MITRE ATT&CK® Group

G0066: Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]

Domain: Enterprise | ID: G0066 | Type: Group | Object version: 1.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Elderwood matters as an espionage-oriented intrusion set historically associated in ATT&CK with Operation Aurora and targeting defense organizations, supply chain manufacturers, human rights/NGO organizations, and IT service providers. For leaders, the practical issue is not only a named group, but the pattern: targeted initial access through phishing links/attachments and drive-by compromise, followed by client-side exploitation, tool transfer, obfuscation, and Windows backdoor/RAT malware in the related software set.

Executive priority

Prioritize this as a readiness benchmark for targeted intrusion risk against sensitive business relationships, intellectual property, regulated evidence, and third-party service dependencies. Executives should ask whether high-risk users and externally exposed browsing/email paths have tested controls for spearphishing, malicious files/links, drive-by compromise, client application exploitation, ingress tool transfer, and backdoor detection. Because ATT&CK provides no official detection text for this group, coverage should be proven through local telemetry validation and incident-response exercises rather than assumed from the group name.

Technical view

ATT&CK relationships connect Elderwood to initial-access and execution behaviors including Spearphishing Attachment, Spearphishing Link, Drive-by Compromise, Malicious Link, Malicious File, and Exploitation for Client Execution. Follow-on behaviors include Ingress Tool Transfer and obfuscation through Software Packing and Encrypted/Encoded File. Related software includes PoisonIvy, Hydraq, Briba, Naid, Wiarp, Vasport, Pasam, Nerex, and Linfo; the software relationships identify Windows for those tools, while the group object itself does not specify platforms. SOC and IR teams should validate end-to-end visibility from email/web entry points through endpoint process, file, memory, and network activity associated with backdoor establishment and tool download behavior.

Likely telemetry

  • Email security logs for targeted messages, attachments, URLs, sender metadata, and user click/open events
  • Web proxy, DNS, and secure web gateway logs for drive-by or malicious-link navigation and file downloads
  • Endpoint detection telemetry for file creation, process execution, parent-child process chains, script/application launches, and suspicious client-application behavior
  • Malware prevention or sandbox results for packed, encrypted, or encoded executable/content artifacts
  • Network connection logs for outbound command-and-control-like sessions and external tool transfer activity

Detection direction

  • Do not rely on a single Elderwood signature; ATT&CK supplies no official detection guidance for this group and several related tools are described as used by many groups or by other actors in later campaigns.
  • Correlate email or web delivery events with endpoint execution, client exploitation symptoms, new file writes, and outbound network activity to reduce false positives from normal browsing and legitimate downloads.
  • Tune analytics for packed or encoded files carefully; compression, installers, and protected commercial software can be benign, so detections should use behavioral context and reputation where available.
  • Validate whether phishing-link and attachment controls produce usable SOC evidence, not just blocking decisions, especially for high-risk roles and organizations matching the cited target categories.
  • Hunt for ingress tool transfer after a suspected initial access event, including externally sourced downloads followed by execution or backdoor-like network behavior.
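As an added illustration of the correlation the list above calls for (not code from Glexia or MITRE), the following Python joins a delivery event with endpoint execution and outbound network activity on the same host inside a time window, and stays quiet for a lone download. Event records, field names and kinds are constructed assumptions, not any product's real log schema.

```python
# Added example, not from the ATT&CK object or Glexia's page: correlate a delivery event
# with endpoint execution and outbound network activity on the same host inside a time
# window. Records and field names are constructed assumptions, not a real log schema.
from datetime import datetime, timedelta

# Technique IDs from this page's relationship table, keyed by how the content arrived.
DELIVERY = {"email_attachment": ["T1566.001", "T1204.002"],
            "email_link": ["T1566.002", "T1204.001"],
            "web_download": ["T1189"]}

def correlate(events, window=timedelta(minutes=30)):
    """One finding per delivery event followed, on the same host and within `window`,
    by both a process execution and an outbound connection."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    findings = []
    for host, evs in by_host.items():
        for i, d in enumerate(evs):
            if d["kind"] not in DELIVERY:
                continue
            t0 = datetime.fromisoformat(d["ts"])
            later = [e for e in evs[i + 1:]
                     if datetime.fromisoformat(e["ts"]) - t0 <= window]
            stages = {e["kind"] for e in later}
            # A lone download is normal browsing; require execution plus egress.
            if {"process_exec", "net_out"} <= stages:
                findings.append({"host": host, "user": d["user"],
                                 "techniques": DELIVERY[d["kind"]], "stages": sorted(stages),
                                 "evidence": [e["detail"] for e in [d] + later]})
    return findings

# Constructed sample telemetry: one suspicious chain on ws-17, one benign download on ws-22.
SAMPLE = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "user": "j.doe",
     "kind": "email_attachment", "detail": "opened attachment review.pdf"},
    {"ts": "2024-05-01T09:03:10", "host": "ws-17", "user": "j.doe",
     "kind": "file_write", "detail": "AcroRd32.exe wrote %TEMP%\\upd.exe"},
    {"ts": "2024-05-01T09:03:15", "host": "ws-17", "user": "j.doe",
     "kind": "process_exec", "detail": "upd.exe started, parent AcroRd32.exe"},
    {"ts": "2024-05-01T09:04:02", "host": "ws-17", "user": "j.doe",
     "kind": "net_out", "detail": "upd.exe -> 203.0.113.25:443"},
    {"ts": "2024-05-01T10:00:00", "host": "ws-22", "user": "a.lee",
     "kind": "web_download", "detail": "browser saved setup.msi from vendor.example"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["host"], f["user"], f["techniques"], f["stages"])
```

The finding carries the delivery technique IDs plus the observed follow-on stages; the ws-22 download alone produces nothing, which is the false-positive reduction the second bullet describes.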

Mitigation priorities

  • Start with exposure reduction for the initial-access paths: hardened email filtering, URL inspection, attachment analysis, and user-reporting workflows for targeted phishing.
  • Maintain aggressive patch and configuration management for browsers, document readers, office software, and other client applications implicated by client-side exploitation.
  • Restrict and monitor execution of downloaded files, attachments, and scripts through application control, least privilege, and endpoint protection where feasible.
  • Improve egress monitoring and control so unusual outbound connections and tool transfers from user workstations are visible and triageable.
  • Prepare IR playbooks for suspected backdoor/RAT compromise, including host isolation, credential review, malware collection, and scoping across similarly targeted users or business units.

Analyst notes and limits

The supplied ATT&CK object identifies Elderwood aliases, suspected Chinese espionage reporting, cited historical targeting, and relationships to specific software and techniques. The strongest defensive value comes from using those relationships as a control-validation checklist for targeted intrusion readiness across email, web, endpoint, and network telemetry.

Official detection is not provided, group-level platforms and tactics are not specified, and the source material is historical. Related software platforms are Windows, but the associated techniques include broader platforms; local asset data is required to decide actual coverage. This summary does not assert current activity, confirmed attribution, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
  Elderwood has encrypted documents and malicious executables. (Citation: Symantec Elderwood Sept 2012)

Enterprise | T1204.002 | Malicious File (sub-technique)
  Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise | T1566.002 | Spearphishing Link (sub-technique)
  Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
  Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise | T1204.001 | Malicious Link (sub-technique)
  Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise | T1189 | Drive-by Compromise
  Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012) (Citation: Security Affairs Elderwood Sept 2012)

Enterprise | T1203 | Exploitation for Client Execution
  Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits. (Citation: Symantec Elderwood Sept 2012)

Enterprise | T1105 | Ingress Tool Transfer
  The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location. (Citation: Symantec Ristol May 2012)

Enterprise | T1027.002 | Software Packing (sub-technique)
  Elderwood has packed malware payloads before delivery to victims. (Citation: Symantec Elderwood Sept 2012)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.3
Created:
Modified:
Raw hash: c29c0eb3d8a92de3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.3 | | Current bundle | c29c0eb3d8a9…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Security Affairs Elderwood Sept 2012
      Paganini, P. (2012, September 9). Elderwood project, who is behind Op. Aurora and ongoing attacks? Retrieved February 13, 2018.

  [2] Symantec Elderwood Sept 2012
      O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.

  [3] CSM Elderwood Sept 2012
      Clayton, M. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.

  [4] Beijing Group
      (Citation: CSM Elderwood Sept 2012)

  [5] Elderwood
      (Citation: Security Affairs Elderwood Sept 2012) (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

  [6] Elderwood Gang
      (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

  [7] Sneaky Panda
      (Citation: CSM Elderwood Sept 2012)

  [8] mitre-attack G0066

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.