active threat profile
type: nation-state
threat_level: high
status: active
origin: China
last_updated: 2026-03-13

Bronze Starlight

also known as: Cinnamon Tempest, DEV-0401, Emperor Dragonfly

Bronze Starlight is a China-linked intrusion cluster publicly tied to ransomware operations spanning several short-lived families, and to activity that blends rapid exploitation of internet-facing systems, hands-on-keyboard access, and post-compromise tooling commonly associated with Chinese intrusion tradecraft. The cluster matters because it appears to use ransomware both for extortion and, in some cases, as a possible cover for broader access and intelligence-collection objectives.

attributed origin: China
suspected sponsor: Chinese state-sponsored (no specific agency publicly attributed; alias overlap across vendors)
first observed: 2021
primary motivation: Espionage / extortion / IP theft
primary targets: Manufacturing, financial services, legal, government, technology
known campaigns: Multiple public ransomware clusters
mitre att&ck group: G1021 (Cinnamon Tempest)
target regions: North America, Asia, Europe
threat level: high

Overview

Bronze Starlight is the Secureworks/Sophos tracking name for a China-linked intrusion cluster that MITRE ATT&CK maps to Cinnamon Tempest (G1021), with associated aliases DEV-0401 (Microsoft) and Emperor Dragonfly (Sygnia). Public reporting describes a group active since at least 2021 that repeatedly rotates ransomware brands, rapidly exploits internet-facing systems, and in some cases appears to use extortion activity as a smokescreen for theft of intellectual property or broader espionage objectives.

What makes Bronze Starlight analytically important is not just the ransomware itself, but the surrounding tradecraft: direct exploitation instead of affiliate-style access purchases, reuse of China-associated tooling such as HUI Loader and PlugX, and repeated short-lifecycle ransomware families including LockFile, AtomSilo, Rook, Night Sky, Pandora, and later Cheerscrypt-linked activity. That combination places the cluster at the intersection of cybercrime, state-aligned access operations, and espionage-motivated intrusion behavior.

Target Profile

Victimology and tooling point to a cluster that does not behave like a conventional ransomware affiliate program. Reporting ties Bronze Starlight activity to organizations across multiple sectors, with especially strong concern around victims whose networks or data have intelligence or intellectual-property value.

  • Manufacturing and engineering: Secureworks reporting highlighted victims consistent with intellectual-property-driven targeting, making industrial and engineering environments especially relevant.
  • Financial services and legal sectors: Public reporting on LockFile-era and later activity identified victims in these sectors, suggesting broad but still selective enterprise targeting.
  • Government and high-value enterprise networks: MITRE and multiple vendor reports describe exploitation of exposed enterprise infrastructure and post-compromise operations that fit strategic access goals beyond simple smash-and-grab extortion.

Tactics, Techniques & Procedures

Documented TTPs show an operator that favors direct exploitation of public-facing systems, commodity-plus-custom post-exploitation, and rapid switching between ransomware brands. The table below focuses on ATT&CK techniques and behaviors publicly associated with Bronze Starlight / Cinnamon Tempest.

MITRE ID / Technique / Description

  • T1190 Exploit Public-Facing Application: Public reporting ties the group to exploitation of unpatched internet-facing software including VMware Horizon (via Log4Shell, CVE-2021-44228), Confluence, Microsoft Exchange, and ManageEngine ADSelfService Plus.
  • T1059.001 Command and Scripting Interpreter: PowerShell: PowerShell has been used for reconnaissance, command execution, and communication with command-and-control infrastructure during post-compromise operations.
  • T1484.001 Domain Policy Modification: Group Policy Modification: Microsoft reported use of Group Policy to push batch scripts that deploy ransomware across victim environments.
  • T1543.003 Create or Modify System Process: Windows Service: Sygnia reporting, as reflected in ATT&CK, notes the use of Windows services to establish persistence for deployed tooling.
  • T1567.002 Exfiltration to Cloud Storage: ATT&CK cites the use of Alibaba Cloud Object Storage Service (OSS) for exfiltrating captured keystroke logs in Bronze Starlight-associated activity.
  • T1486 Data Encrypted for Impact: The cluster repeatedly deployed short-lived ransomware families, several of them (Rook, Night Sky, Pandora) built on the leaked Babuk source, alongside LockFile, AtomSilo, and Cheerscrypt-linked payloads.
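As an added example (not code from the original profile or from any of the cited vendors), the following Python hunts web-proxy logs for the T1567.002 pattern above: sustained uploads from a single internal host to Alibaba Cloud OSS bucket endpoints. The log format, hostnames, bucket names, byte counts and the 100 MiB threshold are constructed assumptions; the `<bucket>.oss-<region>.aliyuncs.com` host pattern follows OSS's public endpoint naming and matches only that service, not every aliyuncs.com domain.

```python
"""Hunt web-proxy logs for bulk uploads to Alibaba Cloud OSS (T1567.002).

Added example, not part of the original profile. The proxy line layout
(timestamp, source host, method, destination host, bytes sent) is an
assumption; adapt parse_line() to the fields your proxy actually emits.
"""
import re
from collections import defaultdict

# Constructed sample proxy lines (not real telemetry).
SAMPLE_PROXY_LOG = """\
2022-03-01T02:11:04Z WS-FIN-07 PUT upload-bkt.oss-cn-hangzhou.aliyuncs.com 52428800
2022-03-01T02:13:40Z WS-FIN-07 PUT upload-bkt.oss-cn-hangzhou.aliyuncs.com 48234496
2022-03-01T02:20:01Z WS-FIN-07 PUT upload-bkt.oss-cn-hangzhou.aliyuncs.com 61000000
2022-03-01T09:30:12Z WS-HR-02 GET www.example.com 1200
2022-03-01T09:31:55Z WS-HR-02 POST login.microsoftonline.com 3400
2022-03-01T11:02:33Z SRV-BUILD-1 PUT artifacts.oss-eu-central-1.aliyuncs.com 900000
"""

# OSS bucket endpoints are <bucket>.oss-<region>[-internal].aliyuncs.com.
# Assumption: we only match this bucket-endpoint shape, not other Alibaba services.
OSS_HOST_RE = re.compile(
    r"^[a-z0-9-]+\.oss-[a-z0-9-]+(?:-internal)?\.aliyuncs\.com$", re.IGNORECASE
)
UPLOAD_METHODS = {"PUT", "POST"}


def parse_line(line):
    """Split one constructed proxy line into a record with an integer byte count."""
    ts, host, method, dest, nbytes = line.split()
    return {"ts": ts, "host": host, "method": method, "dest": dest, "bytes": int(nbytes)}


def oss_upload_totals(log_text):
    """Sum bytes uploaded per source host to OSS bucket endpoints only."""
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] in UPLOAD_METHODS and OSS_HOST_RE.match(rec["dest"]):
            totals[rec["host"]] += rec["bytes"]
    return dict(totals)


def flag_hosts(log_text, threshold_bytes=100 * 1024 * 1024, allowlist=()):
    """Return hosts whose OSS upload volume meets the threshold, minus known-good systems.

    The allowlist exists because legitimate build or backup jobs also push to OSS;
    the signal here is volume from a host that has no business reason to do so.
    """
    totals = oss_upload_totals(log_text)
    return sorted(
        host for host, sent in totals.items()
        if sent >= threshold_bytes and host not in allowlist
    )


if __name__ == "__main__":
    totals = oss_upload_totals(SAMPLE_PROXY_LOG)
    for host in flag_hosts(SAMPLE_PROXY_LOG, allowlist={"SRV-BUILD-1"}):
        print(f"review: {host} uploaded {totals[host]} bytes to OSS bucket endpoints")
```

In a real deployment the threshold should be tuned per host class (a user workstation pushing tens of megabytes to an unfamiliar OSS bucket at 02:00 is the interesting case), and the allowlist should be populated from change-managed integrations rather than hand-edited.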

Known Campaigns

Bronze Starlight is best understood through recurring intrusion clusters rather than one single branded campaign. Public reporting shows a pattern of rapidly changing ransomware families, repeated exploitation of exposed enterprise software, and sustained hands-on-keyboard activity before encryption.

LockFile / AtomSilo / Rook Operations (2021)

Secureworks linked Bronze Starlight to a sequence of short-lived ransomware families including LockFile, AtomSilo, and Rook, assessing that some incidents may have used ransomware as cover for intellectual property theft or espionage rather than purely for revenue.

Night Sky Following Log4Shell / Horizon Exploitation (2021-2022)

Microsoft reported that DEV-0401 exploited CVE-2021-44228 (Log4Shell) in VMware Horizon and followed it with Night Sky ransomware deployment. Microsoft also linked the same operator to exploitation of Confluence and on-premises Exchange vulnerabilities.

Cheerscrypt and Emperor Dragonfly Rebranding (2022)

Sygnia concluded that Cheerscrypt and Night Sky were rebrands of a single ransomware group it named Emperor Dragonfly, also known as DEV-0401 and Bronze Starlight. In the investigated intrusion, the actor maintained access for months and encrypted both Windows and ESXi systems.

Tools & Malware

Public reporting links Bronze Starlight to a mix of Chinese intrusion tooling, common post-exploitation frameworks, and a rotating set of ransomware payloads.

  • HUI Loader: A loader documented by Secureworks in Bronze Starlight intrusions and one of the stronger indicators of overlap with Chinese intrusion tradecraft.
  • PlugX and Cobalt Strike: Used for command and control, follow-on execution, and interactive intrusion activity after initial compromise.
  • Ransomware families: LockFile, AtomSilo, Rook, Night Sky, Pandora, and Cheerscrypt-linked payloads have all been associated with this cluster or its closely related aliases.
  • Impacket and scripted deployment: Reporting also notes use of Impacket tooling, batch scripts, and Group Policy-based ransomware deployment.

Mitigation & Defense

Because Bronze Starlight frequently gains access by exploiting internet-facing software and then pivots into hands-on-keyboard deployment, defensive strategy should emphasize external attack surface reduction, rapid exploitation detection, and controls that make broad ransomware rollout materially harder.

  • Prioritize external patching: Aggressively patch or isolate VMware Horizon, Exchange, Confluence, ManageEngine, and other public-facing systems with a history of exploitation by this cluster.
  • Monitor post-exploitation tooling: Hunt for HUI Loader, PlugX, Cobalt Strike, Impacket execution, suspicious PowerShell, and service creation shortly after exploitation events.
  • Constrain enterprise-wide deployment paths: Alert on unusual Group Policy changes, emergency batch-script rollouts, mass scheduled task creation, and high-volume file encryption activity affecting Windows and ESXi environments.

Note: Bronze Starlight is best treated as an alias cluster rather than a universally standardized standalone name. MITRE ATT&CK currently uses Cinnamon Tempest (G1021) as the canonical group entry and lists DEV-0401, Emperor Dragonfly, and BRONZE STARLIGHT as associated group names, so it is useful to show the alias mapping clearly in operational content.
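One way to turn the three defensive bullets above into a single correlation rule, as an added example that is not part of the original profile or any vendor's detection content: flag a host where a web-application process spawns a shell (the T1190 to T1059.001 step), a new service is installed shortly afterwards (T1543.003), and then escalate if a Group Policy object changes anywhere in the domain within the following hours (T1484.001). The event records are simplified Sysmon/Windows-Security-style dictionaries; the parent process names (`ws_TomcatService.exe` is VMware Horizon's Tomcat service, `w3wp.exe` is IIS), hostnames, service names and both time windows are assumptions chosen for illustration.

```python
"""Correlate an exploitation chain on one host and escalate on a later GPO change.

Added example, not part of the original profile. Event shapes, process names,
hostnames and windows are assumptions; map your EDR/SIEM fields onto them.
"""
from datetime import datetime, timedelta

# Parent processes belonging to commonly exploited web applications (assumption:
# ws_TomcatService.exe = VMware Horizon Tomcat, w3wp.exe = IIS/Exchange worker).
WEB_APP_PARENTS = {"ws_tomcatservice.exe", "w3wp.exe", "tomcat9.exe", "java.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample events (not real telemetry). Order is irrelevant; we sort.
SAMPLE_EVENTS = [
    {"ts": "2022-01-10T03:02:10", "host": "HORIZON-CS01", "kind": "process",
     "parent": "ws_TomcatService.exe", "image": "powershell.exe"},
    {"ts": "2022-01-10T03:04:55", "host": "HORIZON-CS01", "kind": "service_install",
     "name": "WinSvcUpd", "path": "C:\\ProgramData\\svc.exe"},
    {"ts": "2022-01-10T03:40:31", "host": "DC01", "kind": "gpo_modified",
     "object": "Default Domain Policy"},
    # Benign-looking activity on another host: interactive shell, vendor agent install.
    {"ts": "2022-01-10T08:15:00", "host": "WS-DEV-03", "kind": "process",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2022-01-10T08:20:00", "host": "WS-DEV-03", "kind": "service_install",
     "name": "VendorAgent", "path": "C:\\Program Files\\Vendor\\agent.exe"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_exploit_chains(events, window=timedelta(minutes=30)):
    """Per host: a web-app child shell followed by a service install within `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    chains = []
    for host, evs in by_host.items():
        spawns = [e for e in evs if e["kind"] == "process"
                  and e["parent"].lower() in WEB_APP_PARENTS
                  and e["image"].lower() in SHELLS]
        installs = [e for e in evs if e["kind"] == "service_install"]
        for spawn in spawns:
            for inst in installs:
                gap = _t(inst["ts"]) - _t(spawn["ts"])
                if timedelta(0) <= gap <= window:
                    chains.append({"host": host, "spawn": spawn["ts"],
                                   "service": inst["name"], "severity": "high"})
                    break  # one alert per spawn is enough for triage
    return chains


def escalate_with_gpo(events, chains, window=timedelta(hours=2)):
    """Raise a chain to critical when any GPO change follows it within `window`.

    GPO edits happen on a domain controller, not the exploited host, so this
    stage correlates across hosts rather than within one.
    """
    gpo_times = [_t(e["ts"]) for e in events if e["kind"] == "gpo_modified"]
    escalated = []
    for chain in chains:
        start = _t(chain["spawn"])
        if any(timedelta(0) <= g - start <= window for g in gpo_times):
            chain = {**chain, "severity": "critical",
                     "reason": "GPO modified after exploitation chain"}
        escalated.append(chain)
    return escalated


def triage(events):
    """Full pipeline: exploitation chain per host, then domain-wide GPO escalation."""
    return escalate_with_gpo(events, find_exploit_chains(events))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The two windows are deliberately asymmetric: the service install typically follows the web-shell spawn within minutes, while the Group Policy push that stages ransomware can come hours later, so the second window is wider and the GPO event is allowed to originate from a different host.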
