active threat profile
type: Nation-State
threat_level: Critical
status: Active
origin: China — state-sponsored
last_updated: 2026-03-27

APT15 / Ke3chang

also known as: Flea, Nickel, Vixen Panda, Nylon Typhoon, BackdoorDiplomacy, Playful Taurus, Royal APT, Playful Dragon, Bronze Palace, GREF, G0004

One of the longest-running Chinese diplomatic espionage groups — active since at least 2010 and continuously evolving its toolset across three generations of custom backdoors. First publicly identified through Operation Ke3chang in 2014, which compromised European ministries of foreign affairs using Syria crisis lures timed to a G20 summit. The group's Graphican backdoor (2023) represents the third generation of this lineage — upgrading Ketrican's architecture to use Microsoft Graph API and OneDrive for C2 infrastructure retrieval, making its command infrastructure harder to seize and resistant to the kind of domain takedown Microsoft executed against the group in 2021. APT15 is assessed as large, well-resourced, and consistently targeting diplomatic organizations, government agencies, and embassies across Latin America, Europe, North America, and the Middle East.

attributed origin: China — PRC state-sponsored
first observed: 2010 (named via Op. Ke3chang 2014)
primary motivation: Diplomatic and geopolitical intelligence
primary targets: Foreign Ministries, Embassies, Government, Military, NGOs
backdoor generation: Gen 3 — Graphican (2023, Graph API C2)
microsoft seizure: Dec 2021 — 42 domains, 29 countries
mitre att&ck group: G0004
latest confirmed campaign: Late 2022 – Early 2023 (Americas)
threat level: Critical

Overview

APT15 / Ke3chang is one of the most extensively documented Chinese APT groups in the diplomatic espionage category, with a continuous operational record from at least 2010 through confirmed campaigns in 2022–2023. The group's defining characteristic across fifteen years of activity is persistent, iterative tool development: each generation of backdoor maintains core functionality while improving C2 evasion — from hardcoded servers in BS2005, to hardcoded-but-obfuscated servers in Ketrican, to Graph API-retrieved encrypted C2 addresses in Graphican.

FireEye first publicly named the group in a 2014 whitepaper documenting Operation Ke3chang — a campaign from 2013 that compromised European ministries of foreign affairs using Syria crisis-themed spearphishing timed to a G20 summit in Russia at which Syria's civil war was the central agenda item. The precision of the timing — delivering intelligence-relevant lures at the moment when foreign ministries were most actively engaged on the target topic — established the group's pattern of exploiting geopolitical events for access to real-time diplomatic intelligence.

Microsoft's Digital Crimes Unit executed a significant infrastructure seizure in December 2021, obtaining a court order to redirect 42 domains used by the group (tracked internally as NICKEL) across attacks targeting organizations in 29 countries across Latin America and Europe. The seizure disrupted active intrusions and forced the group to rebuild C2 infrastructure. Within a year, APT15 had returned with Graphican — a redesigned backdoor whose C2 retrieval through Microsoft Graph API and OneDrive is specifically resistant to the domain-seizure approach Microsoft used in 2021. The 2022–2023 campaign targeting foreign affairs ministries in Central and South America was documented by Symantec in June 2023.

graph api c2 evasion — direct response to 2021 microsoft seizure

Graphican's use of Microsoft Graph API and OneDrive to retrieve encrypted C2 server addresses is a direct architectural response to Microsoft's 2021 domain seizure. By eliminating hardcoded C2 domains — the precise mechanism Microsoft's court order targeted — Graphican's C2 infrastructure becomes legally and technically much harder to seize. The C2 address is stored encrypted in a OneDrive folder and retrieved at runtime; there is no domain in the binary to seize. The same technique has been observed in APT28's Graphite malware, confirming that Graph API-based C2 is becoming an established APT evasion pattern across state-sponsored groups.

Backdoor Lineage — Three Generations

One of the clearest toolchain evolution stories in Chinese APT threat intelligence. Each generation maintains core backdoor functionality while upgrading C2 evasion and detection resilience.

Generation 1: BS2005 / Mirage / TidePool (2010–2016)

BS2005 is the oldest documented Ke3chang backdoor, used in Operation Ke3chang's 2013 European foreign ministry attacks and active from approximately 2010. Written in C++. Provides basic remote access: command execution, file upload/download, screenshot capture. Communicates via hardcoded C2 servers embedded in the binary. Mirage is a related RAT sharing code with BS2005, BMW, and MyWeb. TidePool (documented by Palo Alto in 2016) is an evolution of BS2005 used against Indian embassy personnel worldwide — steganography was used in TidePool variants to hide payloads inside PNG images. FireEye noted in their 2014 report that samples contained the string "ungeilivable" — Chinese internet slang meaning "dull" or "not cool" — pointing to a Chinese-speaking development team.

Generation 2: Ketrican / RoyalCLI / RoyalDNS / Okrum / MirageFox (2015–2022)

Ketrican (tracked by ESET as a successor to BS2005) was active from at least 2015, with new variants detected through 2022. RoyalCLI and RoyalDNS — documented by NCC Group in 2018 after a UK government service provider compromise — are backdoors with BS2005 code similarities; RoyalDNS uses DNS for C2 traffic. Okrum (discovered by ESET in 2016) targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and Brazil using steganography to embed payloads in PNG images. MirageFox (Intezer, 2018) is an upgraded Mirage RAT connected to the US Navy contractor breach — where 614GB of material related to the "Sea Dragon" submarine project was stolen. This generation saw hardcoded C2 servers, C2 obfuscation in HTTP headers and DNS traffic, and steganography for payload concealment. Graphican (2023) still deployed some Ketrican variants alongside it, indicating the generation 2 toolchain was maintained in parallel.

Generation 3: Graphican — Microsoft Graph API C2 (2022–present)

Graphican retains Ketrican's core functionality — interactive command line, file creation and download, process spawning — but replaces the hardcoded C2 mechanism with Microsoft Graph API retrieval. The backdoor disables Internet Explorer's first-run wizard via registry modification, establishes internet access through a global IWebBrowser2 COM object, authenticates with the Microsoft Graph API, and retrieves an encrypted C2 address from a named folder ("Person") in OneDrive. A unique Bot ID is generated from system parameters and registered with the retrieved C2 server. From there it polls for commands. The architecture eliminates hardcoded domains from the binary — making the 2021 Microsoft domain-seizure approach inapplicable — and routes initial C2 retrieval through Microsoft's own cloud infrastructure.

Target Profile

APT15's targeting is tightly focused on diplomatic intelligence collection — foreign ministries, embassies, and diplomatic missions are the consistent priority across all documented campaign generations. The group has also reached into military, defense, and energy sectors when PRC intelligence interests required it.

  • Foreign ministries and embassies (global): The foundational target category established in Operation Ke3chang and maintained through the 2022–2023 Graphican campaign. European foreign ministries in 2013, Indian embassies worldwide in 2016, diplomatic missions in Slovakia and South America in 2017–2019, and Central and South American foreign ministries in 2022–2023 are all confirmed campaigns against diplomatic targets. Symantec noted in 2023 that the Americas "seem to have become more of a focus for the group recently."
  • Government agencies (29 countries, 2021): Microsoft's December 2021 seizure documented ongoing intrusions targeting government organizations across 29 countries simultaneously — including Latin American and European government agencies beyond pure foreign ministry targets. The breadth suggests both espionage and positioning for broader intelligence collection on PRC foreign policy priorities.
  • Defense and military contractors: The 2018 US Navy contractor breach — attributed to APT15 via MirageFox — resulted in the theft of 614GB of classified material related to the Sea Dragon submarine project, including submarine radio room information, sensors, and library of critical characteristics. Defense contractor targeting reflects the group's dual mandate: diplomatic intelligence and acquisition of military technology aligned with PRC modernization priorities.
  • NGOs and think tanks: Human rights organizations and policy research bodies are documented targets — consistent with Chinese intelligence interest in monitoring organizations that publish on Taiwan, Tibet, Hong Kong, Xinjiang, or China-related foreign policy.
  • Energy and manufacturing: Early FireEye research documented APT15 targeting the aerospace, energy, chemicals/manufacturing/mining sectors — suggesting the group has been tasked against IP theft targets aligned with Made in China 2025 industrial priorities alongside its diplomatic collection mandate.
  • Uyghur population surveillance: Following the 2021 Microsoft seizure, APT15 returned with a campaign specifically targeting Uyghur populations using spyware — including the Android spyware families SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle, as well as BadBazaar. This population-surveillance mission reflects the group's willingness to conduct domestic-adjacent intelligence operations beyond its primary foreign diplomatic focus.

Tactics, Techniques & Procedures

APT15's TTPs blend spearphishing-based initial access with custom backdoor deployment and living-off-the-land post-exploitation. The Graphican campaign's use of over a dozen tools — mostly commodity and living-off-the-land, with Graphican as the sole custom tool — reflects a deliberate efficiency philosophy documented by security researchers analyzing the group.

MITRE ATT&CK mapping (ID, technique, description):

  • T1566.001 Spearphishing — Geopolitical Event Lures: The group's primary initial access method across all documented campaign generations. Lures are timed to geopolitical events relevant to target organizations: the 2013 Syria G20 campaign used Syria crisis briefings distributed to European foreign ministry staff; subsequent campaigns used lures relevant to target diplomatic communities. Lure quality is consistently high — the group invests in social engineering accuracy over technical sophistication for initial access.
  • T1190 Exploit Public-Facing Applications: Beyond phishing, APT15 exploits vulnerabilities in public-facing applications for initial access — documented exploits include CVE-2020-1472 (Zerologon — CVSS 10.0 privilege escalation in Windows Netlogon), Microsoft Exchange vulnerabilities, and Pulse Secure VPN. The 2022–2023 Graphican campaign used the three-year-old Zerologon vulnerability alongside fresh tooling, consistent with the group's pattern of deploying proven exploits rather than zero-days.
  • T1071.001 C2 — Microsoft Graph API (Graphican): Graphican retrieves its C2 server address from a OneDrive folder via Microsoft Graph API at runtime, eliminating hardcoded domains from the binary. The backdoor authenticates to Graph API, reads an encrypted value from the "Person" OneDrive folder, decrypts it to obtain the C2 server address, and registers the Bot ID. All initial C2 infrastructure retrieval routes through Microsoft's own cloud — making domain-based C2 detection and seizure inapplicable. The same technique was observed in APT28's Graphite malware.
  • T1027.001 Steganography — PNG Payload Concealment: Documented in TidePool (2016) and Okrum (2019) campaigns. Malicious payloads are concealed within PNG image files, bypassing security tools that inspect file content based on extension or header rather than parsing all binary data for executable content. Okrum used a PNG image as a loader stage before dropping the actual backdoor — the legitimate-appearing image file served as a carrier for encrypted malicious code.
  • T1071.004 DNS C2 — RoyalDNS: RoyalDNS routes C2 communications through DNS queries — a technique that bypasses HTTP/HTTPS traffic inspection and can blend with legitimate DNS traffic in network monitoring. DNS-based C2 is particularly effective in environments where outbound HTTP(S) from servers is restricted but DNS is unrestricted for operational reasons. Used in the 2017 UK government service provider compromise alongside RoyalCLI.
  • T1547.001 Registry Modification — IE Persistence and C2: Graphican modifies registry keys to disable Internet Explorer's first-run wizard and welcome page — specifically to enable use of the IE COM object (IWebBrowser2) for Graph API communications without triggering IE's interactive setup. This registry manipulation is a behavioral indicator for Graphican deployment distinct from the malware's network activity.
  • T1505.003 Web Shells — Exchange Server Access: The 2022–2023 Graphican campaign deployed multiple web shells against Microsoft Exchange servers — AntSword, China Chopper, and two additional undisclosed variants were documented by Symantec. An updated EWSTEW backdoor was also used to exfiltrate emails directly from Exchange server mailboxes. Web shell deployment on Exchange provides persistent access that survives endpoint cleanup of the initial access payload.
  • T1098 Credential Dumping — Mimikatz: Mimikatz and two variants were deployed in the 2022–2023 Graphican campaign for credential harvesting from LSASS and Windows credential stores. This is standard post-compromise credential collection enabling lateral movement to additional systems within target networks. Multiple Mimikatz variants suggest the group maintains updated versions to address detection signatures for the standard build.
  • T1562.001 Living-Off-the-Land — Minimal Custom Tooling: Across the 2022–2023 campaign, Graphican was the only custom tool — the remainder of the toolkit consisted of commodity tools (Mimikatz, web shells), legitimate administrative utilities, and Windows built-in commands. This approach reduces the forensic footprint of custom malware artifacts and leverages tools that may already have legitimate explanations if discovered. Symantec researchers noted that APT15's similar functionality across tool generations suggests the group continues using proven tools until they stop working rather than investing in novel development.
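The PNG carrier technique described under T1027.001 is the case a gateway has to catch by parsing the image itself rather than trusting the extension or magic bytes. The checker below is an added example written for this profile; it is not code from the profile or from the ESET or Palo Alto reports it cites. It walks the PNG chunk list, verifies each chunk's CRC, and flags three common carrier patterns: bytes appended after the IEND chunk, chunk types outside the PNG specification, and oversized ancillary chunks. The threshold (`max_ancillary`) and the sample images are constructed for the example.

```python
"""
Added example (not from the profile or from the ESET / Palo Alto reports it
cites): a structural PNG checker of the kind a mail or web gateway can run on
every image regardless of its extension. It walks the chunk list, verifies
each chunk's CRC and flags three carrier patterns: bytes appended after IEND,
chunk types outside the PNG specification, and oversized ancillary chunks.
The PNGs it is run on are constructed in memory; no real sample is used.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (critical + standard ancillary).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA",
    b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"tIME", b"bKGD", b"tRNS", b"sBIT",
    b"hIST", b"sPLT",
}
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def _chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height, extra_chunks=(), trailer=b""):
    """Constructed input: a minimal 8-bit RGB black image, optionally with
    extra chunks before IDAT and/or arbitrary bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = None) per scanline followed by width*3 zero bytes.
    raw = (b"\x00" + b"\x00" * (3 * width)) * height
    body = _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    body += _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
    return PNG_SIG + body + trailer


def inspect_png(data, max_ancillary=4096):
    """Return a list of findings; an empty list means nothing structurally odd."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["not a PNG (bad signature)"]
    pos = len(PNG_SIG)
    saw_iend = False
    while pos + 8 <= len(data) and not saw_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 8-byte header + data + 4-byte CRC
        if end > len(data):
            findings.append(f"truncated chunk {ctype!r}")
            return findings
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if stored_crc != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in chunk {ctype!r}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {ctype!r} ({length} bytes)")
        elif ctype not in CRITICAL and length > max_ancillary:
            findings.append(f"oversized ancillary chunk {ctype!r} ({length} bytes)")
        saw_iend = ctype == b"IEND"
        pos = end
    if not saw_iend:
        findings.append("no IEND chunk")
    elif pos < len(data):
        findings.append(f"{len(data) - pos} bytes of trailing data after IEND")
    return findings


if __name__ == "__main__":
    samples = {
        "clean": build_png(4, 4),
        "appended": build_png(4, 4, trailer=b"\x00" * 600),
        "private chunk": build_png(4, 4, extra_chunks=[(b"pRIV", b"\x00" * 300)]),
    }
    for name, png in samples.items():
        print(f"{name}: {inspect_png(png) or 'no findings'}")
```

A finding is a reason to route the file to sandbox analysis, not proof of a payload: legitimate tools do append metadata after IEND and do emit private chunks, so the check belongs in front of deeper inspection rather than as a blocking rule on its own.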

Known Campaigns

Selected high-significance operations across APT15's documented 15-year operational history, illustrating the consistent diplomatic targeting focus and continuous tool evolution.

Operation Ke3chang — European Foreign Ministries (2013–2014)

The campaign that gave the group its public name. FireEye documented "Operation moviestar" (internal campaign name) — a series of Syria crisis-themed spearphishing attacks targeting European ministries of foreign affairs beginning in August 2013, timed precisely to a G20 summit in Russia where Syria's civil war was the primary diplomatic agenda item. The lures impersonated Syria crisis briefings and diplomatic correspondence of immediate relevance to MFA staff. The BS2005 backdoor — deployed via spearphishing — provided persistent access to foreign ministry networks. FireEye accessed just one of 23 identified C2 servers managing the campaign, suggesting broader reach than the confirmed victim set. Chinese government officials formally responded to the FireEye report within 24 hours of its release — an unusual rapidity of official reaction to a public attribution report that itself attracted intelligence community attention.

Operation Ke3chang Resurfaces — Indian Embassies Worldwide (2016)

Palo Alto Networks documented a resurfacing of Operation Ke3chang activity using TidePool — an evolved BS2005 variant — against Indian embassy personnel worldwide. The campaign used PNG steganography to conceal payloads and targeted embassy staff across multiple countries simultaneously. The India focus is consistent with PRC intelligence collection priorities around Sino-Indian relations, border disputes, and India's diplomatic positioning on issues including Tibet and the South China Sea. The campaign confirmed that, more than two years after public attribution, the group had not ceased operations but had simply maintained lower visibility while updating its toolset.

UK Government Service Provider Compromise (2016–2017)

NCC Group documented a compromise of a company providing services to the UK Government — providing access to sensitive documents related to military technology and government departments. The attackers deployed two previously undocumented backdoors: RoyalCLI (a successor to BS2005 with encrypted command-line capability) and RoyalDNS (a DNS-based C2 backdoor). The UK supplier compromise demonstrated the group's willingness to target defense supply chain organizations as a vector for accessing government intelligence data without directly attacking government networks.

US Navy Contractor — Sea Dragon Project Data Theft (2018)

Researchers linked APT15 via MirageFox — an upgraded version of the Mirage RAT with BS2005 code lineage — to the theft of 614GB of material from a US Navy contractor. The stolen data included classified material related to the Sea Dragon submarine project: submarine radio room information, sensor data, and library of critical characteristics relevant to undersea warfare capability. The intrusion was assessed as directly serving China's military submarine modernization program. Attribution via MirageFox's code lineage to BS2005 was the primary analytical basis connecting this breach to APT15's operational history.

Okrum — Diplomatic Missions in Slovakia and South America (2016–2019)

ESET documented a multi-year campaign deploying the Okrum backdoor — a previously unknown malware family with strong code ties to BS2005 and TidePool — against diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and Brazil from 2016 through 2019. The same victim organizations targeted by Ketrican 2015 backdoors were subsequently hit by Okrum, which was then used to drop freshly compiled 2017 Ketrican variants — demonstrating deliberate victim re-compromise with successive tool generations. Okrum used a PNG image as a loader carrier, embedding the encrypted backdoor within the image to evade content inspection.

NICKEL — 29-Country Government Targeting (2019–2021)

Microsoft's December 2021 report documenting the NICKEL (APT15) infrastructure seizure detailed an ongoing campaign targeting government organizations across 29 countries in Latin America and Europe. Microsoft obtained a US court order to redirect 42 NICKEL-operated domains — disrupting active intrusions and cutting the group's C2 links mid-operation. The breadth of the operation — government agencies across 29 countries simultaneously — reflected APT15's large, well-resourced operational capacity. The seizure disrupted active operations but did not permanently degrade the group's capability; Graphican emerged within a year with infrastructure designed to resist the seizure approach.

Graphican — Americas Foreign Ministries (2022–2023)

Symantec documented a Flea (APT15) campaign from late 2022 to early 2023 targeting foreign affairs ministries in Central and South American countries, with additional victims including a government finance department, a corporation, and an unknown European entity. The campaign introduced Graphican — the third-generation backdoor using Microsoft Graph API and OneDrive for encrypted C2 retrieval — alongside an updated EWSTEW Exchange backdoor for email exfiltration. The group deployed over a dozen tools: Graphican and EWSTEW as custom tools, with Mimikatz variants, web shells (AntSword, China Chopper), and Zerologon exploitation rounding out the toolkit. Symantec noted that the focus on the Americas appeared to represent an expanded geographic priority relative to the group's historical European and Asian focus.

Tools & Malware

APT15 maintains one of the most extensively catalogued malware lineages in Chinese APT threat intelligence — a continuous chain of custom backdoor development from BS2005 through Graphican spanning over 15 years, supplemented by Android spyware families for mobile surveillance.

  • Graphican (Gen 3, 2022–present): Third-generation backdoor retrieving encrypted C2 from Microsoft OneDrive via Graph API. Capabilities: interactive command line, file creation and download, process spawning with hidden windows, system fingerprinting (hostname, IP, Windows version, language). Bot ID generated from system parameters. Disables IE first-run wizard via registry before using IWebBrowser2 COM object for Graph API authentication.
  • Ketrican / Ketrum (Gen 2, 2015–2022): ESET-tracked evolution of BS2005 with hardcoded-but-obfuscated C2 servers. Multiple versions tracked from 2015 through 2022, with 2017 and later variants compiled fresh for specific victims. Maintained and updated in parallel with Graphican during the 2022–2023 campaign.
  • RoyalCLI / RoyalDNS (Gen 2 variant): NCC Group-documented backdoor pair from the UK government service provider compromise. RoyalCLI provides encrypted command-line C2; RoyalDNS routes C2 through DNS queries — a channel that bypasses HTTP inspection on restricted networks.
  • Okrum (Gen 2 variant): ESET-documented backdoor using PNG steganography for payload delivery. Used to re-compromise previously identified diplomatic mission victims, then drop fresh Ketrican variants. Provides standard backdoor access: command execution, file operations, persistence via registry or services.
  • MirageFox (Gen 2 variant): Upgraded Mirage RAT with code sharing between Mirage, BS2005, BMW, and MyWeb. Linked to the 2018 US Navy Sea Dragon contractor breach via code lineage analysis.
  • BS2005 / Mirage / TidePool (Gen 1): The foundational malware generation. BS2005 is a C++ backdoor with basic remote access; Mirage and MyWeb share code with BS2005. TidePool evolved from BS2005 for the 2016 Indian embassy campaign, adding PNG steganography. The BS2005 string "ungeilivable" (Chinese internet slang) was present in multiple samples, providing developer-language attribution confirmation.
  • EWSTEW — Exchange Email Exfiltration: A backdoor targeting Microsoft Exchange server mailboxes for direct email exfiltration. An updated variant was deployed in the 2022–2023 Graphican campaign alongside web shells (AntSword, China Chopper) to ensure persistent Exchange server access for email collection alongside system-level backdoor access.
  • Android spyware — SilkBean, DoubleAgent, CarbonSteal, GoldenEagle, BadBazaar: Mobile surveillance tools deployed against Uyghur populations. These tools provide call interception, SMS collection, location tracking, microphone access, and messaging application data theft from Android devices — enabling population-level surveillance of diaspora communities.

Indicators of Compromise

Behavioral and structural IOCs from the Graphican campaign (2022–2023). Network IOCs from the 2021 Microsoft seizure are stale — new infrastructure was stood up post-seizure specifically to avoid domain-based detection.

warning — graphican c2 not domain-based

Graphican eliminates hardcoded C2 domains. Traditional domain blocklist-based detection does not apply to the C2 retrieval mechanism. Behavioral detection — specifically Graph API authentication from unexpected processes and the registry modifications below — is the appropriate detection approach for active Graphican infections. Consult MITRE ATT&CK G0004 for the full documented IOC corpus across all campaign generations.

indicators of compromise — graphican (2022–2023), behavioral

  • registry: HKCU\Software\Microsoft\Internet Explorer\Main — "DisableFirstRunCustomize" set — IE wizard suppression
  • registry: HKCU\Software\Microsoft\Internet Explorer\Main — "RunOnceComplete" set — IE welcome page bypass
  • behavior: Microsoft Graph API authentication (graph.microsoft.com) from non-browser, non-Office processes
  • behavior: OneDrive "Person" folder enumeration by a non-OneDrive process
  • behavior: IWebBrowser2 COM object instantiation by non-browser processes — C2 retrieval mechanism
  • webshell: AntSword, China Chopper deployed on Exchange servers — persistent web access post-compromise
  • vulnerability: CVE-2020-1472 (Zerologon) — CVSS 10.0 — deployed in the 2022–2023 campaign despite being three years old
  • historical: "ungeilivable" string — present in Gen 1 BS2005/Mirage samples (Chinese internet slang, developer artifact)

Mitigation & Defense

Defending against APT15 requires controls tuned to both the diplomatic-focused spearphishing initial access and the Graph API-based C2 evasion that Graphican introduced to defeat the 2021 Microsoft seizure approach.

  • Graph API process monitoring: Alert on Microsoft Graph API authentication calls from any process that is not a legitimate Microsoft Office application, the OneDrive sync client, or a sanctioned enterprise app registered in your Azure AD tenant. Graphican's IWebBrowser2-based Graph API authentication from a non-browser process is detectable as an anomalous OAuth token request. Baseline which processes legitimately authenticate to Graph API in your environment, then alert on deviations.
  • OneDrive folder access monitoring: Alert on enumeration of OneDrive folder contents by non-OneDrive processes, particularly reads from named folders. Graphican's "Person" folder read is a specific behavioral indicator, but any unexpected process accessing OneDrive file system representations should be investigated.
  • Internet Explorer registry modification monitoring: DisableFirstRunCustomize and RunOnceComplete registry key modifications by non-IE-installer processes are strong Graphican behavioral indicators. IE is deprecated in modern Windows environments — unexpected IE registry modifications from arbitrary processes are high-fidelity alerts.
  • Exchange Server hardening and web shell detection: APT15 has consistently targeted Exchange servers with web shells and the EWSTEW email exfiltration backdoor. Enable Exchange server integrity monitoring. Alert on new ASPX, ASHX, or PHP files created in Exchange-served directories. Apply Exchange patches immediately — the group has exploited ProxyLogon and ProxyShell in other campaigns in this category.
  • Patch Zerologon immediately — no exceptions: The 2022–2023 campaign exploited CVE-2020-1472 (Zerologon) — a vulnerability patched in August 2020 with a CVSS score of 10.0. Any domain controller running an unpatched Windows Server version is vulnerable to domain administrator takeover. Treat this as a baseline condition to eliminate, not as one item in a prioritized patch queue.
  • Geopolitical lure awareness training for foreign ministry staff: APT15's spearphishing lures are timed to geopolitical events of direct relevance to target ministry staff — making them highly credible. Security awareness training for diplomatic staff must address the specific pattern of lures arriving during high-interest periods: summit attendance windows, crisis briefing cycles, treaty negotiation phases. Elevated phishing alert posture should be standard practice around major multilateral events.
  • PNG and image file inspection: TidePool and Okrum embedded malicious payloads in PNG images. Configure email and web gateway sandbox analysis to extract and analyze embedded binary content from image files regardless of file extension. Static image display in email clients does not confirm image file safety.
  • DNS traffic analysis for RoyalDNS-pattern detection: DNS-based C2 (RoyalDNS-pattern) can be detected by monitoring for high-volume DNS queries with unusual query patterns: abnormal query type distribution (high TXT or NULL), high-entropy subdomain strings, or query patterns from servers that do not typically generate external DNS. DNS logging is a prerequisite — organizations without comprehensive DNS query logging cannot detect DNS-based C2.
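The Graph API, OneDrive folder, and IE registry indicators listed above and the DNS heuristics in the last bullet reduce to a handful of rules over endpoint and resolver telemetry. The following is an added example written for this profile, not code from the profile, Symantec, or Microsoft: it runs those rules over constructed Sysmon-style host events and DNS query records. The event field names, process allowlists, thresholds and every sample value (including the placeholder image name `suspect.exe` and the `example.test` domain) are assumptions made for the example, not published indicators.

```python
"""
Added example (not from the profile, Symantec, or Microsoft): a detection pass
over constructed host and DNS telemetry encoding the Graphican behavioral
indicators and the RoyalDNS-pattern DNS heuristics. Allowlists, thresholds
and sample values are assumptions for the example; baseline them locally.
"""
import math
from collections import defaultdict

# Assumed baselines of processes that legitimately show each behavior.
GRAPH_ALLOWLIST = {"outlook.exe", "onedrive.exe", "teams.exe", "winword.exe",
                   "excel.exe", "msedge.exe"}
IE_SETUP_ALLOWLIST = {"iexplore.exe", "ie4uinit.exe", "msiexec.exe"}
ONEDRIVE_ALLOWLIST = {"onedrive.exe", "explorer.exe"}
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
IE_MAIN_KEY = "\\software\\microsoft\\internet explorer\\main"
IE_SUPPRESS_VALUES = {"disablefirstruncustomize", "runoncecomplete"}


def _image(event):
    """Lower-cased executable name from a full image path."""
    return event["process"].rsplit("\\", 1)[-1].lower()


def detect_host_events(events):
    """Return (rule, image, detail) for every host event matching an indicator."""
    hits = []
    for ev in events:
        img = _image(ev)
        if ev["type"] == "network":
            if ev["dest"].lower() in GRAPH_HOSTS and img not in GRAPH_ALLOWLIST:
                hits.append(("graph_api_unexpected_process", img, ev["dest"]))
        elif ev["type"] == "registry":
            if (ev["key"].lower().endswith(IE_MAIN_KEY)
                    and ev["value"].lower() in IE_SUPPRESS_VALUES
                    and img not in IE_SETUP_ALLOWLIST):
                hits.append(("ie_firstrun_suppression", img, ev["value"]))
        elif ev["type"] == "file":
            if "\\onedrive\\person\\" in ev["path"].lower() and img not in ONEDRIVE_ALLOWLIST:
                hits.append(("onedrive_person_folder_read", img, ev["path"]))
    return hits


def shannon_entropy(label):
    """Bits per character of a DNS label: encoded data scores high, words low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_dns_tunneling(dns_events, min_queries=8, min_txt_ratio=0.5, min_entropy=3.5):
    """Per source: enough queries, mostly TXT/NULL, with high-entropy leftmost labels.
    Returns (src, query_count, txt_ratio, mean_entropy) for each flagged source."""
    per_src = defaultdict(list)
    for ev in dns_events:
        per_src[ev["src"]].append(ev)
    hits = []
    for src, evs in per_src.items():
        if len(evs) < min_queries:
            continue
        ratio = sum(e["qtype"] in ("TXT", "NULL") for e in evs) / len(evs)
        entropy = sum(shannon_entropy(e["qname"].split(".")[0]) for e in evs) / len(evs)
        if ratio >= min_txt_ratio and entropy >= min_entropy:
            hits.append((src, len(evs), round(ratio, 2), round(entropy, 2)))
    return hits


# Constructed telemetry; "suspect.exe" is a placeholder, not a known file name.
SUSPECT = "C:\\Users\\Public\\suspect.exe"
IE_MAIN = "HKCU\\Software\\Microsoft\\Internet Explorer\\Main"
HOST_EVENTS = [
    {"type": "network", "process": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "dest": "graph.microsoft.com"},
    {"type": "network", "process": SUSPECT, "dest": "graph.microsoft.com"},
    {"type": "registry", "process": SUSPECT, "key": IE_MAIN, "value": "DisableFirstRunCustomize"},
    {"type": "registry", "process": "C:\\Windows\\System32\\ie4uinit.exe", "key": IE_MAIN,
     "value": "RunOnceComplete"},
    {"type": "file", "process": SUSPECT, "path": "C:\\Users\\alice\\OneDrive\\Person\\c2.bin"},
    {"type": "file", "process": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\alice\\OneDrive\\Person\\notes.txt"},
]
_LABEL = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"  # constructed high-entropy label
DNS_EVENTS = (
    [{"src": "10.0.0.5", "qtype": "TXT", "qname": f"{_LABEL[i:] + _LABEL[:i]}.example.test"}
     for i in range(10)]
    + [{"src": "10.0.0.9", "qtype": "A", "qname": "www.example.test"} for _ in range(10)]
)

if __name__ == "__main__":
    for hit in detect_host_events(HOST_EVENTS):
        print("HOST", hit)
    for hit in detect_dns_tunneling(DNS_EVENTS):
        print("DNS ", hit)
```

Run on the sample data, the host pass fires three times for the placeholder process (Graph API connection, DisableFirstRunCustomize write, OneDrive "Person" read) and stays silent for Outlook, ie4uinit.exe and explorer.exe; the DNS pass flags only the source issuing high-entropy TXT queries. The allowlists are the part that needs real baselining: the Graph API rule in particular is only as good as your inventory of processes that legitimately hold Microsoft OAuth tokens.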

analyst note

APT15's 15+ year documented continuity makes it one of the most reliable case studies in APT tool evolution strategy. The progression from BS2005 to Ketrican to Graphican illustrates a deliberate philosophy: maintain core functionality while iteratively upgrading the one component that law enforcement most recently used to disrupt operations. After Microsoft's 2021 domain seizure, the group specifically redesigned its C2 retrieval to eliminate the domain artifact that made seizure possible. Symantec researchers' observation that "the similarities in functionality between Graphican and Ketrican may indicate that the group is not very concerned about having activity attributed to it" is a reasonable read — but the Graph API evasion is also consistent with a security-engineering mindset focused on defender-proofing C2 rather than denying attribution. The group's willingness to use three-year-old exploits (Zerologon) alongside new custom backdoors also reflects the "efficiency over novelty" philosophy documented across Chinese APT operations: proven techniques are reused until they stop working.

Sources & Further Reading

Attribution and references used to build this profile.
