
TA410

Also known as: Witchetty

TA410 is a China-nexus cyberespionage actor described in the underlying reporting as an umbrella group loosely linked to APT10 but tracked as a distinct entity; the same reporting also refers to it under the alias Witchetty. It is associated with sustained espionage activity against the U.S. utilities sector, Middle Eastern governments, and Japanese organizations.

Proofpoint attributed both the LookBack and FlowCloud campaigns observed between July and November 2019 to TA410, based on shared attachment macros, malware installation techniques, and overlapping delivery infrastructure. In those campaigns TA410 targeted U.S. utility providers with phishing lures themed around energy training and certification, impersonating organizations such as ASCE, NCEES, and Global Energy Certification; in some cases both malware families were sent to the same companies and the same recipients. TA410 later shifted FlowCloud delivery from PE attachments to macro-enabled Word documents whose tradecraft mirrored LookBack: handling of .pem files, renaming of payloads, certutil-related execution, and overlapping staging infrastructure.

FlowCloud, attributed to TA410 in that reporting, is a modular C++ remote access trojan that gives the operator broad control of the host: files, processes, services, screen, keyboard, mouse, clipboard, and data exfiltration. It used legitimate and imitation QQ components during execution, stored its configuration and keylogger output in registry keys, and communicated with its command-and-control infrastructure over a custom encrypted binary protocol. Proofpoint assessed that FlowCloud may have been active since at least 2016. ESET additionally reported an XLL stage in TA410 activity in 2020.
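The macro-to-certutil delivery chain described above is easiest to hunt for in process-creation telemetry: an Office application spawning a LOLBin, and certutil being asked to decode something with a .pem name. The script below is an added example, not code from the page or from any vendor report; the Sysmon-style event fields (Image, ParentImage, CommandLine) are assumed, the five events are constructed for illustration, and the exact command lines TA410 used are not known from this page, so the regexes encode the generic technique rather than an actor-specific indicator.

```python
import re

# Office hosts whose child processes deserve scrutiny (assumption: generic list, not a TA410 IOC).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# LOLBins a macro typically hands off to (assumption: generic list).
MACRO_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "rundll32.exe",
                  "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\X\\WINWORD.EXE' -> 'winword.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict) -> list:
    """Return the reasons a process-creation event is suspicious (empty list when it is not)."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    # Office application spawning a scripting host or LOLBin: macro hand-off.
    if parent in OFFICE_PARENTS and image in MACRO_CHILDREN:
        reasons.append(f"office child: {parent} -> {image}")
    # certutil used as a decoder/downloader; checked on the command line so a
    # 'cmd /c certutil ...' wrapper is caught as well as a direct certutil.exe launch.
    if "certutil" in cmd.lower():
        if re.search(r"-decode(hex)?\b", cmd, re.I):
            reasons.append("certutil decode")
        if re.search(r"-urlcache\b", cmd, re.I):
            reasons.append("certutil urlcache")
        if re.search(r"\S+\.pem\b", cmd, re.I):
            reasons.append("certutil with .pem argument")
    return reasons


def hunt(events: list) -> dict:
    """Map event id -> reasons for every flagged event; benign events are dropped."""
    flagged = {}
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            flagged[ev["Id"]] = reasons
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Id": "evt-1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -decode C:\Users\alice\AppData\Local\Temp\cert.pem "
                    r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"Id": "evt-2",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Tools\putty.exe SHA256"},      # legitimate admin use
    {"Id": "evt-3",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Id": "evt-4",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Users\Public\addin.dll"},
    {"Id": "evt-5",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",                                # printing helper, benign
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

The Office-parent check on its own is noisy (evt-5 shows a normal child that is deliberately not flagged), which is why the certutil conditions are scored separately: an event that collects both an Office hand-off and a certutil decode of a .pem file is the combination worth paging on.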
Cisco Talos likewise describes TA410 as a cyberespionage umbrella group loosely linked to APT10, and cites a TA410-related process-injection DLL, onkeytoken_keb.dll. The file exports xlAutoOpen, the entry point Excel calls when it loads an XLL add-in, but the injection is triggered from a different export, OnKeyT_ContextInit, so triage that only inspects the XLL entry point would miss the relevant code. Additional reporting notes that TA410 notably targeted Japanese organizations with FlowCloud. While the reporting notes overlaps between TA410 and APT10/TA429 tactics or infrastructure, it explicitly tracks TA410 as a distinct entity and cautions that some overlaps may reflect shared tooling, infrastructure, or possible false-flag reuse rather than direct attribution to APT10.
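A quick static check for the XLL stage mentioned in the ESET and Talos reporting above is to read a suspect DLL's export table and ask two questions: does it export xlAutoOpen (so Excel would run it as an add-in), and which exports are not part of the Excel XLL SDK? The Talos sample fits that pattern: xlAutoOpen is present, but OnKeyT_ContextInit is the export that actually matters. The script below is an added example, not code from the page or from Talos; it uses only the standard library, so it walks the PE headers itself, and the PE32+ image it parses is constructed in build_sample_pe as a fixture carrying the two export names the page cites (it contains no code and is not the real onkeytoken_keb.dll).

```python
from __future__ import annotations
import struct

# Exports defined by the Excel XLL SDK; Excel calls xlAutoOpen when the add-in loads.
XLL_SDK_EXPORTS = {
    "xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
    "xlAutoRegister", "xlAutoRegister12", "xlAutoFree", "xlAutoFree12",
    "xlAddInManagerInfo", "xlAddInManagerInfo12",
}


def _rva_to_offset(rva: int, sections: list) -> int:
    """Map an RVA to a file offset via the section table entries (va, vsize, raw_ptr, raw_size)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_export_names(data: bytes) -> list:
    """Walk MZ -> PE -> optional header -> export directory and return the exported names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)      # data directories: PE32+ vs PE32
    export_rva = struct.unpack_from("<I", data, dd_off)[0]   # entry 0 = export table
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if export_rva == 0:
        return []
    ed = _rva_to_offset(export_rva, sections)
    num_names = struct.unpack_from("<I", data, ed + 24)[0]          # NumberOfNames
    names_off = _rva_to_offset(struct.unpack_from("<I", data, ed + 32)[0], sections)  # AddressOfNames
    name_rvas = struct.unpack_from(f"<{num_names}I", data, names_off)
    return [_cstring(data, _rva_to_offset(r, sections)) for r in name_rvas]


def triage_xll(data: bytes) -> dict:
    """Flag an XLL entry point and list exports that the XLL SDK does not account for."""
    names = pe_export_names(data)
    return {
        "exports": names,
        "has_xll_entrypoint": "xlAutoOpen" in names,
        "non_sdk_exports": [n for n in names if n not in XLL_SDK_EXPORTS],
    }


def build_sample_pe(dll_name: str, exports: list) -> bytes:
    """Constructed PE32+ DLL containing only an export table: a parser fixture, not malware."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(exports)
    funcs_off, names_off, ords_off, str_off = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings = dll_name.encode() + b"\0"
    name_rvas = []
    for e in exports:
        name_rvas.append(sec_rva + str_off + len(strings))
        strings += e.encode() + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + str_off, 1, n, n,
                        sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off)
    edata += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # placeholder code RVAs
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n))
    edata += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)       # x64, 1 section, DLL
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<II", sec_rva, len(edata))
    opt += b"\0" * (240 - len(opt))
    sec = struct.pack("<8sIIII", b".edata", len(edata), sec_rva, len(edata), sec_raw) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + sec
    return headers + b"\0" * (sec_raw - len(headers)) + edata


# Export names are the two the Talos description cites; the bytes themselves are constructed.
SAMPLE = build_sample_pe("onkeytoken_keb.dll", ["OnKeyT_ContextInit", "xlAutoOpen"])

if __name__ == "__main__":
    print(triage_xll(SAMPLE))
```

The output for the fixture flags has_xll_entrypoint and leaves OnKeyT_ContextInit as the one export the SDK does not explain, which is exactly where an analyst should start disassembling. The check only says where to look; it cannot by itself confirm injection, and a real sample may keep xlAutoOpen non-trivial as well.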


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Utilities

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

MITRE ATT&CK

Tradecraft

14 distinct techniques observed across reporting, grouped by tactic.

10 of 15 tactics covered. Where shown, ×N is the number of intelligence reports citing that technique.

TA0001 Initial Access (1 technique)
  • T1566 Phishing: T1566.001 Spearphishing Attachment

TA0002 Execution (2 techniques)
  • T1059 Command and Scripting Interpreter: T1059.005 Visual Basic
  • T1204 User Execution: T1204.002 Malicious File

TA0003 Persistence (2 techniques)
  • T1112 Modify Registry
  • T1543 Create or Modify System Process: T1543.003 Windows Service

TA0004 Privilege Escalation (2 techniques)
  • T1055 Process Injection
  • T1543 Create or Modify System Process: T1543.003 Windows Service

TA0005 Defense Evasion (3 techniques)
  • T1036 Masquerading
  • T1055 Process Injection
  • T1218 System Binary Proxy Execution: T1218.010 Regsvr32

TA0112 Defense Impairment (1 technique)
  • T1112 Modify Registry

TA0006 Credential Access (1 technique)
  • T1056 Input Capture: T1056.001 Keylogging

TA0009 Collection (1 technique)
  • T1056 Input Capture: T1056.001 Keylogging

TA0011 Command and Control (3 techniques)
  • T1071 Application Layer Protocol
  • T1105 Ingress Tool Transfer
  • T1219 Remote Access Tools

TA0010 Exfiltration (1 technique)
  • T1041 Exfiltration Over C2 Channel
IOCS

Observables

35 indicators (domains, IPs, hashes, and other artifacts) are attributed to this actor in the underlying reporting. The indicator values themselves are gated and are only available inside Mallory, where they can also be exported to a SIEM.
