ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > TAG-22

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: TAG-22

NamesTAG-22 (Recorded Future)
CountryChina China
SponsorState-sponsored
MotivationInformation theft and espionage
First seen2021
Description(Recorded Future) Recorded Future has identified a suspected Chinese state-sponsored group that we track as Threat Activity Group 22 (TAG-22) targeting telecommunications, academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and more historically, Hong Kong. In this most recent activity, the group likely used compromised GlassFish servers and Cobalt Strike in initial access operations before switching to the bespoke Winnti, ShadowPad, and Spyder backdoors for long-term access using dedicated actor-provisioned command and control infrastructure.
ObservedCountries: Hong Kong, Nepal, Philippines, Taiwan.
Tools usedCobalt Strike, ShadowPad Winnti, Spyder, Winnti.
Information<https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/>

Last change to this card: 08 August 2021

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key