G0114: Chimera
Analyst context for executives and security teams
Chimera is an ATT&CK group entry for a suspected China-based threat group reported as active since at least 2018, with targeting described against Taiwan’s semiconductor industry and airline-industry data. The decision value for defenders is not a single indicator list; it is the pattern of related behaviors: credential access against Active Directory, discovery, lateral movement over common Windows administration paths, collection from network shares, and exfiltration over an existing command-and-control channel.
Executive priority
Treat this as a resilience and crown-jewel protection scenario for environments where intellectual property, manufacturing know-how, airline data, or sensitive shared-drive content are material. Leaders should ask whether privileged identity monitoring, domain controller protection, remote administration governance, network share access review, and exfiltration visibility are evidenced in practice, not just documented as policy.
Technical view
MITRE provides no official detection text and no group-level platform list for Chimera. However, the supplied relationships point to Windows and Active Directory-heavy tradecraft: Mimikatz, NTDS access, BloodHound, PsExec, Net, WMI, RDP, SMB/admin shares, WinRM, scheduled tasks, discovery commands, command obfuscation, shared-drive collection, and exfiltration over C2. SOC and IR teams should validate detection coverage across identity, endpoint, domain controller, remote service, and network telemetry, with special attention to legitimate administration tools that can be abused.
Likely telemetry
- Domain controller security events and monitoring for access or copying of NTDS.dit and related credential material
- Endpoint process creation and command-line logs for tools and utilities such as Mimikatz, PsExec, Net, esentutl, WMI, schtasks, and discovery commands
- Windows remote access logs for RDP, SMB/admin shares, and WinRM activity
- Active Directory object, group, session, and relationship queries that may align with BloodHound-style reconnaissance
- Network share access logs and file access auditing for sensitive repositories
Detection direction
- Do not rely on tool-name matching alone; several related behaviors use legitimate administration utilities and protocols that require context, baselining, and privilege-aware analytics.
- Correlate credential access signals with subsequent remote service use, lateral movement, scheduled task creation, network share access, and unusual egress.
- Prioritize domain controllers, administrator workstations, file servers, and systems with access to sensitive industry data for higher-fidelity logging and alert review.
- Tune for abnormal use of PsExec, WMI, WinRM, RDP, SMB/admin shares, Net, and esentutl by account, host, time, and peer system rather than treating every administrative use as malicious.
- Account for command obfuscation and legitimate-looking resource names or locations, which can reduce the value of simple string signatures.
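The two detection ideas above (correlate a credential-access signal with follow-on remote-service use, and baseline dual-use admin tools per account and host instead of alerting on every launch) as a worked example. This is an added illustration, not code from the page, from MITRE, or from either cited report; the event records, hostnames, accounts, field names and the event-kind labels are all constructed, and a real deployment would map them onto your own EDR or Windows event schema.

```python
"""Correlate credential-access signals with later remote-service use by the
same account, and flag admin-tool launches that fall outside a per-(account,
host) baseline. Added example; every record and field name below is constructed."""
from datetime import datetime, timedelta

# Utilities whose launch is a credential-access signal when NTDS data is involved.
CRED_ACCESS_TOOLS = {"ntdsutil.exe", "esentutl.exe"}
# Dual-use administration tools to baseline rather than block on sight.
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "winrs.exe", "net.exe", "net1.exe", "schtasks.exe"}
# Constructed event-kind labels standing in for RDP, WinRM, admin-share and service telemetry.
REMOTE_EVENTS = {"rdp_logon", "winrm_session", "smb_admin_share", "service_install"}

# Constructed sample telemetry: a benign admin action, an NTDS copy on a DC, a WinRM
# session by the same service account 35 minutes later, a first-ever PsExec launch by
# an admin, and an RDP logon two days on (outside the correlation window).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "WS-ADMIN01", "user": "CORP\\jsmith",
     "event": "process", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use \\\\FS01\\share"},
    {"ts": "2024-03-01T09:05:00", "host": "DC01", "user": "CORP\\svc-backup",
     "event": "process", "image": "C:\\Windows\\System32\\esentutl.exe",
     "cmdline": "esentutl.exe /y C:\\Windows\\NTDS\\ntds.dit /d C:\\Temp\\n.dit"},
    {"ts": "2024-03-01T09:40:00", "host": "FS01", "user": "CORP\\svc-backup",
     "event": "winrm_session", "source_host": "DC01"},
    {"ts": "2024-03-01T10:00:00", "host": "WS-ADMIN01", "user": "CORP\\jsmith",
     "event": "process", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\FS01 cmd"},
    {"ts": "2024-03-03T09:10:00", "host": "FS01", "user": "CORP\\svc-backup",
     "event": "rdp_logon", "source_host": "WS-ADMIN01"},
]

# (account, host, tool) tuples seen during a learning period; constructed.
BASELINE = {("CORP\\jsmith", "WS-ADMIN01", "net.exe")}


def parse_ts(s):
    return datetime.fromisoformat(s)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_cred_access(ev):
    """True for file access to ntds.dit, or a process launch of an NTDS-capable
    utility or any command line that names ntds.dit."""
    if ev["event"] == "file_access":
        return ev.get("path", "").lower().endswith("ntds.dit")
    if ev["event"] == "process":
        return (basename(ev["image"]) in CRED_ACCESS_TOOLS
                or "ntds.dit" in ev["cmdline"].lower())
    return False


def correlate(events, window=timedelta(hours=24)):
    """Return (credential_event, remote_event) pairs where the same account used a
    remote service within `window` after a credential-access signal."""
    ordered = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(ordered):
        if not is_cred_access(ev):
            continue
        t0 = parse_ts(ev["ts"])
        for later in ordered[i + 1:]:
            if (later["event"] in REMOTE_EVENTS and later["user"] == ev["user"]
                    and parse_ts(later["ts"]) - t0 <= window):
                hits.append((ev, later))
    return hits


def new_admin_tool_use(events, baseline):
    """Flag admin-tool launches whose (account, host, tool) tuple is not in the baseline."""
    flagged = []
    for ev in events:
        if ev["event"] != "process":
            continue
        tool = basename(ev["image"])
        if tool in ADMIN_TOOLS and (ev["user"], ev["host"], tool) not in baseline:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for cred, remote in correlate(EVENTS):
        print(f"CHAIN  {cred['user']}: {basename(cred['image'])} on {cred['host']} "
              f"-> {remote['event']} on {remote['host']} at {remote['ts']}")
    for ev in new_admin_tool_use(EVENTS, BASELINE):
        print(f"NEW TOOL USE  {ev['user']} ran {basename(ev['image'])} on {ev['host']}")
```

The `esentutl.exe` launch on its own is ambiguous (backups use it too); what raises priority here is the same service account opening a WinRM session on a file server shortly afterwards, and the separate baseline check surfaces the admin's first PsExec launch without alerting on the `net use` that account performs routinely.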
Mitigation priorities
- Harden and monitor Active Directory and domain controllers first, including privileged account use, credential dumping resistance, and access to NTDS-related data.
- Restrict and govern remote administration channels such as RDP, SMB/admin shares, WinRM, WMI, and PsExec-style execution to authorized admins, systems, and management paths.
- Review permissions on sensitive network shares and reduce broad access to business-critical data repositories.
- Improve endpoint and identity telemetry coverage before relying on detections for dual-use tools and built-in utilities.
- Segment high-value engineering, manufacturing, identity, and file-server environments where business impact would be high.
Analyst notes and limits
The ATT&CK object identifies Chimera as a suspected China-based group and cites public reporting from Cycraft and NCC Group. Relationship context supplies the main defensive value: the group is linked to credential dumping, AD reconnaissance, discovery, lateral movement, collection, and exfiltration behaviors. This take intentionally avoids asserting current activity, customer exposure, or guaranteed detection coverage.
Group-level platforms, tactics, labels, and official detection guidance are not specified in the supplied object. Some related techniques list non-Windows platforms, but the most concrete relationship context here is Windows and Active Directory-oriented. Local environment architecture, logging maturity, and business data locations are necessary to determine actual risk and coverage.
Chimera
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1574.001 | DLL Sub-technique | Chimera has used side loading to place malicious DLLs in memory. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | Chimera has staged stolen data on designated servers in the target environment. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script |
| Enterprise | T1569.002 | Service Execution Sub-technique | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Chimera has used Cobalt Strike C2 beacons for data exfiltration. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1078 | Valid Accounts | Chimera has used a valid account to maintain persistence via scheduled task. (Citation: Cycraft Chimera April 2020) |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | Chimera has dumped password hashes for use in pass the hash authentication attacks. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Chimera has used HTTPS for C2 communications. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1106 | Native API | Chimera has used direct Windows system calls by leveraging Dumpert. (Citation: Cycraft Chimera April 2020) |
| Enterprise | T1556.001 | Domain Controller Authentication Sub-technique | |
| Enterprise | T1071.004 | DNS Sub-technique | Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1482 | Domain Trust Discovery | Chimera has |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts. (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1021.006 | Windows Remote Management Sub-technique | Chimera has used WinRM for lateral movement. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1083 | File and Directory Discovery | Chimera has utilized multiple commands to identify data of interest in file and directory listings. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1087.002 | Domain Account Sub-technique | Chimera has used |
| Enterprise | T1057 | Process Discovery | Chimera has used |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Chimera has used Windows admin shares to move laterally. (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features. (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1003.003 | NTDS Sub-technique | Chimera has gathered the SYSTEM registry and ntds.dit files from target systems. (Citation: Cycraft Chimera April 2020) Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Chimera has staged stolen data locally on compromised hosts. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1213.002 | Sharepoint Sub-technique | Chimera has collected documents from the victim's SharePoint. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1135 | Network Share Discovery | Chimera has used |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe. (Citation: Cycraft Chimera April 2020) |
| Enterprise | T1570 | Lateral Tool Transfer | Chimera has copied tools between compromised hosts using SMB. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1007 | System Service Discovery | Chimera has used |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Chimera has encoded PowerShell commands. (Citation: Cycraft Chimera April 2020) |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | Chimera has cleared event logs on compromised hosts. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1046 | Network Service Discovery | Chimera has used the |
| Enterprise | T1033 | System Owner/User Discovery | Chimera has used the |
| Enterprise | T1087.001 | Local Account Sub-technique | Chimera has used |
| Enterprise | T1572 | Protocol Tunneling | Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | Chimera has used compromised domain accounts to gain access to the target environment. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1069.001 | Local Groups Sub-technique | Chimera has used |
| Enterprise | T1124 | System Time Discovery | Chimera has used |
| Enterprise | T1201 | Password Policy Discovery | Chimera has used the NtdsAudit utility to collect information related to accounts and passwords. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1049 | System Network Connections Discovery | Chimera has used |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Chimera has performed file deletion to evade detection. (Citation: Cycraft Chimera April 2020) |
| Enterprise | T1110.003 | Password Spraying Sub-technique | Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | Chimera has harvested data from victim's e-mail including through execution of |
| Enterprise | T1039 | Data from Network Shared Drive | Chimera has collected data of interest from network shares. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1119 | Automated Collection | Chimera has used custom DLLs for continuous retrieval of data from memory. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1133 | External Remote Services | Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services. (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1110.004 | Credential Stuffing Sub-technique | Chimera has used credential stuffing against victim's remote services to obtain valid accounts. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1680 | Local Storage Discovery | Chimera has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | Chimera has harvested data from remote mailboxes including through execution of |
| Enterprise | T1012 | Query Registry | Chimera has queried Registry keys using |
| Enterprise | T1588.002 | Tool Sub-technique | Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec. (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Chimera has exfiltrated stolen data to OneDrive accounts. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1070.006 | Timestomp Sub-technique | Chimera has used a Windows version of the Linux |
| Enterprise | T1018 | Remote System Discovery | Chimera has utilized various scans and queries to find domain controllers and remote services in the target environment. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1589.001 | Credentials Sub-technique | Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1047 | Windows Management Instrumentation | Chimera has used WMIC to execute remote commands. (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Chimera has used RDP to access targeted systems. (Citation: Cycraft Chimera April 2020) |
| Enterprise | T1111 | Multi-Factor Authentication Interception | Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS. (Citation: NCC Group Chimera January 2021) |
| Enterprise | T1217 | Browser Information Discovery | Chimera has used |
| Enterprise | T1105 | Ingress Tool Transfer | Chimera has remotely copied tools and malware onto targeted systems. (Citation: Cycraft Chimera April 2020) |
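Two rows in the table, T1027.010 (encoded PowerShell commands) and T1036.005 (malware and WinRAR renamed to names such as GoogleUpdate.exe and jucheck.exe), defeat plain string signatures, so an analyst wants to normalise before matching. The following added example (not code from the page, MITRE or the cited reports) decodes an `-EncodedCommand` argument back to readable script and compares a process's on-disk name against the `OriginalFileName` field that Sysmon-style process events carry; the process records, paths and the constructed script are made up for the demonstration.

```python
"""Normalise process-creation events before matching: decode PowerShell
-EncodedCommand payloads and flag binaries whose on-disk name differs from the
PE's OriginalFileName. Added example; all records below are constructed."""
import base64

# Constructed script used to build the sample encoded command line.
SCRIPT = r"Get-ChildItem \\FS01\share -Recurse"
ENC = base64.b64encode(SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style process events: a renamed archiver, an encoded
# PowerShell launch, and a legitimately named updater for contrast.
PROCESS_EVENTS = [
    {"image": "C:\\Users\\Public\\jucheck.exe", "original_filename": "WinRAR.exe",
     "cmdline": "jucheck.exe a out.rar D:\\docs"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "original_filename": "PowerShell.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "original_filename": "GoogleUpdate.exe", "cmdline": "GoogleUpdate.exe /c"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries -EncodedCommand
    (PowerShell accepts any unambiguous prefix such as -e or -enc, plus -ec, and
    a leading '/' instead of '-'); the payload is base64 of UTF-16LE text."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if flag.startswith("/"):
            flag = "-" + flag[1:]
        if flag == "-ec" or (len(flag) >= 2 and "-encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def masquerade_mismatch(ev):
    """True when the launched file's name differs from its compiled OriginalFileName."""
    orig = ev.get("original_filename", "").lower()
    if not orig or orig == "?":
        return False
    return basename(ev["image"]) != orig


def review(events):
    """Produce findings for renamed binaries and encoded PowerShell."""
    findings = []
    for ev in events:
        if masquerade_mismatch(ev):
            findings.append({"kind": "renamed_binary", "image": ev["image"],
                             "detail": ev["original_filename"]})
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            findings.append({"kind": "encoded_powershell", "image": ev["image"],
                             "detail": decoded})
    return findings


if __name__ == "__main__":
    for f in review(PROCESS_EVENTS):
        print(f"{f['kind']:18} {f['image']}  ->  {f['detail']}")
```

Once the script is decoded, the same share-enumeration and NTDS-related patterns used elsewhere in detection can be matched against the plain text, and the `OriginalFileName` comparison catches the renamed archiver regardless of which legitimate-looking name it was given. A compiled binary can carry any `OriginalFileName` the author chooses, so treat a mismatch as a triage prompt rather than proof of tampering.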
Groups, software, and campaigns
S0029: PsExec
S0521: BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]
S0404: esentutl
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0002: Mimikatz
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | eb158edec1e6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cycraft Chimera April 2020: Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- [2] NCC Group Chimera January 2021: Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
- [3] Chimera: (Citation: NCC Group Chimera January 2021)
- [4] mitre-attack G0114
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.