G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
Analyst context for executives and security teams
APT5 matters because ATT&CK describes it as a long-running China-based espionage group focused on telecommunications, aerospace, and defense, with particular interest in networking devices, underlying software, and zero-day exploitation. For leaders, the practical issue is not just malware names: it is whether internet-facing access infrastructure, VPNs, domain credentials, and remote administration paths are observable and recoverable during an espionage-driven intrusion.
Executive priority
Prioritize APT5-informed readiness where business depends on sensitive engineering, defense, telecom, or externally reachable access infrastructure. Executives should ask whether the organization can prove timely vulnerability management for network devices, detect credential theft and remote access abuse, and preserve logs from VPN/network appliances for incident response and audit evidence. The relationship to SPACEHOP Activity also makes leased VPS/ORB-style infrastructure a relevant threat-intelligence and perimeter-monitoring concern, without assuming any specific local exposure.
Technical view
ATT&CK provides no official detection text for APT5, so validation should be built from the related techniques, software, and campaign context. Key defensive checks include coverage for credential access on Windows such as LSASS Memory and SAM extraction, domain-controller risks associated with Skeleton Key-style behavior, RAT activity such as PoisonIvy, gh0st RAT, and PcShare, and abuse of legitimate utilities including Net, Tasklist, and netstat. Network-device and VPN-focused hunting is especially important because related APT5 software includes SLOWPULSE, PULSECHECK, PACEMAKER, SLIGHTPULSE, and RAPIDPULSE, several of which are described around Pulse Secure VPNs, credential logging/stealing, authentication bypass flows, and web shells.
Likely telemetry
- VPN and network-device authentication logs, administrative access logs, configuration change records, and file integrity evidence where available
- Web shell indicators on network devices or Linux-based appliances, including unexpected script files or modified legitimate files
- Windows endpoint and server telemetry for LSASS access, SAM access, process injection, suspicious credential dumping tools, and unusual child processes
- Domain controller security logs and authentication events relevant to credential abuse or backdoor credential behavior
- RDP and SSH logon records, including source IPs, account context, session timing, and lateral movement patterns
Detection direction
- Do not rely on a single APT5 signature; map coverage to the related ATT&CK techniques and software actually present in the environment.
- Validate whether security monitoring includes network devices and VPN appliances, since these are common blind spots compared with managed Windows endpoints.
- Tune credential-access detections for high-risk systems, especially domain controllers, VPN infrastructure, administrative workstations, and servers that can expose reusable credentials.
- Correlate discovery commands, process enumeration, network connection discovery, and remote access logons with account privilege, asset criticality, and source network context to reduce false positives from legitimate administration.
- Use the SPACEHOP Activity relationship to enrich perimeter analytics with suspicious VPS/relay infrastructure patterns, while treating infrastructure reputation as supporting context rather than standalone proof.
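The correlation described above, as an added example that is not part of the ATT&CK object or the Glexia analysis: discovery commands (the Tasklist, netstat and Net utilities the page names) and RDP/SSH logons are grouped per host/account/source, then scored against asset criticality, account privilege and source network so that the same `tasklist` run by an administrator from the admin VLAN scores low while the same command on a domain controller from an unexpected source scores high. All events, host names, account names and context tables are constructed for the example; the weights and threshold are assumptions to be tuned locally.

```python
"""Correlate discovery commands and remote logons with account, asset and source context."""

# Constructed sample telemetry for this example (not from any real incident).
# "type" is either a logon record or a process-creation record.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "DC01", "user": "svc_backup", "src": "10.9.8.7", "type": "logon", "method": "RDP"},
    {"ts": 2, "host": "DC01", "user": "svc_backup", "src": "10.9.8.7", "type": "process", "cmd": "tasklist.exe /v"},
    {"ts": 3, "host": "DC01", "user": "svc_backup", "src": "10.9.8.7", "type": "process", "cmd": "netstat -ano"},
    {"ts": 4, "host": "DC01", "user": "svc_backup", "src": "10.9.8.7", "type": "process", "cmd": "net user /domain"},
    {"ts": 10, "host": "WS-IT-05", "user": "jdoe-adm", "src": "10.1.1.20", "type": "logon", "method": "RDP"},
    {"ts": 11, "host": "WS-IT-05", "user": "jdoe-adm", "src": "10.1.1.20", "type": "process", "cmd": "tasklist"},
    {"ts": 20, "host": "FILE01", "user": "jdoe", "src": "10.1.1.30", "type": "process", "cmd": "netstat -an"},
]

# Context an analyst would pull from the CMDB and identity sources (assumed values).
ASSET_CRITICALITY = {"DC01": 3, "VPN-GW01": 3, "FILE01": 2, "WS-IT-05": 1}  # 3 = critical, 1 = low
PRIVILEGED_ACCOUNTS = {"jdoe-adm"}            # accounts expected to run admin tooling
ADMIN_SOURCE_PREFIXES = ("10.1.1.",)          # jump hosts / admin VLAN (assumed)
ALERT_THRESHOLD = 6

# Discovery categories keyed on the utilities the page lists (Tasklist, netstat, Net).
DISCOVERY_RULES = [
    ("process_discovery", ("tasklist",)),
    ("network_connection_discovery", ("netstat",)),
    ("account_discovery", ("net user", "net group", "net1 user", "net1 group")),
]


def classify_discovery(cmd):
    """Return the discovery category for a command line, or None if it is not a discovery command."""
    lowered = cmd.lower()
    for category, needles in DISCOVERY_RULES:
        if any(needle in lowered for needle in needles):
            return category
    return None


def score_sessions(events):
    """Group events per (host, user, source), score sessions containing discovery, highest first."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"], ev["src"])
        s = sessions.setdefault(key, {"host": ev["host"], "user": ev["user"], "src": ev["src"],
                                      "categories": set(), "commands": [], "remote_logon": None})
        if ev["type"] == "logon" and ev.get("method") in ("RDP", "SSH"):
            s["remote_logon"] = ev["method"]
        elif ev["type"] == "process":
            category = classify_discovery(ev["cmd"])
            if category:
                s["categories"].add(category)
                s["commands"].append(ev["cmd"])

    results = []
    for s in sessions.values():
        if not s["categories"]:
            continue  # no discovery activity: nothing to score
        reasons = []
        score = ASSET_CRITICALITY.get(s["host"], 1)
        reasons.append(f"asset criticality {score}")
        score += len(s["categories"])  # breadth of discovery in one session
        if s["user"] not in PRIVILEGED_ACCOUNTS:
            score += 2
            reasons.append("discovery run by a non-administrative account")
        if not s["src"].startswith(ADMIN_SOURCE_PREFIXES):
            score += 2
            reasons.append(f"source {s['src']} is outside the admin network")
        if s["remote_logon"]:
            score += 1
            reasons.append(f"session established over {s['remote_logon']}")
        s["score"] = score
        s["reasons"] = reasons
        results.append(s)
    return sorted(results, key=lambda r: r["score"], reverse=True)


def correlate(events, threshold=ALERT_THRESHOLD):
    """Return only the sessions whose combined context score reaches the alert threshold."""
    return [s for s in score_sessions(events) if s["score"] >= threshold]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["src"], alert["score"], "; ".join(alert["reasons"]))
```

On the constructed input only the domain-controller session (non-admin service account, source outside the admin VLAN, RDP logon followed by three discovery categories) crosses the threshold; the administrator's `tasklist` on a workstation and a single `netstat` on a file server from the admin network stay below it, which is the false-positive reduction the guidance describes.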
Mitigation priorities
- Start with inventory and vulnerability management for internet-facing networking devices, VPNs, and remote access services, including evidence that patches and mitigations are applied and verified.
- Harden identity paths by limiting administrative credential exposure, reducing unnecessary privileged sessions, protecting credential material, and monitoring high-value accounts.
- Restrict and monitor RDP and SSH access, especially between internal segments and to critical systems, using least privilege and strong authentication where applicable.
- Improve resilience of domain controllers and VPN infrastructure through logging, configuration baselines, file integrity checks where feasible, and tested recovery procedures.
- Prepare IR playbooks for suspected network-device compromise and credential theft, including credential rotation, appliance forensic collection, and validation of persistence mechanisms such as web shells or scheduled tasks.
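A file-integrity baseline of the kind the resilience and IR items above call for, as an added example (not ATT&CK, Glexia or vendor code): a SHA-256 manifest is taken over an appliance or server file tree and later compared to report modified legitimate files, newly dropped script files and deleted files, which covers the page's web-shell indicators (modified legitimate files such as the `DSUpgrade.pm` row in the techniques table, unexpected script files) and the crontab modifications in the Cron row. The directory layout, file names and contents in `run_demo()` are constructed placeholders, not the real Pulse Secure layout, and the script-extension list is an assumption to tune per platform.

```python
"""Baseline-and-verify file integrity check for an appliance or server file tree."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions that should not appear as new files on a hardened appliance without a change record
# (assumed list for this example; tune to the platform's legitimate file set).
SCRIPT_EXTENSIONS = {".pl", ".pm", ".php", ".jsp", ".sh", ".py", ".cgi"}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; new files with script extensions are reported separately."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    new_scripts = [p for p in added if Path(p).suffix.lower() in SCRIPT_EXTENSIONS]
    return {"modified": modified, "added": added, "deleted": deleted, "new_scripts": new_scripts}


def run_demo():
    """Constructed scenario: baseline a fake appliance tree, then simulate the change types the page lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "home/perl").mkdir(parents=True)
        (root / "home/webserver/htdocs").mkdir(parents=True)
        (root / "var/cron/tabs").mkdir(parents=True)
        # Placeholder files: names echo the page's DSUpgrade.pm and crontab mentions, contents are invented.
        (root / "home/perl/DSUpgrade.pm").write_text("package DSUpgrade;\n1;\n")
        (root / "home/webserver/htdocs/index.cgi").write_text("#!/usr/bin/perl\n")
        (root / "var/cron/tabs/root").write_text("0 3 * * * /usr/local/bin/rotate-logs\n")
        baseline = build_manifest(root)

        # Simulated later state: a legitimate file altered, a new script dropped, a crontab entry appended.
        (root / "home/perl/DSUpgrade.pm").write_text("package DSUpgrade;\n# appended line\n1;\n")
        (root / "home/webserver/htdocs/health.pl").write_text("#!/usr/bin/perl\n")
        (root / "var/cron/tabs/root").write_text("0 3 * * * /usr/local/bin/rotate-logs\n*/5 * * * * /tmp/update.sh\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest only has evidential value if it is taken from a known-good state (fresh install or vendor image) and stored off the appliance, so that an intruder who can edit `DSUpgrade.pm` cannot also edit the record it is compared against.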
Analyst notes and limits
This take is based on ATT&CK G1023 version 1.1 in enterprise-attack, its official description, external references, and supplied relationships. The group object itself lists no platforms or tactics and provides no official detection guidance, so platform-specific comments are derived only from related software and technique relationships. Local asset exposure, logging maturity, and control effectiveness must be validated before drawing conclusions about risk or coverage.
ATT&CK relationships provide behavior context but do not prove that every listed technique or tool will appear in every APT5 intrusion. The supplied SPACEHOP campaign description is truncated, and no customer-specific telemetry, exploit details, or active exploitation status is provided. This assessment should therefore guide defensive validation rather than serve as evidence of compromise.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell (sub-technique) | APT5 has used PowerShell to accomplish tasks within targeted environments.[4] |
| Enterprise | T1136.001 | Local Account (sub-technique) | APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.[4] |
| Enterprise | T1070.006 | Timestomp (sub-technique) | APT5 has modified file timestamps.[4] |
| Enterprise | T1021.001 | Remote Desktop Protocol (sub-technique) | APT5 has moved laterally throughout victim environments using RDP.[4] |
| Enterprise | T1654 | Log Enumeration | APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[4] |
| Enterprise | T1685 | Disable or Modify Tools | APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.[4] |
| Enterprise | T1583.005 | Botnet (sub-technique) | APT5 has acquired a network of compromised systems, specifically an ORB (operational relay box) network, for follow-on activities. (Citation: ORB Mandiant) |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | APT5 has staged data on compromised systems prior to exfiltration, often in `C:\Users\Public`.[4] |
| Enterprise | T1554 | Compromise Host Software Binary | APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs, including the legitimate DSUpgrade.pm file, to install the ATRIUM webshell for persistence.[3][4] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.[5][6] |
| Enterprise | T1078.004 | Cloud Accounts (sub-technique) | APT5 has accessed Microsoft M365 cloud environments using stolen credentials.[4] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | APT5 has used the JAR/ZIP file format for exfiltrated files.[4] |
| Enterprise | T1003.001 | LSASS Memory (sub-technique) | |
| Enterprise | T1003.002 | Security Account Manager (sub-technique) | APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.[4] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | APT5 has deleted scripts and web shells to evade detection.[3][4] |
| Enterprise | T1098.007 | Additional Local or Domain Groups (sub-technique) | APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.[4] |
| Enterprise | T1057 | Process Discovery | APT5 has used Windows-based utilities to carry out tasks, including tasklist.exe.[4] |
| Enterprise | T1070 | Indicator Removal | APT5 has used the THINBLOOD utility to clear SSL VPN log files located at `/home/runtime/logs`.[3][4] |
| Enterprise | T1053.003 | Cron (sub-technique) | APT5 has made modifications to the crontab file, including in `/var/cron/tabs/`.[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | APT5 has used cmd.exe for execution on compromised systems.[4] |
| Enterprise | T1021.004 | SSH (sub-technique) | APT5 has used SSH for lateral movement in compromised environments, including for enabling access to ESXi host servers.[4] |
| Enterprise | T1055 | Process Injection | APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality.[4] |
| Enterprise | T1505.003 | Web Shell (sub-technique) | APT5 has installed multiple web shells on compromised servers, including on Pulse Secure VPN appliances.[3][4] |
| Enterprise | T1049 | System Network Connections Discovery | APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs.[4] |
| Enterprise | T1078.002 | Domain Accounts (sub-technique) | APT5 has used legitimate account credentials to move laterally through compromised environments.[3] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | APT5 has named exfiltration archives to mimic Windows Updates, at times using filenames with a `KB…` (text truncated in source) |
| Enterprise | T1070.003 | Clear Command History (sub-technique) | APT5 has cleared the command history on targeted ESXi servers.[4] |
| Enterprise | T1083 | File and Directory Discovery | APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.[4] |
| Enterprise | T1190 | Exploit Public-Facing Application | APT5 has exploited vulnerabilities in externally facing software and devices, including Pulse Secure VPNs and Citrix Application Delivery Controllers.[3][4][1][2] |
Groups, software, and campaigns
S0057: Tasklist
S0012: PoisonIvy
S1113: RAPIDPULSE
RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by APT5 since at least 2021.[1]
S1050: PcShare
S0002: Mimikatz
S1104: SLOWPULSE
S1110: SLIGHTPULSE
SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[1]
S0007: Skeleton Key
Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password.[1] Functionality similar to Skeleton Key is included as a module in Mimikatz.
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.[1]
Net has a great deal of functionality,[2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using `net use` commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as `net1 user`.
S1109: PACEMAKER
S0032: gh0st RAT
S1108: PULSECHECK
PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.[1]
C0052: SPACEHOP Activity
SPACEHOP Activity is conducted through commercially leased Virtual Private Servers (VPS), otherwise known as provisioned Operational Relay Box (ORB) networks. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors – such as APT5 and Ke3chang – to perform network reconnaissance scanning and vulnerability exploitation. SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b7a2b39aeb7d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] NSA APT5 Citrix Threat Hunting December 2022. National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.
[2] Microsoft East Asia Threats September 2023. Microsoft Threat Intelligence. (2023, September). Digital threats from East Asia increase in breadth and effectiveness. Retrieved February 5, 2024.
[3] Mandiant Pulse Secure Zero-Day April 2021. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
[4] Mandiant Pulse Secure Update May 2021. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
[5] FireEye Southeast Asia Threat Landscape March 2015. FireEye. (2015, March). SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE. Retrieved February 5, 2024.
[6] Mandiant Advanced Persistent Threats. Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.
[7] BRONZE FLEETWOOD. (Citation: Secureworks BRONZE FLEETWOOD Profile)
[8] Keyhole Panda. (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks BRONZE FLEETWOOD Profile)
[9] MANGANESE. (Citation: Microsoft Threat Actor Naming July 2023)(Citation: NSA APT5 Citrix Threat Hunting December 2022)
[10] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[11] Mulberry Typhoon. (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Microsoft East Asia Threats September 2023)
[12] Secureworks BRONZE FLEETWOOD Profile. Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.
[13] UNC2630. (Citation: NSA APT5 Citrix Threat Hunting December 2022)
[14] mitre-attack G1023.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.