Active threat profile
  • Type: Nation-State / APT
  • Threat level: CRITICAL
  • Status: ACTIVE
  • Origin: China (Tianjin)
  • Last updated: 2026-03-13

APT10 (Stone Panda)

Also known as: Stone Panda, menuPass, Red Apollo, Cicada, Cloud Hopper, Purple Typhoon, POTASSIUM, HOGFISH, BRONZE RIVERSIDE, CVNX, Granite Taurus, TA429

APT10 is one of China's longest-running and most strategically impactful cyber espionage groups, active since at least 2006 and attributed to the Tianjin State Security Bureau of China's Ministry of State Security (MSS). The group pioneered the systematic compromise of managed service providers (MSPs) at global scale through Operation Cloud Hopper, and continues to target Japanese, Western, and Asia-Pacific organizations with increasingly sophisticated custom malware including LODEINFO and NOOPDOOR.

  • Attributed origin: China (Tianjin)
  • Suspected sponsor: MSS Tianjin State Security Bureau
  • First observed: 2006
  • Primary motivation: Espionage / IP theft
  • Primary targets: MSPs, defense, aerospace, government, telecom
  • Known campaigns: 8+ confirmed
  • MITRE ATT&CK group: G0045
  • Target regions: Japan, North America, Europe, Asia-Pacific
  • Threat level: CRITICAL

Overview

APT10, also known as menuPass, Stone Panda, and Red Apollo, is a Chinese state-sponsored cyber espionage group that has been active since at least 2006. The group is attributed to the Tianjin State Security Bureau, a regional division of China's Ministry of State Security (MSS), and is believed to have operated through the front company Huaying Haitai Science and Technology Development Company. APT10 focuses on exfiltrating intellectual property, trade secrets, and sensitive government data in support of Chinese national security and economic objectives.

APT10 gained worldwide notoriety through Operation Cloud Hopper, a multi-year supply chain campaign that systematically compromised managed service providers (MSPs) to access their downstream client networks. This approach represented a paradigm shift in nation-state tradecraft, allowing a handful of MSP compromises to yield access to hundreds of organizations across every major industry sector. Confirmed victims of the broader campaign include MSPs like Hewlett Packard Enterprise and IBM, along with organizations in more than 12 countries spanning aerospace, defense, healthcare, finance, energy, and government.

In December 2018, the U.S. Department of Justice indicted two Chinese nationals, Zhu Hua and Zhang Shilong, for their roles in APT10. The indictment was accompanied by coordinated attribution statements from the United Kingdom, Australia, Canada, Japan, and other allied nations. Prosecutors alleged the pair had compromised more than 45 technology companies and U.S. government agencies, stolen hundreds of gigabytes of sensitive data, and obtained personally identifiable information for approximately 100,000 U.S. Navy personnel. The indicted individuals remain in China beyond the reach of Western law enforcement.

Trend Micro characterizes APT10 as an "umbrella" group comprising at least two operational clusters: Earth Tengshe (associated with SodaMaster and the A41APT campaign) and Earth Kasha/MirrorFace (associated with LODEINFO and NOOPDOOR). While these sub-groups share tooling and infrastructure overlaps, they maintain distinct operational profiles. As of 2025, APT10 umbrella operations remain active, with Earth Kasha conducting espionage campaigns against government, political, and academic targets in Japan and Taiwan using updated ANEL and NOOPDOOR backdoors enhanced with DNS over HTTPS (DoH) capabilities for C2 evasion.

Target Profile

APT10 employs a two-tier targeting strategy: direct targeting of sectors aligned with Chinese intelligence priorities, and indirect targeting of virtually every sector through the compromise of managed service providers. Confirmed targeting spans over 30 countries across Asia, Europe, North America, and Africa, with a particular emphasis on Japanese organizations.

  • Managed service providers (MSPs): APT10's signature approach. The Cloud Hopper campaign compromised at least nine global MSPs including HPE and IBM, using their privileged access to infiltrate downstream client networks across every major industry. This supply chain approach maximized intelligence yield while minimizing direct intrusions.
  • Defense and aerospace: Sustained targeting of defense contractors, aerospace manufacturers, satellite technology firms, and military organizations. The 2018 indictment cited seven aviation and space sector victims, plus the theft of PII for 100,000 U.S. Navy personnel.
  • Government: Government agencies across the U.S., Japan, UK, and Asia-Pacific, including a U.S. state legislature. The group targets departments involved in foreign affairs, defense policy, and technology regulation. Japanese government institutions have been a consistent priority.
  • Technology and telecommunications: Telecom providers targeted in Operation Soft Cell for surveillance capabilities. Manufacturing, semiconductor, and advanced electronics firms targeted for IP theft related to industrial processes and next-generation technology.
  • Healthcare and pharmaceutical: Targeted campaigns against U.S. healthcare and pharmaceutical companies for research IP theft, including biotech firms and medical equipment manufacturers.
  • Energy and maritime: Oil and gas exploration companies, mining firms, and maritime technology organizations targeted for trade secrets and industrial data aligned with Chinese economic development goals.
  • Academia and think tanks: Japanese universities, political think tanks, and research institutions involved in international relations targeted in Earth Kasha campaigns from 2023 onward.

Tactics, Techniques & Procedures

Documented TTPs based on observed campaigns and public threat intelligence. APT10 is characterized by living-off-the-land techniques, fileless execution, sophisticated obfuscation, and the exploitation of trusted third-party relationships. The group has demonstrated consistent evolution in tradecraft over nearly two decades of operations.

  • T1199 Trusted Relationship: Signature APT10 technique. Compromised MSPs to leverage their privileged access to client networks during Operation Cloud Hopper. Used legitimate MSP credentials and tools to move laterally into downstream targets.
  • T1566.001 Phishing: Spearphishing Attachment: Primary initial access vector for direct targeting campaigns. Uses malicious documents with DLL side-loading, self-extracting archives (SFX), and VBA macros. Lures tailored to target interests, particularly geopolitical topics relevant to Japanese organizations.
  • T1190 Exploit Public-Facing Application: Since 2023, the Earth Kasha sub-group has shifted initial access to exploitation of unpatched SSL-VPN and file storage products including Array AG (CVE-2023-28461), Fortinet (CVE-2023-27997), and Proself (CVE-2023-45727).
  • T1574.002 Hijack Execution Flow: DLL Side-Loading: Extensively used across campaigns. Abuses legitimate executables (including K7Security Suite and other signed binaries) to load malicious DLLs. Core delivery mechanism for LODEINFO, PlugX, and other payloads.
  • T1078 Valid Accounts: Uses stolen credentials from MSP environments to access client networks. Harvests credentials via Mimikatz, pwdump, LaZagne, and MirrorStealer from browsers, email clients, and Windows credential stores.
  • T1059.001 Command and Scripting Interpreter: PowerShell: Uses PowerShell extensively for reconnaissance, lateral movement, and payload execution. Employs PowerSploit and PowerView for offensive operations. Favors fileless execution to evade endpoint detection.
  • T1053.005 Scheduled Task/Job: Scheduled Task: Creates scheduled tasks for persistence. NOOPDOOR maintains access via scheduled tasks, enabling presence within compromised networks for two to three years in documented cases.
  • T1027 Obfuscated Files or Information: Employs multi-layered obfuscation including fileless malware execution, Vigenère cipher encryption, partial XOR encoding, and the Ecipekac multi-layered loader. LODEINFO features complex infection chains designed to hinder analysis.
  • T1071.004 Application Layer Protocol: DNS: Latest NOOPDOOR variants use DNS over HTTPS (DoH) via public resolvers such as Google and Cloudflare to mask C2 domain resolution, evading traditional DNS monitoring.
  • T1003.001 OS Credential Dumping: LSASS Memory: Uses Mimikatz, pwdump, and ProcDump for credential harvesting from LSASS. BloodHound used for Active Directory mapping to identify high-value accounts and attack paths.

Known Campaigns

Confirmed or highly attributed operations linked to this threat actor.

Technology Theft Campaign 2006-2018

Long-running intrusion campaign targeting over 45 technology companies and U.S. government agencies across 12 states. Resulted in theft of hundreds of gigabytes of sensitive data from aviation, space, satellite technology, manufacturing, oil and gas, communications, and maritime sectors. Included compromise of NASA, JPL, and U.S. Navy systems (100,000 personnel records stolen). Formed the basis of the 2018 DOJ indictment against Zhu Hua and Zhang Shilong.

Operation Cloud Hopper 2014-2017+

APT10's signature campaign and one of the largest supply chain compromises ever documented. Systematically breached at least nine global MSPs including HPE and IBM to access downstream client networks. Publicly exposed by PwC and BAE Systems in April 2017. Affected government agencies, defense contractors, and Fortune 500 companies across more than 12 countries. Used Quasar RAT, PlugX, RedLeaves, and PoisonIvy for persistence within MSP environments.

Operation Soft Cell 2017-2019

Campaign targeting global telecommunications providers, compromising core network infrastructure to enable surveillance of specific individuals of intelligence interest. Documented by Cybereason. Provided APT10 with access to call detail records and metadata for targeted surveillance operations.

Japan Defense & Corporate Targeting 2018-2019

Intensified focus on Japanese defense firms, government departments, and technology companies. Sought information about Tokyo's policy toward North Korean nuclear negotiations and financial intelligence from U.S. firms. Used updated TTPs documented by FireEye, including ChChes malware with HTTP cookie-based C2 communication.

A41APT Campaign 2019-2021+

Sustained espionage campaign targeting Japanese organizations across manufacturing, defense, government, and academia. Attributed to the Earth Tengshe sub-group within the APT10 umbrella. Deployed fileless malware including SodaMaster, P8RAT, FYAnti, and the Ecipekac multi-layered loader. Exploited SSL-VPN vulnerabilities for initial access. Documented by Kaspersky, Trend Micro, and JPCERT/CC.

Cuckoo Spear / LODEINFO Campaigns 2019-2024

Ongoing campaigns by the Earth Kasha/MirrorFace sub-group targeting Japanese government, diplomatic agencies, media, think tanks, and academia. LODEINFO backdoor has undergone 10+ major version updates. NOOPDOOR deployed as secondary backdoor for multi-year persistent access. Tracked by Cybereason under the name Cuckoo Spear.

Earth Kasha Taiwan & Japan Campaign 2025

Newly observed campaign (March 2025) targeting government, political think tanks, and international relations institutions in Taiwan and Japan. Deploys updated ANEL backdoor with Beacon Object File (BOF) in-memory execution and NOOPDOOR enhanced with DNS over HTTPS (DoH) for C2 evasion. Exploits public-facing applications for initial access. Significant geopolitical implications given China-Taiwan-Japan dynamics.

Tools & Malware

Known custom and commodity tools associated with this actor. APT10 has evolved from commodity RATs to sophisticated custom backdoors over nearly two decades of operations.

  • LODEINFO: Custom backdoor used primarily against Japanese targets since 2019, with 10+ major version updates. Features arbitrary shellcode execution, keylogging, screenshots, process termination, and file exfiltration. Delivered via spearphishing with DLL side-loading. Serves as primary backdoor in Earth Kasha campaigns.
  • NOOPDOOR (HiddenFace): Secondary backdoor for long-term persistence, maintaining access within compromised networks for two to three years. Shares code with ANEL Loader. Latest variants support DNS over HTTPS (DoH) via Google and Cloudflare resolvers for C2 evasion. Supports file upload/download, shellcode execution, and program launching.
  • ANEL (UPPERCUT): Backdoor used by Earth Kasha in 2024-2025 campaigns against Taiwan and Japan. Updated version features in-memory Beacon Object File (BOF) execution. Used as first-stage access before NOOPDOOR deployment.
  • SodaMaster (DelfsCake): Fileless backdoor associated with the Earth Tengshe sub-group and A41APT campaign. Operates entirely in memory to evade endpoint detection.
  • Ecipekac: Sophisticated multi-layered loader discovered by Kaspersky in the A41APT campaign. Uses complex loading chains to deliver fileless payloads including P8RAT and SodaMaster.
  • PlugX: Widely shared Chinese APT backdoor used across Cloud Hopper and other campaigns. Features modular architecture for various espionage functions. Delivered via DLL side-loading.
  • QuasarRAT: Open-source remote access trojan used during Cloud Hopper operations. Provides remote desktop, keylogging, file management, and credential harvesting capabilities.
  • RedLeaves: Custom backdoor derived from the open-source Trochilus RAT. Used extensively in Cloud Hopper and related MSP targeting campaigns. Features encrypted C2 communication.
  • PoisonIvy: Legacy RAT used in APT10's earlier campaigns (pre-2016). Provided full remote access capabilities including keylogging, screen capture, and file management.
  • ChChes: Custom backdoor with HTTP cookie-based C2 communication. Used in campaigns targeting Japanese corporations, documented by FireEye in 2018.
  • MirrorStealer: Multi-purpose credential stealer targeting stored credentials in Chrome, Firefox, Edge, IE, Outlook, Thunderbird, Becky, and Live Mail. Used alongside NOOPDOOR in recent campaigns.
  • Cobalt Strike: Commercial adversary simulation tool abused as post-exploitation framework across multiple campaign phases.
  • Mimikatz / pwdump / LaZagne: Credential harvesting tools for LSASS dumping, password extraction, and hash retrieval. Combined with BloodHound for Active Directory reconnaissance.

Indicators of Compromise

Publicly available IOCs from FBI, JPCERT/CC, and security vendor reporting. Verify currency before operational use.

Warning

APT10 actively rotates infrastructure and updates malware. IOCs from Cloud Hopper-era campaigns are largely burned. Prioritize behavioral detection over static IOC matching. Cross-reference with live threat intel feeds before blocking.

Behavioral patterns
  • Technique: DLL side-loading via legitimate signed executables (K7Security Suite, others)
  • Technique: DNS over HTTPS (DoH) C2 via Google/Cloudflare public resolvers
  • Technique: MSBuild.exe execution of XML project files for NOOPDOOR deployment
  • Technique: Windows Sandbox abuse for malware execution (LilimRAT)
  • Credential file: %temp%\31558.TXT (MirrorStealer credential dump output)

Exploited vulnerabilities
  • CVE-2023-28461 (Array AG SSL-VPN)
  • CVE-2023-27997 (Fortinet FortiOS/FortiProxy)
  • CVE-2023-45727 (Proself file storage)
  • CVE-2017-0143 (EternalRomance SMB exploit)

Mitigation & Defense

Recommended defensive measures for organizations in APT10's target profile. Given the group's emphasis on supply chain compromise and living-off-the-land techniques, defenders should prioritize third-party risk management and behavioral detection alongside traditional indicator-based defenses.

  • Audit and harden MSP relationships: Demand evidence of security controls from managed service providers. Restrict MSP access to the minimum required privileges. Monitor MSP administrative sessions for anomalous activity. Implement network segmentation between MSP management planes and production environments. Do not accept blanket assurances regarding Cloud Hopper remediation.
  • Patch SSL-VPN and public-facing appliances: Prioritize patching for Array AG, Fortinet FortiOS, Proself, and Citrix products. Earth Kasha actively exploits these for initial access. Remove or disable unused remote access services. Implement continuous vulnerability scanning for internet-facing infrastructure.
  • Detect DLL side-loading and fileless execution: Monitor for legitimate executables loading DLLs from non-standard paths. Audit for MSBuild.exe executing unexpected XML project files. Alert on Windows Sandbox being enabled on systems where it is not authorized. Implement application whitelisting to restrict unauthorized executable and DLL loading.
  • Monitor for credential theft: Protect LSASS process memory from unauthorized access. Deploy Credential Guard on Windows endpoints. Monitor for Mimikatz, pwdump, LaZagne, and BloodHound execution artifacts. Watch for MirrorStealer output files (%temp%\31558.TXT) and anomalous credential store access patterns.
  • Detect DNS over HTTPS (DoH) C2: Monitor for anomalous HTTPS connections to public DoH resolvers (Google, Cloudflare) from endpoints that should use internal DNS. Implement DNS logging and analysis. Consider blocking or proxying DoH traffic from non-browser processes to detect NOOPDOOR beaconing.
  • Enforce multi-factor authentication: Apply MFA on all external access points, VPN connections, and privileged accounts. APT10 relies heavily on stolen credentials for lateral movement. Implement conditional access policies and monitor for anomalous authentication patterns from MSP infrastructure.
  • Hunt for long-dwell-time persistence: APT10 sub-groups have maintained access within networks for two to three years. Proactively hunt for unusual scheduled tasks, persistent backdoor connections, and Visual Studio Code remote tunnel abuse. Map detection capabilities against MITRE ATT&CK techniques T1199, T1078, and T1574.002.
  • Implement network segmentation and monitoring: Segment sensitive networks to limit lateral movement. Monitor for unusual RDP/VPN logins, PsExec remote execution, and WMI activity. Deploy endpoint detection and response (EDR) with behavioral analytics capable of identifying living-off-the-land tradecraft.

Note

APT10 is tracked as an "umbrella" encompassing at least two sub-groups (Earth Tengshe and Earth Kasha/MirrorFace) that may operate semi-independently. Attribution of specific campaigns to APT10 vs. its sub-groups is an active area of research. Trend Micro notes that Earth Kasha and APT10 may be separate but related entities. The 2018 DOJ indictment and 2024 MITRE ATT&CK Evaluations both use APT10/menuPass as the primary designation for the broader cluster.

Sources & Further Reading

Attribution and references used to build this profile.
