Profero APT27 December 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Threat Group-3390 actors use NBTscan to discover vulnerable systems. (Citation: Dell TG-3390) |
| Enterprise | T1105 | Ingress Tool Transfer | Threat Group-3390 has downloaded additional malware and tools, including through the use of `certutil`, onto a compromised host. (Citation: Dell TG-3390)(Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework ScanBox to capture keystrokes. (Citation: Dell TG-3390)(Citation: Hacker News LuckyMouse June 2018)(Citation: Securelist LuckyMouse June 2018) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Threat Group-3390 has used PowerShell for execution. (Citation: SecureWorks BRONZE UNION June 2017)(Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1078 | Valid Accounts | Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks. (Citation: Dell TG-3390) |
| Enterprise | T1608.004 | Drive-by Target Sub-technique | Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest. (Citation: Gallagher 2015) |
| Enterprise | T1588.002 | Tool Sub-technique | Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor. (Citation: Unit42 Emissary Panda May 2019)(Citation: Dell TG-3390) |
| Enterprise | T1018 | Remote System Discovery | Threat Group-3390 has used the |
| Enterprise | T1583.001 | Domains Sub-technique | Threat Group-3390 has registered domains for C2. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1189 | Drive-by Compromise | Threat Group-3390 has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390)(Citation: Securelist LuckyMouse June 2018) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit's shikata_ga_nai encoder as well as compressed with LZNT1 compression. (Citation: Securelist LuckyMouse June 2018) |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers. (Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1133 | External Remote Services | Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. (Citation: Dell TG-3390) Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network. (Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1005 | Data from Local System | Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. (Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1087.001 | Local Account Sub-technique | Threat Group-3390 has used |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | Threat Group-3390 has compromised the Able Desktop installer to gain access to victims' environments. (Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges. (Citation: Nccgroup Emissary Panda May 2018) |
| Enterprise | T1119 | Automated Collection | Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. (Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1560.002 | Archive via Library Sub-technique | Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration. (Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1027.002 | Software Packing Sub-technique | Threat Group-3390 has packed malware and tools, including using VMProtect. (Citation: Trend Micro DRBControl February 2020)(Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1588.003 | Code Signing Certificates Sub-technique | Threat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations. (Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1047 | Windows Management Instrumentation | A Threat Group-3390 tool can use WMI to execute a binary. (Citation: Nccgroup Emissary Panda May 2018) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Threat Group-3390 malware has used HTTP for C2. (Citation: Securelist LuckyMouse June 2018) |
| Enterprise | T1070.005 | Network Share Connection Removal Sub-technique | Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection. (Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1021.006 | Windows Remote Management Sub-technique | Threat Group-3390 has used WinRM to enable remote execution. (Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1574.001 | DLL Sub-technique | Threat Group-3390 has performed DLL search order hijacking to execute their payload. (Citation: Nccgroup Emissary Panda May 2018) Threat Group-3390 has also used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as `rc.exe`, a legitimate Microsoft Resource Compiler. (Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)(Citation: Lunghi Iron Tiger Linux) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim. (Citation: SecureWorks BRONZE UNION June 2017)(Citation: Trend Micro DRBControl February 2020) |
| Enterprise | T1685.001 | Disable or Modify Windows Event Log Sub-technique | Threat Group-3390 has used appcmd.exe to disable logging on a victim server. (Citation: SecureWorks BRONZE UNION June 2017) |
| Enterprise | T1608.002 | Upload Tool Sub-technique | Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites. (Citation: Dell TG-3390) |
| Enterprise | T1112 | Modify Registry | A Threat Group-3390 tool has created new Registry keys under `HKEY_CURRENT_USER\Software\Classes\` and `HKLM\SYSTEM\CurrentControlSet\services`. (Citation: Nccgroup Emissary Panda May 2018)(Citation: Trend Micro Iron Tiger April 2021) |
| Enterprise | T1210 | Exploitation of Remote Services | Threat Group-3390 has exploited MS17-010 to move laterally to other systems on the network. (Citation: Unit42 Emissary Panda May 2019) |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration. (Citation: SecureWorks BRONZE UNION June 2017) |
Groups, software, and campaigns
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0096: Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]
S0008: gsecdump
S0013: PlugX
S0073: ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0002: Mimikatz
S0357: Impacket
S0032: gh0st RAT
S0160: certutil
S0020: China Chopper
S0070: HTTPBrowser
HTTPBrowser is malware that has been used by several threat groups. [1] [2] It is believed to be of Chinese origin. [3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 1e505909bbd3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dell TG-3390: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- [2] SecureWorks BRONZE UNION June 2017: Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- [3] Securelist LuckyMouse June 2018: Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
- [4] Trend Micro DRBControl February 2020: Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- [5] APT27: (Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)
- [6] BRONZE UNION: (Citation: SecureWorks BRONZE UNION June 2017)(Citation: Nccgroup Emissary Panda May 2018)
- [7] Earth Smilodon: (Citation: Trend Micro Iron Tiger April 2021)
- [8] Emissary Panda: (Citation: Gallagher 2015)(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)(Citation: Trend Micro Iron Tiger April 2021)
- [9] Gallagher 2015: Gallagher, S. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016.
- [10] Hacker News LuckyMouse June 2018: Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
- [11] Iron Tiger: (Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)
- [12] Linen Typhoon: (Citation: Microsoft Naming Conventions Frequently Updated)
- [13] LuckyMouse: (Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)
- [14] Microsoft Naming Conventions Frequently Updated: Microsoft. (2025, September 8). How Microsoft names threat actors. Retrieved September 10, 2025.
- [15] Nccgroup Emissary Panda May 2018: Pantazopoulos, N. and Henry, T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- [16] TG-3390: (Citation: Dell TG-3390)(Citation: Nccgroup Emissary Panda May 2018)(Citation: Hacker News LuckyMouse June 2018)
- [17] Threat Group-3390: (Citation: Dell TG-3390)(Citation: Hacker News LuckyMouse June 2018)
- [18] Trend Micro Iron Tiger April 2021: Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- [19] Unit42 Emissary Panda May 2019: Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- [20] mitre-attack G0027
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.