ETDA ThaiCERT
Report
Search
Home > List all groups > Blackgear

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Blackgear

NamesBlackgear (Trend Micro)
Topgear (?)
CountryChina China
MotivationInformation theft and espionage
First seen2018
Description(Trend Micro) Blackgear is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.

Like most campaigns, Blackgear has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.
ObservedCountries: Japan, South Korea, Taiwan.
Tools usedComnie, Elirks, Protux.
Operations performedJul 2018Resurfaces, Abuses Social Media for C&C Communication
<https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/>
Information<https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/>

Last change to this card: 14 April 2020

Download this actor card in PDF or JSON format

Previous: Bitter
Next: BlackOasis

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key