APT27 / Emissary Panda
One of China's most prolific and long-running espionage groups — active since at least 2010 and confirmed operational through 2025. APT27 is characterized by sustained, long-term intelligence collection across government, defense, aerospace, energy, and technology targets globally. In March 2025, the US Department of Justice unsealed indictments against two APT27 operators — Yin Kecheng and Zhou Shuai — for campaigns spanning August 2013 through December 2024, including an intrusion into the US Department of the Treasury. A $2 million reward remains outstanding for information leading to their arrest.
Overview
APT27 is a Chinese state-sponsored advanced persistent threat group first documented around 2012 and assessed to have been active since at least 2010. The group is tracked under more than a dozen aliases across the security industry — Emissary Panda (CrowdStrike), LuckyMouse (Kaspersky), Iron Tiger (Trend Micro), Budworm (Symantec), Bronze Union (SecureWorks), and TG-3390 being among the most widely recognized. MITRE ATT&CK formally catalogs the group as G0027 under the Threat Group-3390 designation. The group is assessed with high confidence to operate on behalf of China's Ministry of State Security.
APT27's defining characteristic is operational longevity and patience. The group is known to return to compromised networks roughly every three months to verify access, refresh credentials if access has lapsed, and identify new data of interest — a practice that enables multi-year persistence in high-value environments. Secureworks CTU researchers noted that the group's goal is not disruption but selective exfiltration of high-value information, and it maintains this focus consistently across a remarkably varied target set spanning government agencies, defense contractors, aerospace, telecommunications, energy, healthcare, manufacturing, and financial institutions.
In March 2025, the US Department of Justice unsealed indictments against two APT27 members — Yin Kecheng and Zhou Shuai (known online as "Coldface") — charging them with conspiracy to commit computer intrusions for operations spanning August 2013 through December 2024. The charges allege that both individuals conducted unauthorized intrusions, deployed malware including PlugX, and brokered stolen data for sale to customers that included — but were not limited to — PRC government and military contacts. This commercial data brokerage activity, combined with i-Soon's documented hacker-for-hire structure (charging between $10,000 and $75,000 per compromised email inbox for MSS and MPS clients), confirms that APT27 operates at the intersection of state intelligence and financially motivated criminal activity.
A secondary characteristic — unusual for a primarily espionage-focused group — is APT27's documented but limited use of ransomware as an ancillary tool. Incidents in 2020 involved the Polar ransomware, deployed after years of persistent access to a media organization, with tooling and tradecraft (SysUpdate, HyperBro) consistent with prior APT27 intrusions. More recent incidents in European healthcare (2024) involved NailaoLocker ransomware alongside ShadowPad and PlugX — though researchers noted the ransomware lacked sophistication and may have functioned primarily as a distraction from data theft operations. Germany's domestic intelligence service (BfV) issued a public warning in July 2024 about APT27 targeting European entities with updated RSHELL malware variants.
Target Profile
APT27 has one of the broadest target profiles of any Chinese APT group, spanning multiple continents and a wide range of sectors. Targeting is consistent with Chinese military, economic, and geopolitical intelligence priorities.
- Government and diplomatic: Foreign embassies, government ministries, and diplomatic communications are among the group's highest-priority targets. The 2024 US Treasury breach, and attributed targeting of foreign ministries in Taiwan, India, South Korea, and Indonesia, are consistent with this pattern.
- Defense and aerospace: US defense contractors, military research organizations, and aerospace firms have been targeted since the group's early documented operations, with the exfiltration of trillions of bytes of sensitive data from defense contractors in the Iron Tiger campaign. European defense contractors have also been targeted.
- Telecommunications: Major telecom operators have been compromised in campaigns — most notably the DeadRinger operation — to collect call detail records and enable communications intelligence collection from switching infrastructure.
- Energy and critical infrastructure: Energy sector organizations and national data centers have been targeted, including a documented APT27 compromise of a Central Asian national data center used to enable country-level watering hole attacks on government visitors.
- Technology and manufacturing: IT service providers, software companies, and industrial manufacturers are targeted both for the intelligence value of their data and as pathways to downstream supply chain compromise of their customers.
- Healthcare and education: European healthcare organizations were targeted in 2024 NailaoLocker-linked intrusions. Universities have also been targeted, with the DOJ citing intellectual property theft from universities in its damage assessment of APT27 operations.
- Religious and civil society organizations: At least one US-based religious organization critical of China's policies was targeted for data theft and surveillance — consistent with broader CCP intelligence priorities around monitoring overseas communities and dissidents.
Tactics, Techniques & Procedures
Documented TTPs, drawn from MITRE ATT&CK G0027, Proofpoint/Symantec Budworm reports, Trend Micro Iron Tiger research, INTRINSEC incident analysis, the March 2025 DOJ indictment, and the dexpose.io APT27 profile that aggregates incident responder findings.
| MITRE ID | Technique | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | APT27 consistently exploits known vulnerabilities in internet-facing services as a primary initial access vector. Documented targets include Microsoft Exchange (ProxyLogon: CVE-2021-26855 and related; ProxyShell), SharePoint (CVE-2019-0604), Zoho ManageEngine ADSelfService Plus (CVE-2021-40539), Zoho ServiceDesk (CVE-2021-44077), Log4j (CVE-2021-44228, CVE-2021-45105), and BeyondTrust (CVE-2024-12356, CVE-2024-12686) in the 2024 Treasury breach. Apache Tomcat Log4j exploitation was used to deploy HyperBro via CyberArk Viewfinity DLL sideloading. |
| T1505.003 | Web Shell | Web shells are deployed immediately upon gaining server access to establish persistent command execution. China Chopper and TwoFace are the most commonly observed shells. ASPXSpy web shells have been used for lateral movement. OWA-targeting custom backdoors with significant code similarity to prior Iron Tiger tooling have been observed in telecom intrusions. |
| T1574.002 | DLL Sideloading | APT27's most consistent persistence technique across all documented periods. HyperBro is loaded via malicious DLL sideloading using legitimate signed executables — documented legitimate binaries abused include INISafeWebSSO (for SysUpdate), CyberArk Viewfinity, McAfee mcoemcpy.exe, and a renamed Google Updater executable (goopdate.dll). SysUpdate and Clambling are deployed through the same mechanism. |
| T1003.001 | LSASS Memory Dumping | Credential harvesting from LSASS is a consistent post-exploitation step. Tools used include Mimikatz (including an internally developed variant called mim221 with custom credential dumping logic), SecretsDump, LaZagne, and generic PasswordDumper utilities. AdFind is used for Active Directory enumeration alongside credential harvesting. |
| T1021 | Lateral Movement | Post-exploitation lateral movement uses a combination of harvested credentials, PsExec, WMI, and RDP. Chisel (a GoLang reverse SOCKS proxy renamed to veeamGues.exe) is used for network tunneling. IOX proxy/port-forwarding tool, Fast Reverse Proxy (FRP), and Fscan for internal network discovery have been documented in recent campaigns. |
| T1071.001 | C2 over HTTPS | HyperBro communicates with C2 over HTTPS using the URI /api/v2/ajax on port 443, with a hardcoded Chrome user-agent string. SysUpdate communicates over HTTP and injects into svchost.exe. Clambling uses Dropbox as a C2 channel — an unusual legitimate cloud service abuse that complicates network-based detection. The campaign flagged by Germany's BfV in July 2024 used RSHELL malware with updated evasion. |
| T1070 | Indicator Removal | APT27 disables Windows event logging to limit forensic visibility during intrusion activity. In ransomware-adjacent incidents, log clearing and shadow copy deletion were documented. The group returns to compromised networks approximately every three months to verify access and clean up artifacts — a long-term operational security practice designed to extend dwell time without triggering investigations. |
| T1195 | Supply Chain Compromise | The 2024 US Treasury breach was enabled by compromising BeyondTrust, a trusted third-party remote support SaaS provider, and stealing a cryptographic key used to access Treasury workstations. This pattern of compromising trusted third-party service relationships to pivot to high-value targets has been documented in multiple APT27 campaigns. |
| T1078 | Valid Accounts | APT27 operators routinely harvest and leverage valid credentials for persistence, reducing the need for custom tooling in post-exploitation lateral movement. The group specifically targets enterprise password management systems (Zoho ManageEngine ADSelfService Plus) to obtain credentials at scale from Active Directory. |
Known Campaigns
Selected major operations spanning APT27's documented activity from 2015 through 2025.
Trend Micro's Iron Tiger report documented a sustained campaign against US government and defense contractor networks exfiltrating trillions of bytes of data including stolen emails, intellectual property, and strategic planning documents. The operation established the Iron Tiger attribution and linked the group's HyperBro and HttpBrowser toolchain to this cluster of activity. DOJ indictment documents place APT27 operator Yin Kecheng's earliest charged intrusion activity in August 2013, consistent with this operational timeframe.
Kaspersky (LuckyMouse) documented a campaign in which APT27 compromised a Central Asian country's national data center to inject malicious JavaScript into government websites served by the data center, enabling a country-wide watering hole attack that delivered HyperBro to all government visitors. This operation demonstrated the group's strategic thinking — rather than targeting individual organizations, the compromise of shared infrastructure enabled simultaneous access to all government entities in the country.
Cybereason documented a cluster of intrusions against major telecommunications operators, one of which showed code similarity to APT27 (Iron Tiger) tooling including the OWA backdoor variants. The campaign targeted telecom switching infrastructure and call detail records — the intelligence collection equivalent of a passive tap on carrier networks. The intrusions persisted from at least 2017 through early 2021, representing sustained long-term access to carrier infrastructure.
Incident responders traced a mass file encryption event at a media organization to an APT27 intrusion that began in early 2018 via a vulnerable perimeter server. Operators maintained access for over two years using China Chopper/TwoFace web shells, credential dumping, and SysUpdate and HyperBro for persistence, scanning for EternalBlue SMB vulnerabilities to expand access. In April 2020, the operators deployed Polar ransomware via a DLL-hijack chain using a legitimate GDFInstall.exe, clearing logs, deleting shadow copies, and encrypting files with .locked/.cryptd extensions. The use of SysUpdate and HyperBro was the key attribution indicator linking this to APT27.
HvS-Consulting documented multiple APT27 (Emissary Panda) intrusions against German commercial organizations exploiting the ProxyLogon Microsoft Exchange vulnerability (CVE-2021-26855 and related), delivering HyperBro as a persistent backdoor. The group deliberately acted like opportunistic attackers to suppress full incident response — a tactic that allowed it to pass initial triage at some organizations and complete the full APT kill chain, exfiltrating trade secrets undetected for months. The same period saw parallel exploitation of Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk (CVE-2021-44077) against at least nine organizations globally across defense, healthcare, energy, technology, and education.
Symantec (Budworm) documented APT27 intrusions against a Middle Eastern telecommunications organization and an Asian government entity, deploying a previously unseen variant of SysUpdate (inicore_v2.3.30.dll) via DLL sideloading using INISafeWebSSO. Both intrusions were observed in credential-harvesting phase only, suggesting early detection. The campaign confirmed the group's continued development of cross-platform tooling — a Linux-compatible SysUpdate variant had been documented in an earlier Trend Micro report, expanding the group's reach beyond Windows environments.
APT27 operators breached the US Treasury Department via compromised virtual private servers that were used to exploit vulnerabilities in BeyondTrust's remote support SaaS platform (CVE-2024-12356, an unauthenticated RCE, and CVE-2024-12686, a command injection flaw). The attackers stole a BeyondTrust cryptographic key used to override security controls, gaining unauthorized remote access to Treasury Departmental Offices workstations and unclassified documents. The breach also extended to foreign ministry communications in Taiwan, India, South Korea, and Indonesia. The intrusion was disclosed December 8, 2024. The DOJ indictment unsealed March 5, 2025 formally attributed the breach to Yin Kecheng and Zhou Shuai of APT27.
Tools & Malware
APT27 uses a combination of proprietary custom malware and shared Chinese APT tooling. The group's signature tools — HyperBro and SysUpdate — are the primary attribution anchors across operations spanning a decade.
- HyperBro: A custom in-memory remote access trojan (RAT) used by APT27 since at least 2017. Deployed via DLL sideloading: a legitimate signed executable loads a malicious DLL, which in turn loads the packed payload (thumb.db or thumb.dat) into memory. Communicates with C2 over HTTPS using URI /api/v2/ajax on port 443. Capabilities include remote command execution, screenshot capture, clipboard content theft, file upload/download, Windows service manipulation, and registry editing. HyperBro is considered a signature APT27 tool and its presence is a strong attribution indicator.
- SysUpdate (IronTaurus): A multi-stage custom malware family assessed to be unique to APT27. Delivered via DLL sideloading using legitimate applications (INISafeWebSSO, Google Updater). First stage installs persistence before loading SysUpdate Main, which injects into svchost.exe and communicates over HTTP. Highly modular — additional capability plugins can be loaded or removed to control the malware's visible footprint. A Linux-compatible variant was documented in 2021. Infections have been tracked across 45 countries.
- Clambling: A custom backdoor with a unique command-and-control mechanism using Dropbox as a C2 channel. The use of a legitimate cloud service makes Clambling traffic harder to identify via network monitoring. Used alongside HyperBro and PlugX in Operation DRBControl and subsequent campaigns.
- PlugX / Korplug: A widely shared backdoor used across Chinese APT groups. APT27 uses PlugX/Korplug alongside its proprietary tools. Documented in multiple campaigns including those involving DLL sideloading via Google Updater (goopdate.dll). Also referenced in the March 2025 DOJ indictment as a malware type deployed by Yin Kecheng and Zhou Shuai.
- China Chopper / TwoFace: Web shells used for initial post-exploitation server access and command execution. China Chopper is a small, widely used web shell; TwoFace is a more sophisticated variant. Both have been consistently present across APT27 intrusions spanning multiple years.
- ZxShell / Gh0st RAT: Older remote access tools associated with earlier APT27 campaigns and shared more broadly across Chinese APT groups. Still observed in some operations, particularly as secondary access mechanisms.
- RSHELL: A malware family cited in the July 2024 Germany BfV alert as being used by APT27 in campaigns targeting European entities. Updated variants were shared with a YARA rule by the German domestic intelligence service.
- Polar (ransomware): A ransomware payload deployed by APT27 in the 2020 media organization incident. Uses a DLL-hijack delivery chain (GDFInstall.exe loading GameuxInstallHelper.dll). Encrypts files with .locked/.cryptd extensions, clears logs, and deletes shadow copies. Assessed as an opportunistic monetization of persistent access rather than a primary group objective.
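The sideloading chains above (HyperBro's thumb.db companion, Polar's GDFInstall.exe loading GameuxInstallHelper.dll, goopdate.dll beside a renamed Google Updater) share a detectable shape. The following is an added example, not code from the profile's sources or any vendor tool: it scores Sysmon Event ID 7 style image-load records for a legitimate host loading an unsigned DLL from its own directory. The event dicts, the directory listings, the Viewfinity host name vf_host.exe, and the user-writable path list are all constructed for this example.

```python
"""Flag APT27-style DLL sideloading from Sysmon image-load events.

Added example (not from the profile's sources or any vendor tool). Encodes
the chain described above: a legitimate executable loads an unsigned DLL
from its own directory, often under a user-writable path, with a packed
payload (thumb.db / thumb.dat) lying beside it. Inputs are constructed.
"""
from pathlib import PureWindowsPath

# Names the profile documents in APT27 sideload chains.
ABUSED_DLLS = {"goopdate.dll", "gameuxinstallhelper.dll"}
ABUSED_HOSTS = {"gdfinstall.exe", "mcoemcpy.exe"}
PAYLOAD_COMPANIONS = {"thumb.db", "thumb.dat"}
# Directories a standard user can write to (assumed heuristic).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def assess_image_load(event: dict, dir_listing) -> list:
    """Return reason strings for a suspicious load; [] means benign.
    Event keys follow Sysmon Event ID 7: Image (host process), ImageLoaded
    (DLL), Signed ("true"/"false"), SignatureStatus ("Valid", ...)."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if image.parent != dll.parent:  # PureWindowsPath compares case-insensitively
        return []  # only DLLs co-located with the host exe are in scope
    unsigned = (event.get("Signed", "false").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    if not unsigned:
        return []  # a validly signed co-located DLL is the normal case
    reasons = ["unsigned-dll-beside-host"]
    if dll.name.lower() in ABUSED_DLLS or image.name.lower() in ABUSED_HOSTS:
        reasons.append("known-apt27-sideload-name")
    if is_user_writable(str(image)):
        reasons.append("host-in-user-writable-dir")
    if {n.lower() for n in dir_listing} & PAYLOAD_COMPANIONS:
        reasons.append("packed-payload-companion")
    return reasons


def scan(events, listings):
    """Pair each event with its directory listing; keep only findings."""
    findings = []
    for event, listing in zip(events, listings):
        reasons = assess_image_load(event, listing)
        if reasons:
            findings.append((event["Image"], reasons))
    return findings


# Constructed samples: a Polar-style GDFInstall chain, a HyperBro-style unsigned
# DLL beside a constructed host name with thumb.db alongside, and a benign load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\GDFInstall.exe",
     "ImageLoaded": r"C:\Users\Public\GameuxInstallHelper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\Viewfinity\vf_host.exe",
     "ImageLoaded": r"C:\ProgramData\Viewfinity\vf_host.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
SAMPLE_LISTINGS = [
    ["GDFInstall.exe", "GameuxInstallHelper.dll"],
    ["vf_host.exe", "vf_host.dll", "thumb.db"],
    ["app.exe", "helper.dll"],
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS, SAMPLE_LISTINGS):
        print(image, "->", ", ".join(reasons))
```

In production the directory listing would come from the endpoint at triage time; the signature fields alone already separate the two malicious samples from the benign one.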
Indicators of Compromise
Selected IOCs from Symantec Budworm research, INTRINSEC incident analysis, the March 2025 DOJ indictment, and the dexpose.io APT27 profile. Individual IPs and hashes rotate across campaigns — behavioral indicators are more durable.
APT27 campaigns span years, and many specific IOCs (IPs, C2 domains, hashes) are rotated regularly. Detection rules based on behavioral patterns — particularly DLL sideloading chains, HyperBro C2 URI patterns, and Chisel/FRP usage — provide more durable coverage than indicator-based blocklists alone.
Germany's BfV released a YARA rule for the RSHELL variants used in European targeting in July 2024. Search for the BfV RSHELL YARA rule in public threat intelligence repositories for current detection signatures. The Symantec Budworm report (August 2023) also contains SysUpdate file hashes and infrastructure IOCs from the Middle East/Asia campaigns.
Mitigation & Defense
Recommended controls for organizations in APT27's target profile — particularly government, defense, energy, and technology sectors.
- Patch internet-facing services on an emergency timeline: APT27 rapidly exploits newly disclosed vulnerabilities in Exchange, SharePoint, VPN appliances, and enterprise software management tools. Organizations should treat any unpatched internet-facing server as a likely entry point and apply vendor patches as emergency priority — not on standard monthly cycles. Log4j, ProxyLogon, Zoho ManageEngine, and BeyondTrust vulnerabilities are all documented APT27 entry vectors.
- Monitor for DLL sideloading in known-good binary directories: APT27's most consistent and durable persistence technique is DLL sideloading using legitimate signed executables. Endpoint detection rules should alert on unexpected DLL loads from the same directory as known legitimate executables — particularly INISafeWebSSO, McAfee executables, and Google Updater — and on any process spawning from those executables.
- Detect and block Chisel and Fast Reverse Proxy: APT27 uses open-source tunneling tools (Chisel renamed to masquerade as a legitimate process, e.g. veeamGues.exe) to tunnel into internal networks. Alert on SOCKS5 proxy server activity from endpoints, GoLang-compiled executables making outbound connections, and processes listening on atypical ports.
- Alert on HyperBro C2 patterns: The HyperBro URI pattern (/api/v2/ajax, /ajax) combined with the specific Chrome 34 user-agent string is a reliable network detection indicator. Modern Chrome versions are 120+. Any internal system sending HTTPS traffic to an external server with a Chrome 34 user-agent is anomalous and should be investigated.
- Audit and harden enterprise password management tools: Zoho ManageEngine products are documented APT27 targets specifically because they provide privileged access to Active Directory credentials at scale. Ensure all ManageEngine installations are fully patched, network-segmented, and access-controlled, and review audit logs for unusual API activity.
- Audit third-party service relationships for implicit trust exploitation: The Treasury breach was enabled by compromising a trusted third-party SaaS provider (BeyondTrust) rather than targeting Treasury directly. Organizations should inventory all third-party services that have implicit elevated access to internal systems, apply least-privilege principles to those integrations, and monitor for anomalous use of service accounts and API keys.
- Assume long dwell times and hunt proactively: APT27 is documented to return to compromised networks approximately every three months. Organizations that detect an intrusion and remediate one access path may still have additional undiscovered persistence mechanisms. Full compromise assessments — including memory forensics, full web shell sweeps, and review of all scheduled tasks and DLL sideloading opportunities — are essential to complete remediation.
- Disable Windows event log clearing by non-privileged accounts: APT27 disables Windows event logging to limit forensic visibility. Alert on any process attempting to clear or disable Windows Security, System, or Application event logs — this activity is almost universally malicious in enterprise environments. Forward critical event logs to a remote SIEM immediately to prevent retroactive log manipulation from obscuring the intrusion timeline.
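The HyperBro network indicators in the list above (the /api/v2/ajax or /ajax URI on port 443 and a Chrome 34 User-Agent) can be scored together rather than matched one at a time. The following is an added example, not code from the profile's sources: a small detector run over constructed proxy log lines. The log format, the sample lines, the exact User-Agent strings, and the staleness threshold of Chrome 100 are all assumptions made for this example.

```python
"""Heuristic HyperBro C2 detection over proxy log lines.

Added example, not from the profile's sources. It combines the two network
indicators the profile describes: the /api/v2/ajax (or /ajax) URI over
port 443 and a badly outdated Chrome 34 User-Agent. Log format, sample
lines, and the staleness threshold are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed log format: <client_ip> <dst_host>:<port> <method> <uri> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<method>[A-Z]+) '
    r'(?P<uri>\S+) "(?P<ua>[^"]*)"$'
)
CHROME_VER_RE = re.compile(r"Chrome/(\d+)\.")
HYPERBRO_URIS = {"/api/v2/ajax", "/ajax"}
# Modern Chrome is 120+ per the profile; anything below this assumed
# threshold is treated as a hardcoded, stale User-Agent.
STALE_CHROME_MAJOR = 100


@dataclass
class Finding:
    src: str
    host: str
    reasons: tuple
    score: int  # number of indicators hit; 2 = URI and UA both matched


def chrome_major(ua: str):
    """Major Chrome version claimed by a User-Agent, or None if not Chrome."""
    m = CHROME_VER_RE.search(ua)
    return int(m.group(1)) if m else None


def assess(line: str):
    """Return a Finding for a suspicious line, or None for benign/unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    uri_path = m["uri"].split("?", 1)[0]  # ignore query string
    reasons = []
    if uri_path in HYPERBRO_URIS and m["port"] == "443":
        reasons.append("hyperbro-uri")
    major = chrome_major(m["ua"])
    if major is not None and major < STALE_CHROME_MAJOR:
        reasons.append(f"stale-chrome-{major}")
    if not reasons:
        return None
    return Finding(m["src"], m["host"], tuple(reasons), len(reasons))


def scan(lines):
    """Findings sorted so lines matching both indicators come first."""
    findings = [f for f in (assess(l) for l in lines) if f]
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample traffic: one line hitting both indicators, one with only
# the stale UA, one with only the URI on a modern browser, one benign.
SAMPLE_LOG = [
    '10.0.5.23 203.0.113.45:443 POST /api/v2/ajax "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"',
    '10.0.5.23 203.0.113.45:443 GET /index.html "Mozilla/5.0 (Windows NT 10.0) Chrome/34.0.1847.116 Safari/537.36"',
    '10.0.7.8 www.example.com:443 GET /api/v2/ajax?x=1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36"',
    '10.0.9.1 update.example.net:443 GET /status "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A score of 2 is the high-confidence case the profile describes; the single-indicator hits are worth reviewing but the URI alone can belong to an unrelated web application.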
Frequently Asked Questions
What is APT27 / Emissary Panda?
APT27 (also known as Emissary Panda, LuckyMouse, Iron Tiger, and Budworm) is a Chinese state-sponsored advanced persistent threat group active since at least 2010. The group is MSS-affiliated and primarily conducts long-term intelligence collection against government, defense, aerospace, energy, and technology targets globally. In March 2025, the US Department of Justice indicted two APT27 operators — Yin Kecheng and Zhou Shuai — for campaigns spanning August 2013 through December 2024, including the intrusion into the US Department of the Treasury.
What is HyperBro?
HyperBro is a custom in-memory remote access trojan closely associated with APT27. It functions as a persistent backdoor enabling remote command execution, screenshot capture, clipboard content theft, file manipulation, and Windows service modification. HyperBro is typically deployed via DLL sideloading into a legitimate process, loading its payload from a packed file (thumb.db or thumb.dat) in memory. It communicates with C2 servers over HTTPS using the URI /api/v2/ajax. Its presence is considered a strong attribution indicator for APT27 activity.
What is SysUpdate?
SysUpdate is a multi-stage custom malware family assessed to be unique to APT27. Delivered via DLL sideloading using legitimate applications such as INISafeWebSSO, it comprises a first-stage installer and a second-stage payload (SysUpdate Main) that injects into svchost.exe. SysUpdate is highly modular — additional capability modules can be loaded or removed to control its visible footprint on compromised systems. A Linux-compatible variant was documented in 2021, and a 2023 update added new evasion techniques. Unit 42 tracked infections across 45 countries.
What was the US Treasury breach attributed to APT27?
APT27 operators breached the US Department of the Treasury between September and December 2024 via compromised virtual private servers, exploiting vulnerabilities in BeyondTrust's remote support SaaS platform (CVE-2024-12356 and CVE-2024-12686) to steal a cryptographic key. The stolen key allowed attackers to override BeyondTrust's security controls and gain unauthorized remote access to Treasury Departmental Offices workstations and unclassified documents. The breach was disclosed December 8, 2024, and formally attributed to APT27 in the March 5, 2025 DOJ indictment.
Who was indicted in connection with APT27?
On March 5, 2025, the US Department of Justice unsealed charges against 12 Chinese nationals as part of a broader i-Soon and APT27 indictment. Two individuals identified as APT27 members — Yin Kecheng and Zhou Shuai ("Coldface") — were charged with conspiracy to commit computer intrusions for campaigns spanning August 2013 through December 2024. The indictment alleges both brokered stolen data for sale to customers including PRC government and military contacts. A $2 million reward has been offered by the US State Department for information leading to their arrest. Both remain at large in China.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Threat Group-3390 / APT27 Group Profile (G0027)
- Dexpose.io — Threat Actor Profile: APT27 Cyber Espionage Group (aggregates DOJ indictment, incident responder findings)
- INTRINSEC CERT — APT27: One Year to Exfiltrate Them All (incident analysis with HyperBro and Chisel documentation)
- Trend Micro — Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware (2021)
- Cybersecurity News — 12 Chinese Hackers Charged For Cyber Attacks on US Treasury (March 2025)
- TechTarget — Treasury Department Hacked: Explaining How It Happened (BeyondTrust breach analysis)
- HvS-Consulting — Threat Intelligence Report: Emissary Panda APT27 (ProxyLogon German targeting)
- The Record — US State Legislature, Middle Eastern Gov't Targeted by Espionage Group Through Log4j