menuPass

menuPass is a China-linked cyber espionage threat actor tracked since at least 2009 and widely known as APT10. Reported aliases in the provided content include Aeon, Bronze Riverside, ChChes, Cicada, CVNX, Foxmail, Foxtrot, Golem, Haymaker, Hogfish, LiveSafe, MenuPass, Potassium, Purple Typhoon, Red Apollo, Stone Panda, and Webmonder. The content identifies the group as China-based and cites U.S. Government attribution of related activity to Chinese cyber actors associated with the Ministry of State Security; separate reporting in the content discusses possible links between STONE PANDA/APT10 and the MSS Tianjin Bureau, though not all such claims were independently confirmed. The group has conducted long-running espionage operations against construction, engineering, aerospace, telecommunications, government, healthcare, technology, communications, critical manufacturing, and managed service provider / IT service provider targets. Reported victim geography includes the United States, Europe, Japan, India, Northern Europe, South America, and at least 12 countries overall. The content states that APT10 targeted Japanese organizations and government departments, compromised multiple global and U.S. IT service providers and their customers, and used service-provider access as a foothold into downstream victims in Operation Cloud Hopper. Tradecraft described in the content includes spearphishing with malicious Office documents, executables disguised as documents, ZIP attachments, .lnk files in archives, double-extension files, and malicious macros. menuPass/APT10 used macros to execute files, certutil to decode Base64-encoded content, PowerShell and PowerSploit for execution and shellcode injection, command-line and reverse shell execution, WMI and modified wmiexec.vbs for remote command execution, and atexec.py via Task Scheduler. The group used and modified open-source tools including Impacket, Mimikatz, pwdump, QuasarRAT, PowerSploit, and repurposed administrative tools. Reported defense evasion and anti-forensics behaviors include changing malicious files to appear legitimate, Base64 and single-byte XOR string obfuscation, DLL side-loading, in-memory malware, use of stolen certificates, and deletion of decoded/decompressed files by macros. Malware and tooling directly associated in the content include EvilGrab, ChChes, RedLeaves, Poison Ivy, PlugX/SOGU, QuasarRAT, HAYMAKER, SNUGRIDE, BUGJUICE, and REDLEAVES. The content describes tactical malware for initial footholds and sustained malware for long-term persistence, with retooling from mid-2016 onward through internal development and modification of open-source code. menuPass/APT10 has been reported collecting files from compromised computers, staging data prior to exfiltration in multipart archives often saved in the Recycle Bin, and staging data on remote MSP systems or other victim networks before exfiltration. FireEye reporting in the content also notes routing SOGU command-and-control traffic through a victim service provider's infrastructure to mask command-and-control and exfiltration traffic.