BlackTech

BlackTech is a China-linked espionage threat actor active since at least 2010. Reported aliases include APT24, Canary Typhoon, Circuit Panda, Palmerworm, and Pitty Panda. U.S. and Japanese government agencies attributed router-focused intrusions in the United States and Japan to BlackTech and described the group as tied to the government of China. Taiwan’s National Security Bureau also named BlackTech among Chinese threat groups involved in sustained cyber activity targeting Taiwan’s critical infrastructure and other sectors. BlackTech has targeted government and private-sector organizations, including industrial, technology, media, electronics, and telecommunications entities, and reporting also notes attacks against Japanese companies. Taiwan NSB reporting associates BlackTech with activity affecting energy, healthcare, communications and transmission, administration and agencies, and technology sectors. Observed tradecraft includes spearphishing emails with malicious documents and password-protected ZIP or RAR archives, use of malicious files for execution, exploitation of public-facing applications, and SSH-related lateral movement. BlackTech has exploited CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0, to establish a new HTTP or command-and-control server. Government reporting states the group exploits routers, modifies router firmware for persistence, disables logging, abuses trusted network relationships, and pivots from branch offices or subsidiaries into broader corporate and headquarters networks. BlackTech has also used stolen code-signing certificates and custom malware to evade detection. Tools and malware explicitly associated with BlackTech in the provided content include PuTTY, SNScan, PsExec, and malware families such as Flagpro, BendyBear, Bifrose, BTSDoor, FakeDead, TSCookie, FrontShell, IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear.