Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G0062: TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

EnterpriseG0062GroupObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

TA459 is an ATT&CK group entry with limited official detail, but the relationships make the practical risk clear: the reported activity centers on targeted email attachment delivery, user-assisted execution, client-side exploitation, scripting, and remote access malware such as PlugX, gh0st RAT, NetTraveler, and ZeroT. For leaders, this is less about a single actor name and more about whether the organization can prevent, detect, and respond to targeted document-driven intrusion paths that can lead to remote access on endpoints.

Executive priority

Prioritize validation of controls around email-borne attachments, vulnerable client applications, endpoint scripting, and remote access malware detection. This object is useful for business risk discussions because it links initial access and execution behaviors to tools capable of remote access or surveillance. Executives should ask whether SOC, incident response, email security, endpoint, patching, and user-reporting processes produce defensible evidence for targeted phishing and client-exploitation scenarios.

Technical view

ATT&CK provides no official detection text for TA459, so defenders should pivot from the relationship context. Validate coverage for T1566.001 Spearphishing Attachment, T1204.002 Malicious File, T1203 Exploitation for Client Execution, T1059.001 PowerShell, and T1059.005 Visual Basic. The related software set includes PlugX, gh0st RAT, NetTraveler, and ZeroT, with related platform context primarily including Windows and some macOS/Linux applicability through techniques. SOC teams should test whether email, endpoint, script, process, file, and network telemetry can connect a suspicious attachment to script execution, client application exploitation, payload staging, and remote access behavior.

Likely telemetry

  • Email gateway and mailbox telemetry for attachments, sender metadata, delivery, quarantine, and user interaction
  • Endpoint process creation and command-line telemetry, especially for Office/client applications spawning scripting engines or unusual child processes
  • PowerShell logging and script block/module execution evidence where available
  • Visual Basic/VBScript or macro-related execution evidence where applicable
  • File creation, download, and execution events for document, archive, script, and executable attachments

Detection direction

  • Because ATT&CK provides no TA459-specific detection guidance, build detections around the related techniques and software rather than the group name alone.
  • Correlate spearphishing attachment delivery with endpoint execution chains, especially client applications launching PowerShell, Visual Basic-related interpreters, or unexpected binaries.
  • Tune for false positives from legitimate administration, automation, and business macros; require context such as email origin, file reputation, parent-child process lineage, and unusual network activity.
  • Validate that telemetry exists across the full chain: message delivery, user open action, process execution, script activity, payload write, and outbound communications.
  • Use the related malware names as threat-intelligence pivots, but avoid assuming a match to TA459 without corroborating evidence from multiple behaviors and sources.

Mitigation priorities

  • Reduce attachment risk through email filtering, attachment detonation or analysis, and user reporting workflows for suspicious messages.
  • Harden client applications and prioritize patching for software exposed to document-based exploitation, informed by the external reference to CVE-2017-0199-themed reporting.
  • Constrain and monitor PowerShell and Visual Basic execution, especially when launched from email-delivered files or document viewers.
  • Maintain endpoint protection and response coverage capable of investigating remote access malware families referenced by the ATT&CK relationships.
  • Exercise incident response playbooks for phishing-to-malware scenarios, including mailbox containment, endpoint isolation, credential review, and evidence preservation.
Analyst notes and limits

TA459 is described by ATT&CK as a group believed to operate out of China and reported to have targeted Russia, Belarus, Mongolia, and others, based on the supplied Proofpoint reference. The most decision-useful ATT&CK content here is the relationship set: spearphishing attachments, malicious files, client exploitation, PowerShell, Visual Basic, and several RAT/malware families. Treat this as a coverage-mapping object for targeted attachment intrusion readiness rather than as proof of current exposure or activity.

The supplied ATT&CK object has no official detection text, no object-level platforms or tactics, and limited description. Platform and tactic guidance above is derived only from the supplied related techniques and software. Local telemetry, control configuration, vulnerability exposure, and incident evidence are required before making any claims about detection coverage, compromise, targeting, or attribution.

Official MITRE ATT&CK definition

TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

5 rows
Domain ID Name Relationship / procedure
Enterprise T1566.001 Spearphishing Attachment Sub-technique

TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.CitationProofpoint TA459 April 2017
Enterprise T1203 Exploitation for Client Execution

TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.CitationProofpoint TA459 April 2017
Enterprise T1059.005 Visual Basic Sub-technique

TA459 has a VBScript for execution.CitationProofpoint TA459 April 2017
Enterprise T1204.002 Malicious File Sub-technique

TA459 has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing.CitationProofpoint TA459 April 2017
Enterprise T1059.001 PowerShell Sub-technique

TA459 has used PowerShell for execution of a payload.CitationProofpoint TA459 April 2017
Associated objects

Groups, software, and campaigns

Malware Enterprise

S0033: NetTraveler

NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. [1]

Windows
Relationship explorer

All related ATT&CK context

uses · Malware S0032: gh0st RAT Enterprise uses · Malware S0033: NetTraveler Enterprise uses · Malware S0013: PlugX Enterprise uses · Technique T1566.001: Spearphishing Attachment Enterprise uses · Technique T1203: Exploitation for Client Execution Enterprise uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1204.002: Malicious File Enterprise uses · Malware S0230: ZeroT Enterprise uses · Technique T1059.001: PowerShell Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
a8ddac539f482def...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle a8ddac539f48…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Proofpoint TA459 April 2017

    Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.

    Open source URL
  2. [2]
    TA459

    (Citation: Proofpoint TA459 April 2017)

  3. [3]
    mitre-attack G0062
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use