MITRE ATT&CK® Group

G0098: BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]

Domain: Enterprise | ID: G0098 | Type: Group | Object version: 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

BlackTech matters because ATT&CK describes it as a long-running suspected cyber espionage group using a mix of custom malware, dual-use tools, and living-off-the-land behavior against organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, and the US. For executives, the decision value is not the name alone: it is whether the organization can withstand targeted initial access through phishing or public-facing applications, recognize legitimate admin-tool abuse such as PsExec, and investigate custom Windows malware/RAT activity without relying only on commodity indicators.

Executive priority

Prioritize BlackTech as a threat-informed validation scenario if the business operates in or depends on East Asia, the US, or the sectors named in the ATT&CK description (media, construction, engineering, electronics, finance) and, from the related software context (Flagpro), defense and communications companies in Japan. Leaders should ask whether email security, public-facing application exposure management, endpoint visibility, certificate trust controls, and lateral movement monitoring produce audit-ready evidence. The business risk is espionage-oriented compromise that may remain operationally quiet while affecting confidentiality, partner trust, incident response cost, and resilience of critical business networks.

Technical view

ATT&CK provides no official detection text for the group, so SOC and IR teams should build coverage from the relationship context. Validate controls and telemetry around initial access via Spearphishing Attachment, Spearphishing Link, and Exploit Public-Facing Application; execution through Malicious File, Malicious Link, Exploitation for Client Execution, Native API, and DLL abuse; discovery via Network Service Discovery; lateral movement via SSH and PsExec; and resource-development indicators involving tools, code-signing certificates, and digital certificates. Related Windows malware/software includes PLEAD, TSCookie, Kivars, Waterbear, Flagpro, and PsExec. Treat PsExec and SSH carefully because they are legitimate administrative mechanisms as well as adversary tradecraft.

Likely telemetry

  • Email gateway and collaboration-suite logs for targeted attachments, links, sender patterns, and user click/open events
  • Endpoint process, module/DLL load, file creation, script, and command-line telemetry on Windows, Linux, and macOS where related techniques apply
  • Windows service creation, remote execution, and administrative share activity relevant to PsExec-like behavior
  • SSH authentication, session, source/destination, and command/audit logs for Linux, macOS, and ESXi environments where SSH is enabled
  • Network flow, DNS, proxy, TLS certificate, and egress telemetry to support investigation of RAT/downloaders and hidden or unusual network behavior

Detection direction

  • Map detections to the specific ATT&CK relationships rather than to the group name alone; the supplied object has no official detection guidance.
  • Tune for combinations: phishing delivery followed by user execution, unusual child processes, DLL abuse, downloader/RAT behavior, network discovery, and remote movement.
  • Baseline legitimate PsExec and SSH administration so alerts can focus on unusual source hosts, destinations, timing, accounts, or service creation patterns.
  • Review blind spots around signed binaries and trusted certificates, because the relationship context includes code-signing certificates and digital certificates as adversary resources.
  • For public-facing applications, correlate exploit attempts with subsequent process creation, outbound connections, credential use, or lateral movement.
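As an added example (not part of the Glexia take or the ATT&CK object), the following Python checks the right-to-left-override filename trick listed under T1036.002 against constructed email-gateway log lines: it recovers the filename as stored, approximates the name a user would see, and flags attachments whose displayed extension differs from the one that would actually run. The log format, message ids and sender addresses are assumptions.

```python
import re

# Unicode bidi controls that can change how a filename is drawn; U+202E
# (RIGHT-TO-LEFT OVERRIDE) is the one used to disguise attachment names.
RLO = "\u202e"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", RLO, "\u2066", "\u2067", "\u2068", "\u2069"}

# Constructed gateway log lines (not real data); the third attachment name has
# an RLO before "fdp.exe", so a viewer draws it as "invoiceexe.pdf".
SAMPLE_LOG = [
    'ts=2024-05-02T08:14:02Z msg_id=a1 from=hr@partner.example attachment="agenda.docx"',
    'ts=2024-05-02T08:15:10Z msg_id=a2 from=ops@vendor.example attachment="q2-report.zip"',
    'ts=2024-05-02T08:16:44Z msg_id=a3 from=news@tele.example attachment="invoice\u202efdp.exe"',
]
ATTACH_RE = re.compile(r'msg_id=(\S+).*?attachment="([^"]*)"')

def strip_bidi(name):
    """The name as the filesystem stores it, without bidi control characters."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)

def rendered_name(name):
    """Approximate what a user sees (simplified bidi model): the text after the
    first RLO is drawn reversed and the control itself is invisible."""
    i = name.find(RLO)
    if i < 0:
        return strip_bidi(name)
    return strip_bidi(name[:i]) + strip_bidi(name[i + 1:])[::-1]

def extension(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    return name[name.rfind("."):].lower() if "." in name else ""

def check_attachment(name):
    """Compare the extension a user would see with the one that will execute."""
    stored, shown = strip_bidi(name), rendered_name(name)
    real_ext, shown_ext = extension(stored), extension(shown)
    return {"stored": stored, "rendered": shown, "real_ext": real_ext, "shown_ext": shown_ext,
            "suspicious": stored != name or real_ext != shown_ext}

def scan_gateway_log(lines):
    """Return (msg_id, finding) for each log line whose attachment name is disguised."""
    alerts = []
    for line in lines:
        m = ATTACH_RE.search(line)
        if m:
            finding = check_attachment(m.group(2))
            if finding["suspicious"]:
                alerts.append((m.group(1), finding))
    return alerts
```

The rendering model is deliberately simplified; a production check should also treat any bidi control in an attachment name as reportable, which the `stored != name` condition does.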

Mitigation priorities

  • Start with exposure reduction: inventory and patch Internet-facing applications, restrict unnecessary exposed services, and validate logging on externally reachable systems.
  • Harden email and user-execution paths with attachment/link inspection, safe handling of risky file types, and user reporting workflows, while measuring whether events reach the SOC.
  • Constrain lateral movement by limiting administrative tool use, controlling PsExec-like remote execution, hardening SSH access, enforcing least privilege, and segmenting critical systems.
  • Strengthen endpoint controls for DLL abuse, suspicious downloader/RAT execution, and unusual process/module activity, especially on Windows systems referenced by related software.
  • Implement certificate governance: monitor trusted code-signing usage and certificate anomalies, and avoid assuming signed or TLS-protected activity is benign.

Analyst notes and limits

This take is derived from the supplied ATT&CK group object, external references, and stated relationships. The strongest defensive value is using BlackTech as a threat-informed scenario for espionage-style intrusions that blend custom malware with legitimate tools and living-off-the-land behavior. Local relevance depends on geography, sector, exposed services, identity architecture, and telemetry maturity.

The ATT&CK group object lists no platforms or tactics directly and provides no official detection section. Platform and tactic guidance here is inferred only from supplied related techniques and software. The references support historical reporting and aliases, but this output does not claim current activity, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (14 rows)

Enterprise | T1566.002 | Spearphishing Link (sub-technique)
BlackTech has used spearphishing e-mails with links to cloud services to deliver malware. (Citation: TrendMicro BlackTech June 2017)

Enterprise | T1204.001 | Malicious Link (sub-technique)
BlackTech has used e-mails with malicious links to lure victims into installing malware. (Citation: TrendMicro BlackTech June 2017)

Enterprise | T1588.003 | Code Signing Certificates (sub-technique)
BlackTech has used stolen code-signing certificates for its malicious payloads. (Citation: Symantec Palmerworm Sep 2020)

Enterprise | T1046 | Network Service Discovery
BlackTech has used the SNScan tool to find other potential targets on victim networks. (Citation: Symantec Palmerworm Sep 2020)

Enterprise | T1588.002 | Tool (sub-technique)
BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations. (Citation: Symantec Palmerworm Sep 2020)

Enterprise | T1190 | Exploit Public-Facing Application
BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server. (Citation: TrendMicro BlackTech June 2017)

Enterprise | T1021.004 | SSH (sub-technique)
BlackTech has used Putty for remote access. (Citation: Symantec Palmerworm Sep 2020)

Enterprise | T1106 | Native API
BlackTech has used built-in API functions. (Citation: IronNet BlackTech Oct 2021)

Enterprise | T1203 | Exploitation for Client Execution
BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119. (Citation: TrendMicro BlackTech June 2017)

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware. (Citation: TrendMicro BlackTech June 2017; NTT Security Flagpro new December 2021)

Enterprise | T1036.002 | Right-to-Left Override (sub-technique)
BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments. (Citation: TrendMicro BlackTech June 2017)

Enterprise | T1574.001 | DLL (sub-technique)
BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories. (Citation: Trend Micro Waterbear December 2019)

Enterprise | T1204.002 | Malicious File (sub-technique)
BlackTech has used e-mails with malicious documents to lure victims into installing malware. (Citation: TrendMicro BlackTech June 2017; NTT Security Flagpro new December 2021)

Enterprise | T1588.004 | Digital Certificates (sub-technique)
BlackTech has used valid, stolen digital certificates for some of their malware and tools. (Citation: ESET PLEAD Malware July 2018)

Associated objects

Groups, software, and campaigns

Malware (Enterprise) | S0435: PLEAD | Platform: Windows

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[1][2] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[3][2]

Tool (Enterprise) | S0029: PsExec | Platform: Windows

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[1][2]

Malware (Enterprise) | S0696: Flagpro | Platform: Windows

Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.[1]

Malware (Enterprise) | S0579: Waterbear | Platform: Windows

Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Raw hash: 18585c51b455ff4d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 18585c51b455…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] TrendMicro BlackTech June 2017: Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech's Cyber Espionage Campaigns. Retrieved May 5, 2020.
  [2] Symantec Palmerworm Sep 2020: Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
  [3] Reuters Taiwan BlackTech August 2020: Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022.
  [4] IronNet BlackTech Oct 2021: Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.
  [5] Palmerworm (associated group name): (Citation: Symantec Palmerworm Sep 2020) (Citation: IronNet BlackTech Oct 2021)
  [6] mitre-attack G0098

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.