Home > List all groups > TA428

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: TA428

NamesTA428 (Proofpoint)
Panda (NTT)
CountryChina China
MotivationInformation theft and espionage
First seen2019
Description(Proofpoint) Proofpoint researchers initially identified email campaigns with malicious RTF document attachments targeting East Asian government agencies in March 2019. These campaigns originated from adversary-operated free email sender accounts at yahoo[.]co[.].jp and yahoo[.]com. Sender addresses often imitated common names found in the languages of targeted entities. Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions.

The lures used in the subjects, attachment names, and attachment content in several cases utilized information technology themes specific to Asia such as governmental or public training documents relating to IT. On one specific occasion an email utilized the subject “ITU Asia-Pacific Online CoE Training Course on ‘Conformity & Interoperability in 5G’ for the Asia-Pacific Region, 15-26 April 2019” and the attachment name “190315_annex 1 online_course_agenda_coei_c&i.doc”. The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries.

This actor worked together with Emissary Panda, APT 27, LuckyMouse, Bronze Union in Operation StealthyTrident.
ObservedSectors: Government.
Countries: Mongolia and East Asia.
Tools used8.t Dropper, Cotx RAT, Poison Ivy.
Operations performedMar 2019Operation “LagTime IT”
Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT.
Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns.
Jun 2020Operation “StealthyTrident”
ESET researchers discovered that chat software called Able Desktop, part of a business management suite popular in Mongolia and used by 430 government agencies in Mongolia.

Last change to this card: 06 January 2021

Download this actor card in PDF or JSON format

Previous: TA413
Next: TA459

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key