Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G1023: APT5

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]

EnterpriseG1023GroupObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

APT5 matters because ATT&CK describes it as a long-running China-based espionage group focused on telecommunications, aerospace, and defense, with particular interest in networking devices, underlying software, and zero-day exploitation. For leaders, the practical issue is not just malware names: it is whether internet-facing access infrastructure, VPNs, domain credentials, and remote administration paths are observable and recoverable during an espionage-driven intrusion.

Executive priority

Prioritize APT5-informed readiness where business depends on sensitive engineering, defense, telecom, or externally reachable access infrastructure. Executives should ask whether the organization can prove timely vulnerability management for network devices, detect credential theft and remote access abuse, and preserve logs from VPN/network appliances for incident response and audit evidence. The relationship to SPACEHOP Activity also makes leased VPS/ORB-style infrastructure a relevant threat-intelligence and perimeter-monitoring concern, without assuming any specific local exposure.

Technical view

ATT&CK provides no official detection text for APT5, so validation should be built from the related techniques, software, and campaign context. Key defensive checks include coverage for credential access on Windows such as LSASS Memory and SAM extraction, domain-controller risks associated with Skeleton Key-style behavior, RAT activity such as PoisonIvy, gh0st RAT, and PcShare, and abuse of legitimate utilities including Net, Tasklist, and netstat. Network-device and VPN-focused hunting is especially important because related APT5 software includes SLOWPULSE, PULSECHECK, PACEMAKER, SLIGHTPULSE, and RAPIDPULSE, several of which are described around Pulse Secure VPNs, credential logging/stealing, authentication bypass flows, and web shells.

Likely telemetry

  • VPN and network-device authentication logs, administrative access logs, configuration change records, and file integrity evidence where available
  • Web shell indicators on network devices or Linux-based appliances, including unexpected script files or modified legitimate files
  • Windows endpoint and server telemetry for LSASS access, SAM access, process injection, suspicious credential dumping tools, and unusual child processes
  • Domain controller security logs and authentication events relevant to credential abuse or backdoor credential behavior
  • RDP and SSH logon records, including source IPs, account context, session timing, and lateral movement patterns

Detection direction

  • Do not rely on a single APT5 signature; map coverage to the related ATT&CK techniques and software actually present in the environment.
  • Validate whether security monitoring includes network devices and VPN appliances, since these are common blind spots compared with managed Windows endpoints.
  • Tune credential-access detections for high-risk systems, especially domain controllers, VPN infrastructure, administrative workstations, and servers that can expose reusable credentials.
  • Correlate discovery commands, process enumeration, network connection discovery, and remote access logons with account privilege, asset criticality, and source network context to reduce false positives from legitimate administration.
  • Use the SPACEHOP Activity relationship to enrich perimeter analytics with suspicious VPS/relay infrastructure patterns, while treating infrastructure reputation as supporting context rather than standalone proof.

Mitigation priorities

  • Start with inventory and vulnerability management for internet-facing networking devices, VPNs, and remote access services, including evidence that patches and mitigations are applied and verified.
  • Harden identity paths by limiting administrative credential exposure, reducing unnecessary privileged sessions, protecting credential material, and monitoring high-value accounts.
  • Restrict and monitor RDP and SSH access, especially between internal segments and to critical systems, using least privilege and strong authentication where applicable.
  • Improve resilience of domain controllers and VPN infrastructure through logging, configuration baselines, file integrity checks where feasible, and tested recovery procedures.
  • Prepare IR playbooks for suspected network-device compromise and credential theft, including credential rotation, appliance forensic collection, and validation of persistence mechanisms such as web shells or scheduled tasks.
Analyst notes and limits

This take is based on ATT&CK G1023 version 1.1 in enterprise-attack, its official description, external references, and supplied relationships. The group object itself lists no platforms or tactics and provides no official detection guidance, so platform-specific comments are derived only from related software and technique relationships. Local asset exposure, logging maturity, and control effectiveness must be validated before drawing conclusions about risk or coverage.

ATT&CK relationships provide behavior context but do not prove that every listed technique or tool will appear in every APT5 intrusion. The supplied SPACEHOP campaign description is truncated, and no customer-specific telemetry, exploit details, or active exploitation status is provided. This assessment should therefore guide defensive validation rather than serve as evidence of compromise.

Official MITRE ATT&CK definition

APT5

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

29 rows
Domain ID Name Relationship / procedure
Enterprise T1059.001 PowerShell Sub-technique

APT5 has used PowerShell to accomplish tasks within targeted environments.[4]
Enterprise T1136.001 Local Account Sub-technique

APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.[4]
Enterprise T1070.006 Timestomp Sub-technique

APT5 has modified file timestamps.[4]
Enterprise T1021.001 Remote Desktop Protocol Sub-technique

APT5 has moved laterally throughout victim environments using RDP.[4]
Enterprise T1654 Log Enumeration

APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[4]
Enterprise T1685 Disable or Modify Tools

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.[4]
Enterprise T1583.005 Botnet Sub-technique

APT5 has acquired a network of compromised systems – specifically an ORB (operational relay box) network – for follow on activities.CitationORB Mandiant
Enterprise T1074.001 Local Data Staging Sub-technique

APT5 has staged data on compromised systems prior to exfiltration often in `C:\Users\Public`.[4]
Enterprise T1554 Compromise Host Software Binary

APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence.[3][4]
Enterprise T1056.001 Keylogging Sub-technique

APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.[5][6]
Enterprise T1078.004 Cloud Accounts Sub-technique

APT5 has accessed Microsoft M365 cloud environments using stolen credentials. [4]
Enterprise T1560.001 Archive via Utility Sub-technique

APT5 has used the JAR/ZIP file format for exfiltrated files.[4]
Enterprise T1003.001 LSASS Memory Sub-technique

APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.[4]
Enterprise T1003.002 Security Account Manager Sub-technique

APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.[4]
Enterprise T1070.004 File Deletion Sub-technique

APT5 has deleted scripts and web shells to evade detection.[3][4]
Enterprise T1098.007 Additional Local or Domain Groups Sub-technique

APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.[4]
Enterprise T1057 Process Discovery

APT5 has used Windows-based utilities to carry out tasks including tasklist.exe. [4]
Enterprise T1070 Indicator Removal

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at `/home/runtime/logs`.[3][4]
Enterprise T1053.003 Cron Sub-technique

APT5 has made modifications to the crontab file including in `/var/cron/tabs/`.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

APT5 has used cmd.exe for execution on compromised systems.[4]
Enterprise T1021.004 SSH Sub-technique

APT5 has used SSH for lateral movement in compromised environments including for enabling access to ESXi host servers.[4]
Enterprise T1055 Process Injection

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality.[4]
Enterprise T1505.003 Web Shell Sub-technique

APT5 has installed multiple web shells on compromised servers including on Pulse Secure VPN appliances.[3][4]
Enterprise T1049 System Network Connections Discovery

APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs.[4]
Enterprise T1078.002 Domain Accounts Sub-technique

APT5 has used legitimate account credentials to move laterally through compromised environments.[3]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a `KB.zip` pattern.[4]
Enterprise T1070.003 Clear Command History Sub-technique

APT5 has cleared the command history on targeted ESXi servers.[4]
Enterprise T1083 File and Directory Discovery

APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.[4]
Enterprise T1190 Exploit Public-Facing Application

APT5 has exploited vulnerabilities in externally facing software and devices including Pulse Secure VPNs and Citrix Application Delivery Controllers.[3][4][1] [2]
Associated objects

Groups, software, and campaigns

Tool Enterprise

S0057: Tasklist

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. [1]

Tool Enterprise

S1050: PcShare

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[1][2]

Windows
Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Malware Enterprise

S1104: SLOWPULSE

SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.[1]

Network Devices
Tool Enterprise

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Windows
Malware Enterprise

S1109: PACEMAKER

PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.[1]

Network DevicesLinux
Malware Enterprise

S1108: PULSECHECK

PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.[1]

Network DevicesLinux
Campaign Enterprise

C0052: SPACEHOP Activity

SPACEHOP Activity is conducted through commercially leased Virtual Private Servers (VPS), otherwise known as provisioned Operational Relay Box (ORB) networks. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors – such as APT5 and Ke3chang – to perform network reconnaissance scanning and vulnerability exploitation. SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East.[1]

Relationship explorer

All related ATT&CK context

uses · Technique T1059.001: PowerShell Enterprise uses · Technique T1136.001: Local Account Enterprise uses · Tool S0057: Tasklist Enterprise uses · Technique T1070.006: Timestomp Enterprise uses · Technique T1021.001: Remote Desktop Protocol Enterprise uses · Malware S0012: PoisonIvy Enterprise uses · Technique T1654: Log Enumeration Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Malware S1113: RAPIDPULSE Enterprise uses · Technique T1583.005: Botnet Enterprise uses · Tool S1050: PcShare Enterprise uses · Technique T1074.001: Local Data Staging Enterprise uses · Tool S0002: Mimikatz Enterprise uses · Technique T1554: Compromise Host Software Binary Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1078.004: Cloud Accounts Enterprise uses · Malware S1104: SLOWPULSE Enterprise uses · Malware S1110: SLIGHTPULSE Enterprise uses · Technique T1560.001: Archive via Utility Enterprise uses · Malware S0007: Skeleton Key Enterprise attributed to · Campaign C0052: SPACEHOP Activity Enterprise uses · Technique T1003.001: LSASS Memory Enterprise uses · Technique T1003.002: Security Account Manager Enterprise uses · Technique T1070.004: File Deletion Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
b7a2b39aeb7d74c2...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle b7a2b39aeb7d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    NSA APT5 Citrix Threat Hunting December 2022

    National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.

    Open source URL
  2. [2]
    Microsoft East Asia Threats September 2023

    Microsoft Threat Intelligence. (2023, September). Digital threats from East Asia increase in breadth and effectiveness. Retrieved February 5, 2024.

    Open source URL
  3. [3]
    Mandiant Pulse Secure Zero-Day April 2021

    Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.

    Open source URL
  4. [4]
    Mandiant Pulse Secure Update May 2021

    Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.

    Open source URL
  5. [5]
    FireEye Southeast Asia Threat Landscape March 2015

    FireEye. (2015, March). SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE. Retrieved February 5, 2024.

    Open source URL
  6. [6]
    Mandiant Advanced Persistent Threats

    Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.

    Open source URL
  7. [7]
    Secureworks BRONZE FLEETWOOD Profile

    Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.

    Open source URL
  8. [8]
    BRONZE FLEETWOOD

    (Citation: Secureworks BRONZE FLEETWOOD Profile)

  9. [9]
    Keyhole Panda

    (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks BRONZE FLEETWOOD Profile)

  10. [10]
    MANGANESE

    (Citation: Microsoft Threat Actor Naming July 2023)(Citation: NSA APT5 Citrix Threat Hunting December 2022)

  11. [11]
    Microsoft Threat Actor Naming July 2023

    Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.

    Open source URL
  12. [12]
    Mulberry Typhoon

    (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Microsoft East Asia Threats September 2023)

  13. [13]
    UNC2630

    (Citation: NSA APT5 Citrix Threat Hunting December 2022)

  14. [14]
    mitre-attack G1023
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use