type: Nation-State
threat level: High
status: Active
origin: China — East Asia espionage
last updated: 2026-03-27

APT16

mitre id: G0023 · OpTaiwan (informal) · disclosed: FireEye, Dec 2015 · tracked since: at least 2012

A China-attributed espionage group with an unusually narrow geographic and sectoral focus — targeting exclusively Japanese and Taiwanese organizations in media, government, high-tech, and financial services since at least 2012. APT16 is notable for the precision of its social engineering: lure documents are calibrated to the specific geopolitical moments that make a target organization most likely to open an attachment, including Taiwan's 2016 presidential election cycle, cultural forum invitations with authentic-sounding names, and DPP (Democratic Progressive Party) contact information updates sent to journalists covering Taiwanese politics. FireEye publicly attributed APT16 in December 2015 based on its use of the known APT16 domain rinpocheinfo[.]com and exploitation of a Microsoft EPS use-after-free vulnerability — deploying a two-stage chain of the IRONHALO downloader and the ELMER backdoor.

sponsor: China — state-sponsored (FireEye assessment)
mitre id: G0023
first attributed activity: at least 2012 — publicly disclosed Dec 2015
geographic focus: Japan and Taiwan only — no documented targets elsewhere
sector focus: media, government, high-tech, financial services
primary malware: IRONHALO (downloader) + ELMER (backdoor); DOORJAMB (secondary)
exploit chain (2015): EPS dict copy UAF (patched silently Nov 2015) + CVE-2015-1701 privilege escalation
known c2 domain: news.rinpocheinfo[.]com — ELMER C2 over port 443
intel collection purpose: political decision-making intelligence, media source identification, cross-strait relations, technology IP

Overview

APT16 represents the more targeted, geopolitically focused end of China's APT ecosystem — a group with a narrow mandate rather than the broad industrial espionage or volume-driven intrusion campaigns associated with larger Chinese APT clusters. FireEye's public attribution in December 2015 placed APT16 within a cluster of China-based activity that also included a suspected separate group operating in Hong Kong, suggesting that China's cyber tasking architecture allocates geographic responsibility by region — with APT16 specifically responsible for Japan and Taiwan intelligence collection.

The political intelligence value of APT16's documented targets is analytically legible. Taiwanese media organizations hold information on journalist sources in China who could be silenced if identified — a pattern the New York Times documented in 2013 when it revealed it had been targeted by China-based actors after reporting on Prime Minister Wen Jiabao's wealth. Democratic Progressive Party contact information provides Beijing with insight into the political network of a party that favors Taiwanese independence over reunification — intelligence directly useful for anticipating election outcomes and monitoring political activists. A Taiwanese government agency's auction registration documents, while apparently mundane, represent access to a government network that can be pivoted from for deeper intelligence collection.

The timing of APT16's most documented campaign — November 26 to December 1, 2015, with related activity in June and August 2015 — is directly correlated with Taiwan's January 16, 2016 presidential election. The DPP candidate Tsai Ing-wen was leading in polls and widely expected to win, which would represent a significant shift away from the ruling Kuomintang's closer ties with the PRC. For Beijing, the election represented a political transition requiring comprehensive intelligence on Taiwanese political dynamics — making this precisely the period when collection tasking against Taiwanese media and political organizations would be most actively pursued.

APT16's exploitation of the EPS vulnerability chain in the November–December 2015 campaign is analytically notable because the same silently patched vulnerability (the EPS dict copy use-after-free, similar to CVE-2015-2545) was used by multiple China-based APT groups at the same time. Kaspersky's Securelist documented APT16 as one of four groups using CVE-2015-2545 EPS exploit variants in overlapping timeframes — alongside Platinum, EvilPost, and Danti — suggesting either shared exploit code or coordinated tasking across multiple Chinese APT operators against the same priority geographic targets.

Malware Families — Three-Stage Toolkit

APT16's malware toolkit is modest in size but purpose-built for the group's intelligence collection mission: initial delivery and foothold establishment, persistent remote access, and secondary reconnaissance.

Stage 1 — Downloader: IRONHALO
FireEye detection: Trojan.IRONHALO.Downloader

The first-stage downloader deployed by the EPS exploit chain in the November–December 2015 campaign. After the EPS use-after-free vulnerability and CVE-2015-1701 privilege escalation chain succeeds, IRONHALO is dropped and executed. Its role is to fetch the second-stage payload — the ELMER backdoor — from attacker-controlled infrastructure, typically compromised legitimate websites rather than purpose-built attack servers. The use of compromised legitimate sites for second-stage payload hosting reduces the detectability of C2 traffic by routing it through domains with existing clean reputation scores.

Stage 2 — Backdoor: ELMER
FireEye detection: Backdoor.APT.Suroot

The primary APT16 backdoor providing persistent remote access, command execution, file access, and data exfiltration capability. ELMER communicates over HTTP/HTTPS with encryption or protocol obfuscation. Two ELMER variants were identified in the December 2015 campaign: one beaconing to a hardcoded C2 IP address (121.127.249.74) over port 443, and one beaconing to the known APT16 domain news.rinpocheinfo[.]com over port 443. Both variants used the hardcoded User-Agent string "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)" — a static fingerprint that persists across variants and enables network-layer detection. The rinpocheinfo[.]com domain provided the definitive attribution link to APT16.

Secondary Implant: DOORJAMB
Used in: June 2015 Taiwan Security Forum campaign

A secondary implant used in at least one documented APT16 campaign — the June 2015 spear-phishing attack using the lure "2015 Taiwan Security and Cultural Forum Invitation Form" (2015台灣安全文化論壇邀請函). DOORJAMB serves reconnaissance and access purposes and was used in this campaign instead of the ELMER backdoor, suggesting APT16 maintains multiple deployment-ready tools and selects between them based on campaign requirements. Its use in the June 2015 operation against the same media organization targeted in December 2015 (six months later, using the ELMER backdoor) suggests sustained operational interest in specific victim organizations.

Key Operations

Taiwan Security Forum Lure — Media Organization Targeting (Jun 2015)

APT16 sent spear-phishing messages to a Taiwanese media organization with the subject line "2015 Taiwan Security and Cultural Forum Invitation Form" (2015台灣安全文化論壇邀請函) — a plausible invitation to a security and cultural event that a media organization covering Taiwanese affairs would reasonably investigate. DOORJAMB was deployed in this campaign. The same media organization's Hong Kong branch was targeted in August 2015 by a different group (admin@338, using LOWBALL malware), suggesting coordinated or deconflicted targeting of the same organization's Taiwan and Hong Kong operations by different Chinese APT groups.

EPS Exploit Chain — Taiwan Election Pre-Positioning (Nov 26 – Dec 1, 2015)

The most technically documented APT16 campaign, publicly disclosed by FireEye on December 20, 2015. Between November 26 and December 1, APT16 and suspected related China-based groups launched coordinated spear-phishing attacks against Japanese and Taiwanese organizations in high-tech, government, media, and financial services. Malicious Word documents exploited the EPS dict copy use-after-free vulnerability (silently patched by Microsoft on November 10, 2015 — just sixteen days before the attacks began) and the CVE-2015-1701 Windows kernel privilege escalation, delivering either IRONHALO or ELMER. APT16 specifically sent emails to two Taiwanese media organization addresses and three webmail addresses with the subject "DPP's Contact Information Update" — targeting journalists and media workers interested in contact information for Democratic Progressive Party politicians and members ahead of the January 2016 presidential election. The use of a silently patched vulnerability suggests the group may have had advance knowledge of the patch timeline and moved quickly to exploit the window between patch release and widespread deployment.

Taiwanese Government Agency Targeting (Dec 2015)

On the same date as the Taiwanese media targeting, a suspected Chinese APT actor targeted a Taiwanese government agency with a lure document containing instructions for registration and listing goods on a local Taiwanese auction website — an unusually mundane pretext for a government-targeted espionage operation, likely chosen to appear as an administrative communication rather than a suspicious attachment. FireEye assessed it was possible but unconfirmed that APT16 was responsible for this government targeting, given the overlapping timeframe and the use of the same EPS vulnerability to deploy the ELMER backdoor. The overlap suggests either that APT16 extended its operations to government targets, or that multiple China-based groups were operating simultaneously against the same cluster of pre-election Taiwanese targets.

Tactics, Techniques & Procedures

T1566.001 — Spear-Phishing — Precision Social Engineering Lures

APT16's social engineering is calibrated to the specific geopolitical context of the target. Documented lure subjects include "2015 Taiwan Security and Cultural Forum Invitation Form" (in traditional Chinese), "DPP's Contact Information Update" (targeting journalists covering Taiwan politics), and registration instructions for a local Taiwanese auction website (for a government agency target). The specificity of each lure — using authentic-sounding event names, current political party names, and locally relevant services — demonstrates advance research on the target organization and its likely interests. This specificity increases open rates significantly compared to generic phishing lures and suggests a relatively small, carefully selected target set.

T1203 / T1068 — EPS Use-After-Free and CVE-2015-1701 Privilege Escalation Chain

The November–December 2015 campaign used a two-stage exploitation chain: an Encapsulated PostScript (EPS) dict copy use-after-free vulnerability exploited in Microsoft Office's EPSIMP32.FLT module (similar to CVE-2015-2545, silently patched November 10, 2015) combined with CVE-2015-1701 — a Windows kernel-mode driver (Win32k.sys) local privilege escalation vulnerability. The EPS vulnerability enables arbitrary code execution in the context of Office, while CVE-2015-1701 escalates that code execution to SYSTEM level. Together they provide SYSTEM-privilege arbitrary code execution from a malicious Word document — enabling IRONHALO or ELMER installation without requiring administrator credentials from the victim. The exploit used the dict copy form (dict1 dict2 copy) to trigger the use-after-free, an attack strategy borrowed from browser exploit techniques and applied to the overlooked PostScript attack surface in Office.

T1105 / T1571 — IRONHALO Downloader — Payload Staging via Compromised Sites

IRONHALO retrieves the ELMER backdoor from attacker-controlled infrastructure — typically compromised legitimate websites rather than purpose-built C2 servers. Using compromised legitimate sites for second-stage payload hosting provides several operational advantages: the domain has an established clean reputation, certificate pinning is not required if HTTPS is used, and domain-based blocklisting is impractical without collateral damage. The staged delivery model also means the ELMER backdoor itself is not transmitted in the initial phishing email — reducing the exposure of the final payload to email security gateway scanning.

T1071.001 / T1027 — ELMER Backdoor — HTTPS C2 with Static User-Agent

ELMER beacons to C2 over port 443 (HTTPS) with encryption or protocol obfuscation. A hardcoded User-Agent string "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)" appears consistently across documented ELMER variants — a static fingerprint that mimics an Internet Explorer 7 browser on Windows XP SP1, a combination that would be anomalous on any modern endpoint and provides a durable detection indicator for network-layer monitoring. C2 infrastructure used both hardcoded IP addresses and domain-based C2 (news.rinpocheinfo[.]com) — with the domain serving as the primary attribution link when correlated with known APT16 infrastructure.

T1078 / T1584 — Valid Account Compromise and Compromised Infrastructure

In the June 2015 Taiwanese media campaign, the spear-phishing email appeared to have been sent from a compromised legitimate account, increasing the apparent legitimacy of the approach. The use of compromised accounts as email delivery vectors — rather than attacker-controlled infrastructure — reduces the likelihood of sender-reputation-based filtering flagging the email as suspicious. This technique, combined with the authentic-sounding lure content, creates a multi-layer legitimacy construction designed to pass both technical filtering and human scrutiny.

Geopolitical Context — Why Japan and Taiwan

APT16's exclusive geographic focus on Japan and Taiwan reflects the specific intelligence priorities that China's state security apparatus holds for these two jurisdictions. FireEye's December 2015 disclosure explicitly noted that both Japan and Taiwan were important intelligence collection targets for China given the geopolitical moment — Japan's revisions to its pacifist constitution and the upcoming Taiwanese election.

  • Taiwan — cross-strait political intelligence: Taiwan's political environment is of sustained strategic importance to Beijing because of the cross-strait sovereignty question. Media organizations covering Taiwanese politics hold information on journalist sources within China who could be identified and silenced. Political party databases (specifically DPP — which favors greater Taiwanese autonomy) contain contact networks of politicians, activists, and supporters. Government agencies hold policy documents. Pre-election intelligence collection enables Beijing to anticipate policy shifts and identify individuals who will be influential in a new government before they take power.
  • Japan — strategic and constitutional intelligence: Japan's 2015 reinterpretation of its pacifist constitution — permitting "collective self-defense" for the first time — represented a significant shift in Japan's defense posture that directly affects China's strategic calculations. High-tech sector targets in Japan provide intellectual property intelligence. Government and media targets provide insight into Japan's defense policy development, security cooperation with the United States, and political dynamics around constitutional reinterpretation — all topics of direct strategic concern to the PRC.
  • Tasking architecture — geographic division of labor: The simultaneous targeting of Taiwanese and Hong Kong media organizations by different groups (APT16 in Taiwan, admin@338 with LOWBALL in Hong Kong) suggests a Chinese cyber tasking system that allocates geographic responsibility to different APT clusters. This division of labor reduces overlap, prevents deconfliction failures, and allows specialized expertise in each geographic target set to develop within specific groups.

Indicators of Compromise

staleness note

The documented APT16 IOCs are from 2015. Network and domain indicators are high-staleness for detection purposes. The most durable indicators are behavioral: the ELMER User-Agent string and the exploit chain pattern. Post-2015 APT16 reporting is sparse — the group has continued to operate under reduced public visibility, consistent with a pattern of retooling after public disclosure that is common across Chinese APT groups. The FireEye disclosure and Securelist CVE-2015-2545 analysis contain full hash and IOC sets for the 2015 campaigns.

indicators of compromise — 2015 campaign identifiers
ELMER C2 domain: news.rinpocheinfo[.]com — primary APT16 attribution domain; ELMER beacon over port 443
ELMER C2 IP: 121.127.249.74 — alternate ELMER variant C2; port 443
ELMER MD5 (variant 1): 6c33223db475f072119fe51a2437a542 — beacons to 121.127.249.74
ELMER MD5 (variant 2): 0b176111ef7ec98e651ffbabf9b35a18 — beacons to news.rinpocheinfo[.]com
ELMER User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) — hardcoded across documented ELMER variants; network detection signature
exploit chain: EPS dict copy use-after-free (EPSIMP32.FLT) + CVE-2015-1701 (Win32k.sys privilege escalation) → SYSTEM-level code execution from malicious Word document
IRONHALO detection: Trojan.IRONHALO.Downloader (FireEye); first-stage; fetches ELMER from compromised legitimate websites
spear-phishing subject lines: "DPP's Contact Information Update"; "2015 Taiwan Security and Cultural Forum Invitation Form" (2015台灣安全文化論壇邀請函)
EPS exploit string: APT16 used the second variant of the CVE-2015-2545 EPS exploit, identified by the "h:\test.txt" string present in the EPS shellcode — consistent across EvilPost and APT16 use of this variant (Kaspersky Securelist)
full IOC reference: FireEye — "The EPS Awakens Part 2" (Dec 2015); Kaspersky Securelist — "CVE-2015-2545: Overview of Current Threats"; MITRE ATT&CK G0023

Mitigation & Defense

  • Disable EPS Processing in Microsoft Office (Applicable to Current Environments): APT16's 2015 campaign exploited the Encapsulated PostScript (EPS) handling capability in Microsoft Office's EPSIMP32.FLT filter. While CVE-2015-2545 is long patched, EPS as an attack surface remains worth blocking: Microsoft officially disabled EPS processing in Office on April 11, 2017, in response to the sustained exploitation of this attack surface by multiple threat actors. If any legacy Office deployments remain in Japanese or Taiwanese organizations that have not been updated past 2017, disabling EPS processing via registry should be a priority: HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security, set DisableEPS to 1.
  • Alert on Anomalous User-Agent Strings in HTTPS Traffic: ELMER's hardcoded User-Agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)" — mimicking Internet Explorer 7 on Windows XP SP1 — should be treated as a high-confidence malicious indicator in any modern enterprise network. No legitimate application in a current environment should be generating IE7/XP user-agent strings. Configure proxy and network monitoring systems to alert on this specific User-Agent in outbound HTTPS traffic. This detection approach is particularly robust because the hardcoding of this string across documented ELMER variants indicates it is unlikely to have been changed without significant retooling.
  • Awareness Training Specific to Political Timing Lures for Japanese and Taiwanese Organizations: APT16's lure documents are calibrated to moments of heightened political interest — election cycles, constitutional changes, security forums, party political events. Organizations operating in Japan and Taiwan should include specific training scenarios covering politically-timed spear-phishing: attachments arriving with subjects related to current electoral events, party political updates, or cultural security events should generate elevated caution even when they appear legitimate. The authentic-sounding Traditional Chinese subject lines ("2015台灣安全文化論壇邀請函") demonstrate that APT16 invests in culturally appropriate lure construction.
  • Block or Monitor Outbound Port 443 Connections to Non-Standard Servers: ELMER uses port 443 for C2 — a common technique for blending C2 traffic into legitimate HTTPS traffic. SSL/TLS inspection for outbound traffic, particularly from endpoints with recently installed applications or recently received email attachments, enables detection of ELMER beaconing despite the HTTPS wrapping. Certificate validation anomalies — such as self-signed certificates or certificates issued to domains inconsistent with legitimate business services — on port 443 outbound connections should generate alerts.
  • Patch Aggressively — Especially Silently Released Patches: The EPS vulnerability exploited in APT16's November–December 2015 campaign was silently patched on November 10, 2015 — and APT16 attacks began on November 26, just sixteen days later. The group exploited the window between patch release and widespread deployment. Organizations operating in Japan and Taiwan — APT16's exclusive target set — should treat Microsoft's Patch Tuesday updates as time-critical deployments, with particular urgency for silently released patches that may not generate the same awareness as named CVEs. A sixteen-day patching window is insufficient for organizations in APT16's target profile.
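The User-Agent and C2 indicators above translate directly into detection logic. The following is an added example written for this profile, not code from FireEye, Kaspersky or the page's author: it scans outbound proxy log lines for the exact hardcoded ELMER User-Agent and for the published C2 domain and IP, and it goes one step beyond the profile by also flagging any User-Agent that claims a pre-IE8 browser or a Windows NT 5.x host, since the page's reasoning (no current endpoint should present such a string) applies to that whole class, not just to ELMER's exact value. The tab-separated log layout (timestamp, source IP, destination host, destination port, User-Agent) and the sample log lines are constructed for the example and are assumptions, not a real product's format.

```python
import re
from dataclasses import dataclass

# Indicators taken from the IOC table in this profile (kept defanged as published).
ELMER_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
ELMER_C2_DOMAIN = "news.rinpocheinfo[.]com"
ELMER_C2_IP = "121.127.249.74"

# Generalisation beyond the exact ELMER string: a User-Agent claiming IE 4-7 or a
# Windows NT 5.x (XP / Server 2003) host is anomalous on any current endpoint.
LEGACY_UA_RE = re.compile(r"MSIE [4-7]\.|Windows NT 5\.")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as host[.]tld back into a matchable hostname."""
    return indicator.replace("[.]", ".")


@dataclass(frozen=True)
class Finding:
    line_no: int
    src_ip: str
    dst: str
    severity: str   # "high" = published indicator, "medium" = anomaly heuristic
    reason: str


def parse_line(line: str):
    """Assumed (constructed) layout: tab-separated timestamp, src_ip, dst_host, dst_port, user_agent.
    Returns None for lines that do not fit, so a malformed line never silently passes as clean."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, src, dst, port, ua = parts
    return {"ts": ts, "src": src, "dst": dst, "port": port, "ua": ua}


def scan_proxy_log(lines):
    """Return one Finding per matched rule per log line (a line can produce more than one)."""
    c2_hosts = {refang(ELMER_C2_DOMAIN), ELMER_C2_IP}
    findings = []
    for n, raw in enumerate(lines, start=1):
        rec = parse_line(raw)
        if rec is None:
            continue  # a production tool would count and report malformed lines separately
        if rec["dst"] in c2_hosts:
            findings.append(Finding(n, rec["src"], rec["dst"], "high",
                                    "destination matches published ELMER C2 indicator"))
        if rec["ua"] == ELMER_USER_AGENT:
            findings.append(Finding(n, rec["src"], rec["dst"], "high",
                                    "exact hardcoded ELMER User-Agent"))
        elif LEGACY_UA_RE.search(rec["ua"]):
            findings.append(Finding(n, rec["src"], rec["dst"], "medium",
                                    "legacy IE / Windows XP-era User-Agent on a current endpoint"))
    return findings


def high_confidence_sources(findings):
    """Internal hosts that hit a published indicator: the first ones to isolate and image."""
    return {f.src_ip for f in findings if f.severity == "high"}


# Constructed sample log; the two ELMER lines re-create the beacon pattern the profile describes.
SAMPLE_LOG = [
    "2015-11-27T09:12:01Z\t10.0.4.21\tupdate.example.net\t443\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "2015-11-27T09:12:44Z\t10.0.4.33\t121.127.249.74\t443\t" + ELMER_USER_AGENT,
    "2015-11-27T09:13:02Z\t10.0.4.57\tnews.rinpocheinfo.com\t443\t" + ELMER_USER_AGENT,
    "2015-11-27T09:14:10Z\t10.0.4.80\tintranet.example.local\t80\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "garbage line that does not fit the expected layout",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.severity:6} {f.src_ip} -> {f.dst}: {f.reason}")
    print("isolate first:", sorted(high_confidence_sources(scan_proxy_log(SAMPLE_LOG))))
```

The exact-string rule and the legacy-browser heuristic are kept as separate severities on purpose: the published User-Agent and C2 values can be actioned automatically, while the broader heuristic will also catch old scanners, printers and unpatched lab machines and should feed triage rather than blocking.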
analyst note

APT16's narrow geographic and sectoral focus has an important implication for defenders: organizations in Japan and Taiwan that operate in media, government, high-tech, or financial services should treat APT16 as a near-certain persistent threat regardless of whether any specific APT16 campaign has been publicly disclosed against them. The group's documented targeting pattern — returning to the same media organization in June and December 2015, coordinating with other China-based groups to cover both Taiwan and Hong Kong simultaneously — reflects a sustained collection mandate rather than opportunistic targeting.

Post-2015 reporting on APT16 is sparse in the public domain. This is consistent with a common pattern among Chinese APT groups: after public disclosure, the group pauses or reduces signature-generating activity, retools, and resumes under reduced visibility. The absence of post-2015 public reporting on APT16 does not indicate the group ceased operations — it is more consistent with retooling and continuation under new or modified infrastructure. The rinpocheinfo[.]com domain was the primary attribution anchor for the 2015 disclosure; subsequent infrastructure almost certainly uses different domain registration patterns. For Japanese and Taiwanese organizations in APT16's documented target sectors, the threat assessment remains active regardless of the sparse public IOC landscape.

Sources & Further Reading

— end of profile