Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G0114: Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[1][2]

EnterpriseG0114GroupObject v2.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Chimera is an ATT&CK group entry for a suspected China-based threat group reported as active since at least 2018, with targeting described against Taiwan’s semiconductor industry and airline-industry data. The decision value for defenders is not a single indicator list; it is the pattern of related behaviors: credential access against Active Directory, discovery, lateral movement over common Windows administration paths, collection from network shares, and exfiltration over an existing command-and-control channel.

Executive priority

Treat this as a resilience and crown-jewel protection scenario for environments where intellectual property, manufacturing know-how, airline data, or sensitive shared-drive content are material. Leaders should ask whether privileged identity monitoring, domain controller protection, remote administration governance, network share access review, and exfiltration visibility are evidenced in practice, not just documented as policy.

Technical view

MITRE provides no official detection text and no group-level platform list for Chimera. However, the supplied relationships point to Windows and Active Directory-heavy tradecraft: Mimikatz, NTDS access, BloodHound, PsExec, Net, WMI, RDP, SMB/admin shares, WinRM, scheduled tasks, discovery commands, command obfuscation, shared-drive collection, and exfiltration over C2. SOC and IR teams should validate detection coverage across identity, endpoint, domain controller, remote service, and network telemetry, with special attention to legitimate administration tools that can be abused.

Likely telemetry

  • Domain controller security events and monitoring for access or copying of NTDS.dit and related credential material
  • Endpoint process creation and command-line logs for tools and utilities such as Mimikatz, PsExec, Net, esentutl, WMI, schtasks, and discovery commands
  • Windows remote access logs for RDP, SMB/admin shares, and WinRM activity
  • Active Directory object, group, session, and relationship queries that may align with BloodHound-style reconnaissance
  • Network share access logs and file access auditing for sensitive repositories

Detection direction

  • Do not rely on tool-name matching alone; several related behaviors use legitimate administration utilities and protocols that require context, baselining, and privilege-aware analytics.
  • Correlate credential access signals with subsequent remote service use, lateral movement, scheduled task creation, network share access, and unusual egress.
  • Prioritize domain controllers, administrator workstations, file servers, and systems with access to sensitive industry data for higher-fidelity logging and alert review.
  • Tune for abnormal use of PsExec, WMI, WinRM, RDP, SMB/admin shares, Net, and esentutl by account, host, time, and peer system rather than treating every administrative use as malicious.
  • Account for command obfuscation and legitimate-looking resource names or locations, which can reduce the value of simple string signatures.

Mitigation priorities

  • Harden and monitor Active Directory and domain controllers first, including privileged account use, credential dumping resistance, and access to NTDS-related data.
  • Restrict and govern remote administration channels such as RDP, SMB/admin shares, WinRM, WMI, and PsExec-style execution to authorized admins, systems, and management paths.
  • Review permissions on sensitive network shares and reduce broad access to business-critical data repositories.
  • Improve endpoint and identity telemetry coverage before relying on detections for dual-use tools and built-in utilities.
  • Segment high-value engineering, manufacturing, identity, and file-server environments where business impact would be high.
Analyst notes and limits

The ATT&CK object identifies Chimera as a suspected China-based group and cites public reporting from Cycraft and NCC Group. Relationship context supplies the main defensive value: the group is linked to credential dumping, AD reconnaissance, discovery, lateral movement, collection, and exfiltration behaviors. This take intentionally avoids asserting current activity, customer exposure, or guaranteed detection coverage.

Group-level platforms, tactics, labels, and official detection guidance are not specified in the supplied object. Some related techniques list non-Windows platforms, but the most concrete relationship context here is Windows and Active Directory-oriented. Local environment architecture, logging maturity, and business data locations are necessary to determine actual risk and coverage.

Official MITRE ATT&CK definition

Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

59 rows
Domain ID Name Relationship / procedure
Enterprise T1574.001 DLL Sub-technique

Chimera has used side loading to place malicious DLLs in memory.[2]
Enterprise T1074.002 Remote Data Staging Sub-technique

Chimera has staged stolen data on designated servers in the target environment.[2]
Enterprise T1053.005 Scheduled Task Sub-technique

Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st and to maintain persistence.[1][2]
Enterprise T1569.002 Service Execution Sub-technique

Chimera has used PsExec to deploy beacons on compromised systems.[2]
Enterprise T1041 Exfiltration Over C2 Channel

Chimera has used Cobalt Strike C2 beacons for data exfiltration.[2]
Enterprise T1078 Valid Accounts

Chimera has used a valid account to maintain persistence via scheduled task.[1]
Enterprise T1550.002 Pass the Hash Sub-technique

Chimera has dumped password hashes for use in pass the hash authentication attacks.[2]
Enterprise T1071.001 Web Protocols Sub-technique

Chimera has used HTTPS for C2 communications.[2]
Enterprise T1106 Native API

Chimera has used direct Windows system calls by leveraging Dumpert.[1]
Enterprise T1556.001 Domain Controller Authentication Sub-technique

Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.[1]
Enterprise T1071.004 DNS Sub-technique

Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.[2]
Enterprise T1482 Domain Trust Discovery

Chimera has nltest /domain_trusts to identify domain trust relationships.[2]
Enterprise T1560.001 Archive via Utility Sub-technique

Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.[1][2]
Enterprise T1021.006 Windows Remote Management Sub-technique

Chimera has used WinRM for lateral movement.[2]
Enterprise T1083 File and Directory Discovery

Chimera has utilized multiple commands to identify data of interest in file and directory listings.[2]
Enterprise T1087.002 Domain Account Sub-technique

Chimera has has used net user /dom and net user Administrator to enumerate domain accounts including administrator accounts.[1][2]
Enterprise T1057 Process Discovery

Chimera has used tasklist to enumerate processes.[2]
Enterprise T1021.002 SMB/Windows Admin Shares Sub-technique

Chimera has used Windows admin shares to move laterally.[1][2]
Enterprise T1059.001 PowerShell Sub-technique

Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.[1][2]
Enterprise T1003.003 NTDS Sub-technique

Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.[1] Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.[2]
Enterprise T1074.001 Local Data Staging Sub-technique

Chimera has staged stolen data locally on compromised hosts.[2]
Enterprise T1213.002 Sharepoint Sub-technique

Chimera has collected documents from the victim's SharePoint.[2]
Enterprise T1135 Network Share Discovery

Chimera has used net share and net view to identify network shares of interest.[2]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[1]
Enterprise T1570 Lateral Tool Transfer

Chimera has copied tools between compromised hosts using SMB.[2]
Enterprise T1007 System Service Discovery

Chimera has used net start and net use for system service discovery.[2]
Enterprise T1027.010 Command Obfuscation Sub-technique

Chimera has encoded PowerShell commands.[1]
Enterprise T1685.005 Clear Windows Event Logs Sub-technique

Chimera has cleared event logs on compromised hosts.[2]
Enterprise T1016 System Network Configuration Discovery

Chimera has used ipconfig, Ping, and tracert to enumerate the IP address and network environment and settings of the local host.[2]
Enterprise T1046 Network Service Discovery

Chimera has used the get -b -e -p command for network scanning as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP.[2]
Enterprise T1033 System Owner/User Discovery

Chimera has used the quser command to show currently logged on users.[2]
Enterprise T1087.001 Local Account Sub-technique

Chimera has used net user for account discovery.[2]
Enterprise T1572 Protocol Tunneling

Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS.[2]
Enterprise T1078.002 Domain Accounts Sub-technique

Chimera has used compromised domain accounts to gain access to the target environment.[2]
Enterprise T1069.001 Local Groups Sub-technique

Chimera has used net localgroup administrators to identify accounts with local administrative rights.[2]
Enterprise T1124 System Time Discovery

Chimera has used time /t and net time \\ip/hostname for system time discovery.[2]
Enterprise T1201 Password Policy Discovery

Chimera has used the NtdsAudit utility to collect information related to accounts and passwords.[2]
Enterprise T1049 System Network Connections Discovery

Chimera has used netstat -ano | findstr EST to discover network connections.[2]
Enterprise T1059.003 Windows Command Shell Sub-technique

Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.[2]
Enterprise T1070.004 File Deletion Sub-technique

Chimera has performed file deletion to evade detection.[1]
Enterprise T1110.003 Password Spraying Sub-technique

Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.[2]
Enterprise T1114.001 Local Email Collection Sub-technique

Chimera has harvested data from victim's e-mail including through execution of wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst" copy.[2]
Enterprise T1039 Data from Network Shared Drive

Chimera has collected data of interest from network shares.[2]
Enterprise T1119 Automated Collection

Chimera has used custom DLLs for continuous retrieval of data from memory.[2]
Enterprise T1133 External Remote Services

Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services.[1][2]
Enterprise T1110.004 Credential Stuffing Sub-technique

Chimera has used credential stuffing against victim's remote services to obtain valid accounts.[2]
Enterprise T1680 Local Storage Discovery

Chimera has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information.[2]
Enterprise T1114.002 Remote Email Collection Sub-technique

Chimera has harvested data from remote mailboxes including through execution of \\\c$\Users\\AppData\Local\Microsoft\Outlook*.ost.[2]
Enterprise T1012 Query Registry

Chimera has queried Registry keys using reg query \\\HKU\\SOFTWARE\Microsoft\Terminal Server Client\Servers and reg query \\\HKU\\Software\Microsoft\Windows\CurrentVersion\Internet Settings.[2]
Enterprise T1588.002 Tool Sub-technique

Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.[1][2]
Enterprise T1567.002 Exfiltration to Cloud Storage Sub-technique

Chimera has exfiltrated stolen data to OneDrive accounts.[2]
Enterprise T1070.006 Timestomp Sub-technique

Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.[2]
Enterprise T1018 Remote System Discovery

Chimera has utilized various scans and queries to find domain controllers and remote services in the target environment.[2]
Enterprise T1589.001 Credentials Sub-technique

Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.[2]
Enterprise T1047 Windows Management Instrumentation

Chimera has used WMIC to execute remote commands.[1][2]
Enterprise T1021.001 Remote Desktop Protocol Sub-technique

Chimera has used RDP to access targeted systems.[1]
Enterprise T1111 Multi-Factor Authentication Interception

Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.[2]
Enterprise T1217 Browser Information Discovery

Chimera has used type \\\c$\Users\\Favorites\Links\Bookmarks bar\Imported From IE\*citrix* for bookmark discovery.[2]
Enterprise T1105 Ingress Tool Transfer

Chimera has remotely copied tools and malware onto targeted systems.[1]
Associated objects

Groups, software, and campaigns

Tool Enterprise

S0029: PsExec

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[1][2]

Windows
Tool Enterprise

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Windows
Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Malware Enterprise

S0154: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

LinuxmacOSWindows
Relationship explorer

All related ATT&CK context

uses · Technique T1574.001: DLL Enterprise uses · Tool S0029: PsExec Enterprise uses · Technique T1074.002: Remote Data Staging Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1569.002: Service Execution Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1078: Valid Accounts Enterprise uses · Technique T1550.002: Pass the Hash Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1556.001: Domain Controller Authentication Enterprise uses · Technique T1071.004: DNS Enterprise uses · Technique T1482: Domain Trust Discovery Enterprise uses · Technique T1560.001: Archive via Utility Enterprise uses · Technique T1021.006: Windows Remote Management Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1087.002: Domain Account Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Tool S0521: BloodHound Enterprise uses · Technique T1021.002: SMB/Windows Admin Shares Enterprise uses · Technique T1059.001: PowerShell Enterprise uses · Technique T1003.003: NTDS Enterprise uses · Technique T1074.001: Local Data Staging Enterprise uses · Technique T1213.002: Sharepoint Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.2
Created
Modified
Raw hash
eb158edec1e69df6...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.2 Current bundle eb158edec1e6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Cycraft Chimera April 2020

    Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..

    Open source URL
  2. [2]
    NCC Group Chimera January 2021

    Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.

    Open source URL
  3. [3]
    Chimera

    (Citation: NCC Group Chimera January 2021)

  4. [4]
    mitre-attack G0114
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use