Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G0004: Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.[1][2][3][4]

EnterpriseG0004GroupObject v3.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Ke3chang is an ATT&CK group entry for a China-attributed threat group with reported targeting of oil, government, diplomatic, military, and NGO organizations across multiple regions since at least 2010. The practical risk is not one malware family; it is the pattern shown by the relationships: credential theft, Windows discovery, SMB/admin-share lateral movement, SharePoint enumeration/data dumping, remote access tooling, and automated exfiltration. For leaders, this makes Ke3chang useful as a scenario for testing whether identity, endpoint, domain controller, SharePoint, and egress monitoring can work together during a targeted intrusion.

Executive priority

Prioritize this as an identity and data-protection readiness use case, especially for organizations in or adjacent to the listed sectors or regions. The ATT&CK relationships point to behaviors that can turn one compromised Windows host into broader domain access and sensitive data collection. Executives should ask whether the organization can prove control coverage for credential dumping, Active Directory database access, SMB lateral movement, SharePoint data access, and suspicious outbound infrastructure such as leased VPS/ORB networks described in the SPACEHOP relationship.

Technical view

ATT&CK does not provide a detection section for this group, so teams should validate coverage from the related software and techniques. The strongest defensive thread is Windows-centric: Mimikatz; LSASS, SAM, NTDS, and LSA Secrets credential access; Net, Tasklist, Systeminfo, Ping, ipconfig, and netstat discovery; SMB/Windows Admin Shares; and malware/tools including MirageFox, Okrum, Neoichor, and spwebmember. Detection engineering should correlate sequences rather than rely only on single command names, because several related utilities are legitimate administration tools.

Likely telemetry

  • Endpoint process creation and command-line telemetry for Net, Tasklist, Systeminfo, Ping, ipconfig, netstat, and related discovery activity
  • Windows security and EDR telemetry for LSASS access, SAM/LSA secret access, and credential dumping tools such as Mimikatz
  • Domain controller monitoring for NTDS.dit access, copies, backups, or unusual administrative access patterns
  • SMB and Windows admin share activity, including remote file access and lateral movement indicators
  • SharePoint and web/application logs relevant to enumeration or data dumping activity associated with spwebmember-style behavior

Detection direction

  • Build detections around behavior chains: discovery commands followed by credential access, then SMB/admin-share movement, then collection or exfiltration.
  • Tune carefully for legitimate administration, since Net, Ping, ipconfig, netstat, Tasklist, and Systeminfo are common utilities; prioritize unusual users, hosts, timing, remote execution context, and clustering across multiple discovery commands.
  • Validate high-fidelity monitoring on domain controllers and privileged workstations for LSASS, SAM, LSA Secrets, and NTDS access rather than assuming endpoint coverage applies uniformly.
  • Use the SPACEHOP relationship as context for network analytics: leased VPS infrastructure alone is noisy, but it becomes higher priority when paired with scanning, vulnerability exploitation, remote access, or post-compromise activity.
  • Include SharePoint and collaboration-data monitoring in scope where applicable, because the related spwebmember tool indicates enumeration and data dumping risk outside traditional endpoint-only visibility.

Mitigation priorities

  • Start with identity hardening: reduce standing administrative privileges, protect privileged accounts, and monitor access to domain controllers and credential stores.
  • Harden and monitor Windows lateral movement paths, especially SMB and administrative shares, and ensure administrative activity is attributable to known users and systems.
  • Improve endpoint controls around credential dumping and suspicious access to LSASS, SAM, LSA Secrets, and NTDS-related material.
  • Inventory and monitor SharePoint or similar sensitive repositories where enumeration and bulk data access would create business impact.
  • Use vulnerability management and exposure reduction for internet-facing and remotely reachable systems, consistent with the SPACEHOP relationship describing reconnaissance scanning and vulnerability exploitation.
Analyst notes and limits

This group entry is most useful as a threat-informed validation package: it connects targeted-sector intelligence with concrete ATT&CK relationships defenders can test. The aliases are numerous, including APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL, and Nylon Typhoon, so threat intelligence teams should normalize naming before comparing reporting or detections.

The supplied group object has no official detection text, no group-level platforms, and no group-level tactics. Platform and tactic guidance here is derived only from the supplied related software and technique objects. Local telemetry, business context, asset exposure, and confirmed tool coverage are required before making claims about organizational exposure or detection maturity.

Official MITRE ATT&CK definition

Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.[1][2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

46 rows
Domain ID Name Relationship / procedure
Enterprise T1114.002 Remote Email Collection Sub-technique

Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.[2][4]
Enterprise T1105 Ingress Tool Transfer

Ke3chang has used tools to download files to compromised machines.[4]
Enterprise T1087.001 Local Account Sub-technique

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]
Enterprise T1033 System Owner/User Discovery

Ke3chang has used implants capable of collecting the signed-in username.[4]
Enterprise T1614.001 System Language Discovery Sub-technique

Ke3chang has used implants to collect the system language ID of a compromised machine.[4]
Enterprise T1087.002 Domain Account Sub-technique

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.[4]
Enterprise T1558.001 Golden Ticket Sub-technique

Ke3chang has used Mimikatz to generate Kerberos golden tickets.[2]
Enterprise T1021.002 SMB/Windows Admin Shares Sub-technique

Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[1][2]
Enterprise T1041 Exfiltration Over C2 Channel

Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[1]
Enterprise T1119 Automated Collection

Ke3chang has performed frequent and scheduled data collection from victim networks.[4]
Enterprise T1083 File and Directory Discovery

Ke3chang uses command-line interaction to search files and directories.[1][4]
Enterprise T1133 External Remote Services

Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates.[2][4]
Enterprise T1018 Remote System Discovery

Ke3chang has used network scanning and enumeration tools, including Ping.[2]
Enterprise T1003.002 Security Account Manager Sub-technique

Ke3chang has dumped credentials, including by using gsecdump.[1][2]
Enterprise T1016 System Network Configuration Discovery

Ke3chang has performed local network configuration discovery using ipconfig.[1][2][4]
Enterprise T1588.002 Tool Sub-technique

Ke3chang has obtained and used tools such as Mimikatz.[2]
Enterprise T1020 Automated Exfiltration

Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.[4]
Enterprise T1007 System Service Discovery

Ke3chang performs service discovery using net start commands.[1]
Enterprise T1543.003 Windows Service Sub-technique

Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.[2]
Enterprise T1190 Exploit Public-Facing Application

Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.[4]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Ke3chang has dropped their malware into legitimate installed software paths including: `C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe`, `C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe`, `C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe`, and `C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe`.[4]
Enterprise T1569.002 Service Execution Sub-technique

Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.[2]
Enterprise T1005 Data from Local System

Ke3chang gathered information and files from local directories for exfiltration.[1][4]
Enterprise T1071.004 DNS Sub-technique

Ke3chang malware RoyalDNS has used DNS for C2.[2]
Enterprise T1213.002 Sharepoint Sub-technique

Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[2]
Enterprise T1027 Obfuscated Files or Information

Ke3chang has used Base64-encoded shellcode strings.[4]
Enterprise T1059 Command and Scripting Interpreter

Malware used by Ke3chang can run commands on the command-line interface.[1][2]
Enterprise T1036.002 Right-to-Left Override Sub-technique

Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[1]
Enterprise T1560 Archive Collected Data

The Ke3chang group has been known to compress data before exfiltration.[1]
Enterprise T1069.002 Domain Groups Sub-technique

Ke3chang performs discovery of permission groups net group /domain.[1]
Enterprise T1560.001 Archive via Utility Sub-technique

Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.[1][4]
Enterprise T1003.003 NTDS Sub-technique

Ke3chang has used NTDSDump and other password dumping tools to gather credentials.[4]
Enterprise T1057 Process Discovery

Ke3chang performs process discovery using tasklist commands.[1][2]
Enterprise T1003.001 LSASS Memory Sub-technique

Ke3chang has dumped credentials, including by using Mimikatz.[1][2][4]
Enterprise T1587.001 Malware Sub-technique

Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.[4]
Enterprise T1071.001 Web Protocols Sub-technique

Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.[2][4]
Enterprise T1059.003 Windows Command Shell Sub-technique

Ke3chang has used batch scripts in its malware to install persistence mechanisms.[2]
Enterprise T1078 Valid Accounts

Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts.[4]
Enterprise T1583.005 Botnet Sub-technique

Ke3chang has utilized an ORB (operational relay box) network for reconnaissance and vulnerability exploitation.CitationORB Mandiant
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Several Ke3chang backdoors achieved persistence by adding a Run key.[2]
Enterprise T1049 System Network Connections Discovery

Ke3chang performs local network connection discovery using netstat.[1][2]
Enterprise T1056.001 Keylogging Sub-technique

Ke3chang has used keyloggers.[2][4]
Enterprise T1003.004 LSA Secrets Sub-technique

Ke3chang has dumped credentials, including by using gsecdump.[1][2]
Enterprise T1078.004 Cloud Accounts Sub-technique

Ke3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts.[4]
Enterprise T1082 System Information Discovery

Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.[1][2][4]
Associated objects

Groups, software, and campaigns

Tool Enterprise

S0097: Ping

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [1]

Tool Enterprise

S0104: netstat

netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. [1]

Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Tool Enterprise

S0057: Tasklist

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. [1]

Malware Enterprise

S0280: MirageFox

MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. [1]

Windows
Tool Enterprise

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Windows
Tool Enterprise

S0100: ipconfig

ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. [1]

Campaign Enterprise

C0052: SPACEHOP Activity

SPACEHOP Activity is conducted through commercially leased Virtual Private Servers (VPS), otherwise known as provisioned Operational Relay Box (ORB) networks. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors – such as APT5 and Ke3chang – to perform network reconnaissance scanning and vulnerability exploitation. SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East.[1]

Relationship explorer

All related ATT&CK context

uses · Technique T1114.002: Remote Email Collection Enterprise uses · Tool S0097: Ping Enterprise uses · Malware S0439: Okrum Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1087.001: Local Account Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise uses · Technique T1614.001: System Language Discovery Enterprise uses · Technique T1087.002: Domain Account Enterprise uses · Tool S0096: Systeminfo Enterprise uses · Tool S0104: netstat Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1558.001: Golden Ticket Enterprise uses · Technique T1021.002: SMB/Windows Admin Shares Enterprise uses · Tool S0227: spwebmember Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Tool S0002: Mimikatz Enterprise uses · Technique T1119: Automated Collection Enterprise uses · Tool S0057: Tasklist Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1133: External Remote Services Enterprise uses · Technique T1018: Remote System Discovery Enterprise uses · Technique T1003.002: Security Account Manager Enterprise uses · Malware S0280: MirageFox Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
3.1
Created
Modified
Raw hash
f3336ac68b3ccd4d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 3.1 Current bundle f3336ac68b3c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Mandiant Operation Ke3chang November 2014

    Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.

    Open source URL
  2. [2]
    NCC Group APT15 Alive and Strong

    Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.

    Open source URL
  3. [3]
    APT15 Intezer June 2018

    Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.

    Open source URL
  4. [4]
    Microsoft NICKEL December 2021

    MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.

    Open source URL
  5. [5]
    APT15

    (Citation: NCC Group APT15 Alive and Strong)

  6. [6]
    GREF

    (Citation: NCC Group APT15 Alive and Strong)

  7. [7]
    Ke3chang

    (Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)

  8. [8]
    Microsoft Threat Actor Naming July 2023

    Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.

    Open source URL
  9. [9]
    Mirage

    (Citation: NCC Group APT15 Alive and Strong)

  10. [10]
    NICKEL

    (Citation: Microsoft NICKEL December 2021)

  11. [11]
    Nylon Typhoon

    (Citation: Microsoft Threat Actor Naming July 2023)

  12. [12]
    Playful Dragon

    (Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)

  13. [13]
    RoyalAPT

    (Citation: APT15 Intezer June 2018)

  14. [14]
    Villeneuve et al 2014

    Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.

    Open source URL
  15. [15]
    Vixen Panda

    (Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)

  16. [16]
    mitre-attack G0004
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use