MITRE ATT&CK® Group

G0136: IndigoZebra

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.[1][2][3]

Domain: Enterprise | ID: G0136 | Type: Group | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

IndigoZebra is useful as a planning reference for targeted, espionage-style activity against government entities in Central Asia. Its ATT&CK relationships show reliance on spearphishing attachments (password-protected RAR archives in the cited reporting), user-executed malicious files, acquired and compromised infrastructure, and Windows backdoor/RAT tooling such as BoxCaon, xCaon, and PoisonIvy. For leaders, the decision value is not broad alarm; it is confirming that email security, endpoint visibility, and network monitoring can handle a targeted file-based intrusion attempt and the follow-on tool transfer.

Executive priority

Prioritize this object when the organization has government, diplomatic, regional, or partner exposure related to Central Asia, or when executives need evidence that targeted phishing and malware response controls are operational. Key governance questions: Are high-risk users protected and rehearsed for suspicious attachments? Can the SOC prove visibility from email delivery through endpoint execution and outbound command-and-control-like traffic? Does incident response have a playbook for suspected espionage intrusion where dwell time and data sensitivity matter?

Technical view

ATT&CK provides no detection section for IndigoZebra, so coverage has to be validated through the related techniques and software. Test the defensive chain from T1566.001 Spearphishing Attachment to T1204.002 Malicious File execution, with attention to Windows endpoints because the related BoxCaon, xCaon, and PoisonIvy software entries are Windows-associated. Two details from the cited reporting matter for that test: the attachments were password-protected RAR archives, which a detonation sandbox cannot open unless the gateway recovers the password from the message body, and the sending accounts were compromised legitimate mailboxes (T1586.002), so sender reputation on its own is not a reliable suppression signal. Also validate monitoring for T1105 Ingress Tool Transfer and for the resource-development context on this page: domains styled after official government domains, Dropbox accounts, compromised email accounts, and open-source tools such as NBTscan and Meterpreter. Detection engineering should correlate email attachment events, user execution, new or unusual files, process activity, and outbound web/DNS/proxy activity rather than relying on a single indicator.

Likely telemetry

  • Email security logs for inbound messages, senders, attachments, attachment detonation results, and user delivery/click/open events
  • Endpoint telemetry for file creation, process execution, script or document-spawned child processes, and suspicious binaries on Windows systems
  • Network telemetry including DNS, proxy, firewall, and HTTP/S metadata for newly observed or unusual external domains and web services
  • EDR or host logs showing downloads or transfers of additional tools after initial compromise
  • Threat intelligence and case-management records mapping observed infrastructure, malware names, or indicators to ATT&CK relationships where locally validated

Detection direction

  • Build detections around behavior chains: targeted email attachment delivery, user-opened malicious file, endpoint execution, and subsequent external transfer activity.
  • Tune for false positives from legitimate attachments, software downloads, and administrative tool movement by adding user role, attachment type, destination novelty, and endpoint context; weight sender reputation cautiously, because the cited campaigns sent from compromised legitimate accounts (T1586.002).
  • Review blind spots in personal webmail, cloud mailboxes, unmanaged endpoints, encrypted web traffic metadata, and locations where attachment detonation or EDR coverage is absent.
  • Because official detection is not provided, treat any IndigoZebra-specific detections as locally derived from the related techniques, software reporting, and validated indicators rather than as guaranteed ATT&CK coverage.
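The correlation logic described in the Technical view and in the Detection direction bullets above, written out as an added example. This is illustration code added to this page, not Glexia's tooling and not anything from the cited reporting; the event schema, field names, time windows, process lists, and the sample events and domain first-seen baseline are all constructed assumptions that would have to be mapped onto real email-gateway, EDR, and DNS/proxy telemetry. It alerts only when the whole chain is present (attachment delivered, an attachment handler spawning something suspicious on that user's host, then a newly seen outbound domain from that host), rates a password-protected archive higher because that is the attachment type in the cited reporting, and deliberately does not suppress on sender reputation because the senders were compromised legitimate accounts (T1586.002).

```python
"""Behaviour-chain correlation for a spearphishing-attachment intrusion.
Added illustration (not Glexia or MITRE code); schema, thresholds and sample
events are constructed assumptions. Map them onto real telemetry before use."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumptions; adjust against local false-positive data).
ARCHIVE_EXTS = (".rar", ".zip", ".7z")
# Parents that open attachments: archive tools and Office/mail applications.
ATTACHMENT_PARENTS = {"winrar.exe", "7zfm.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Children an attachment handler should not normally spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")
EXEC_WINDOW = timedelta(hours=2)      # delivery -> execution
NET_WINDOW = timedelta(hours=1)       # execution -> first outbound contact
NOVEL_DOMAIN_AGE = timedelta(days=7)  # "destination novelty" threshold


def parse_ts(ts):
    return datetime.fromisoformat(ts)

def encrypted_archive(mail):
    """T1566.001 procedure on this page: password-protected RAR/ZIP attachment."""
    name = mail.get("attachment", "").lower()
    return bool(mail.get("encrypted")) and name.endswith(ARCHIVE_EXTS)

def suspicious_exec(ev):
    """T1204.002: attachment handler spawning a LOLBin or a binary from a user-writable path."""
    parent, image = ev.get("parent", "").lower(), ev.get("image", "").lower()
    path = ev.get("path", "").lower()
    if parent not in ATTACHMENT_PARENTS:
        return False
    return image in SUSPICIOUS_CHILDREN or any(p in path for p in USER_WRITABLE)

def novel_domain(domain, when, first_seen):
    """Destination novelty: never seen before, or first seen within NOVEL_DOMAIN_AGE."""
    seen = first_seen.get(domain.lower())
    return seen is None or when - seen <= NOVEL_DOMAIN_AGE

def correlate(events, first_seen):
    """Alert only when the whole chain is present for one user: attachment delivered ->
    suspicious execution on that user's host -> newly seen outbound domain. Sender
    reputation is deliberately not a suppression input (T1586.002: compromised accounts)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for mail in (e for e in evs if e["source"] == "email" and e.get("attachment")):
            t_mail = parse_ts(mail["ts"])
            execs = [e for e in evs if e["source"] == "endpoint" and suspicious_exec(e)
                     and t_mail <= parse_ts(e["ts"]) <= t_mail + EXEC_WINDOW]
            if not execs:
                continue
            hit, t_exec = execs[0], parse_ts(execs[0]["ts"])
            contacts = [e for e in evs if e["source"] == "network" and e["host"] == hit["host"]
                        and t_exec <= parse_ts(e["ts"]) <= t_exec + NET_WINDOW
                        and novel_domain(e["domain"], parse_ts(e["ts"]), first_seen)]
            if not contacts:
                continue
            alerts.append({
                "user": user, "host": hit["host"],
                "severity": "high" if encrypted_archive(mail) else "medium",
                "sender": mail["sender"], "attachment": mail["attachment"],
                "process": f'{hit["parent"]} -> {hit["image"]}',
                "domains": sorted({c["domain"] for c in contacts}),
                "techniques": ["T1566.001", "T1204.002", "T1105"],
            })
    return alerts


# Constructed sample telemetry (not real logs): "alice" completes the chain,
# "bob" receives a legitimate encrypted archive and never does.
SAMPLE_EVENTS = [
    {"source": "email", "ts": "2021-07-01T09:00:00", "user": "alice", "encrypted": True,
     "sender": "protocol@partner-ministry.example", "attachment": "Agreement_changes.rar"},
    {"source": "endpoint", "ts": "2021-07-01T09:06:10", "user": "alice", "host": "WS-ALICE",
     "parent": "winrar.exe", "image": "Agreement_changes.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EXa0.123\\Agreement_changes.exe"},
    {"source": "network", "ts": "2021-07-01T09:06:45", "user": "alice", "host": "WS-ALICE",
     "domain": "mail.gov-portal-update.example"},
    {"source": "email", "ts": "2021-07-01T10:00:00", "user": "bob", "encrypted": True,
     "sender": "hr@corp.example", "attachment": "payslips.zip"},
    {"source": "endpoint", "ts": "2021-07-01T10:03:00", "user": "bob", "host": "WS-BOB",
     "parent": "7zfm.exe", "image": "acrord32.exe", "path": "C:\\Program Files\\Adobe\\acrord32.exe"},
    {"source": "network", "ts": "2021-07-01T10:04:00", "user": "bob", "host": "WS-BOB",
     "domain": "corp.example"},
]
DOMAIN_FIRST_SEEN = {  # assumed passive-DNS / proxy first-seen baseline
    "corp.example": parse_ts("2018-01-01T00:00:00"),
    "mail.gov-portal-update.example": parse_ts("2021-06-29T23:00:00"),
}

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, DOMAIN_FIRST_SEEN):
        print(alert)
```

Run directly, it prints one high-severity alert for the constructed "alice" sequence; the "bob" sequence (legitimate encrypted archive opened by a normal application, long-known destination) produces nothing. In production the three stages arrive from different log sources, so the join keys (user for mail-to-endpoint, host for endpoint-to-network) and the two time windows are where most of the tuning effort goes.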

Mitigation priorities

  • Harden email attachment controls first: filtering of archive- and executable-bearing attachments, sandboxing where available (noting that a password-protected archive, the attachment type in the cited reporting, is not detonated unless the gateway can recover the password from the message body), user reporting workflows, and focused awareness for high-risk roles.
  • Reduce endpoint execution risk with least privilege, application control where feasible, and monitoring of document- or attachment-driven execution paths.
  • Improve outbound control and visibility for DNS, proxy, and web connections so potential command-and-control or tool-transfer behavior can be investigated quickly.
  • Maintain IR playbooks for suspected targeted phishing that include mailbox review, endpoint containment, credential review, and scoping of related network activity.
  • Use threat intelligence operationally but conservatively: enrich alerts with the named software and techniques, while requiring local telemetry before making attribution or exposure claims.

Analyst notes and limits

The supplied ATT&CK object identifies IndigoZebra as a suspected Chinese cyber espionage group targeting Central Asian governments since at least 2014, and relationships connect it to phishing, malicious file execution, resource development, tool transfer, and Windows malware/RAT families. The most defensible Glexia use is to assess readiness against the observed behavior pattern, not to infer current activity or universal risk.

Platforms and tactics are not specified on the group object itself, and no official ATT&CK detection guidance is provided. Platform references come from related software and techniques only. Local exposure, indicators, targeting relevance, and detection effectiveness must be confirmed from the organization’s own telemetry and intelligence sources.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (7 rows; citation numbers refer to the Source references list below)

Enterprise | T1583.001 | Domains (sub-technique)
    IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations. [2]

Enterprise | T1588.002 | Tool (sub-technique)
    IndigoZebra has acquired open source tools such as NBTscan and Meterpreter for their operations. [2][3]

Enterprise | T1583.006 | Web Services (sub-technique)
    IndigoZebra created Dropbox accounts for their operations. [1][2]

Enterprise | T1586.002 | Email Accounts (sub-technique)
    IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations. [2]

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
    IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments. [1][2]

Enterprise | T1204.002 | Malicious File (sub-technique)
    IndigoZebra sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the file, which would trigger the attack. [1]

Enterprise | T1105 | Ingress Tool Transfer (technique)
    IndigoZebra has downloaded additional files and tools from its C2 server. [2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in this snapshot)
Modified: (blank in this snapshot)
Raw hash: 5c5a342ca13e33cd...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (blank) | 1.0 | (blank) | Current bundle | 5c5a342ca13e...

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] HackerNews IndigoZebra July 2021
     Lakshmanan, R. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. The Hacker News. Retrieved September 24, 2021.
  2. [2] Checkpoint IndigoZebra July 2021
     CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  3. [3] Securelist APT Trends Q2 2017
     Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Securelist. Retrieved February 15, 2018.
  4. [4] mitre-attack G0136
     MITRE ATT&CK source record for group object G0136 (IndigoZebra).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.