APT17
Confidence: High. Threat level: High. Aliases: DeputyDog, Aurora Panda, Tailgater Team, BRONZE KEYSTONE, Dogfish, G0001 (+2 more)
APT17, also known as DeputyDog and Aurora Panda, is a China-based threat group that has been active since at least 2013. The group is believed to be state-sponsored and primarily engages in cyber espionage operations. APT17 has a history of targeting a wide range of organizations, including U.S. government entities, the defense industry, law firms, IT companies, and mining companies. Their campaigns have been observed globally, with a focus on the United States, Europe, and Asia. The group is known for its use of the BLACKCOFFEE malware, which it has employed in various campaigns. One notable tactic involved leveraging Microsoft's TechNet portal for command-and-control (C2) communications, a technique designed to obfuscate their infrastructure and prolong their operations. This method highlights their ability to adapt and use legitimate services for malicious purposes. Over the years, APT17 has been associated with a variety of other malware families and tools, including ShadowPad and PlugX, indicating a broad and evolving toolkit.
Target Sectors
Target Regions
Attributed to State-Sponsored (China). Attribution confidence: High.
Future Outlook
APT17 is expected to continue operations targeting Government.
First observed activity
Ongoing operations