Skip to main content
Mallory
Back to threat actors
China48 malware familiesExploits CVEs in the wild

Ke3chang

Also known asAPT15blacksuitbronze_davenportbronze_idlewoodbronze_palacefleag0004GREFke3changmetushyMirageNICKELNylon TyphoonPlayful Dragonplayful_taurusred_vultureRedRiverroyalroyal_aptroyal_ransomwareroyal_ransomware_gangroyal_ransomware_groupRoyalAPTsocial_network_teamVIXEN PANDA

Ke3chang is a China-aligned cyber espionage threat actor. The provided content associates Ke3chang with the aliases APT15, Nickel, Nylon Typhoon, Flea, Mirage, Playful Dragon, Playful Taurus, RoyalAPT, Vixen Panda, GREF, Metushy, Red Vulture, and Social Network Team. The content also notes reporting that BadBazaar was attributed by Lookout to APT15, but separately states that attribution should be limited to GREF and that a link between GREF and APT15 could not be confirmed, indicating aliasing in this area is not fully resolved. Based on the content, Ke3chang has targeted at least a Canadian mining company in 2021. Its tradecraft includes persistence via Registry Run keys and batch scripts; process discovery using tasklist; command execution through the Windows command-line interface; collection of system language ID from compromised machines; use of credential theft tooling such as Mimikatz; gathering of information and files from local directories for exfiltration; and transfer of compressed and encrypted RAR archives over an established backdoor command-and-control channel. The actor has also dropped malware into legitimate installed software paths, including under Realtek, Foxit Reader, Adobe Flash Player, and Adobe Acrobat Reader directories.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

60 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

15 of 15 tactics91 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
3 techniques
T1591
Gather Victim Org Information
T1595
Active Scanning
T1598
Phishing for Information
T1598.004×2
Spearphishing Voice
TA0042
Resource Development
4 techniques
T1583
Acquire Infrastructure
T1587
Develop Capabilities
T1587.001×2
Malware
T1588
Obtain Capabilities
T1588.002
Tool
T1608
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
4 techniques
T1078×3
Valid Accounts
T1078.004×2
Cloud Accounts
T1133
External Remote Services
T1189
Drive-by Compromise
T1566
Phishing
T1566.003
Spearphishing via Service
T1566.004
Spearphishing Voice
TA0002
Execution
5 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1059×5
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.003×5
Windows Command Shell
T1129
Shared Modules
T1203
Exploitation for Client Execution
T1204
User Execution
T1204.002
Malicious File
TA0003
Persistence
8 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1078×3
Valid Accounts
T1078.004×2
Cloud Accounts
T1112
Modify Registry
T1133
External Remote Services
T1136×2
Create Account
T1505
Server Software Component
T1505.003
Web Shell
T1543
Create or Modify System Process
T1543.001
Launch Agent
T1547
Boot or Logon Autostart Execution
T1547.001×3
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
5 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1078×3
Valid Accounts
T1078.004×2
Cloud Accounts
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1543
Create or Modify System Process
T1543.001
Launch Agent
T1547
Boot or Logon Autostart Execution
T1547.001×3
Registry Run Keys / Startup Folder
TA0005
Stealth
4 techniques
T1027
Obfuscated Files or Information
T1036
Masquerading
T1036.005
Match Legitimate Resource Name or Location
T1070
Indicator Removal
T1070.004
File Deletion
T1078×3
Valid Accounts
T1078.004×2
Cloud Accounts
TA0112
Defense Impairment
2 techniques
T1112
Modify Registry
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
TA0006
Credential Access
3 techniques
T1003×2
OS Credential Dumping
T1056
Input Capture
T1056.001
Keylogging
T1187
Forced Authentication
TA0007
Discovery
8 techniques
T1016
System Network Configuration Discovery
T1018
Remote System Discovery
T1033
System Owner/User Discovery
T1046
Network Service Discovery
T1057
Process Discovery
T1082
System Information Discovery
T1083
File and Directory Discovery
T1614
System Location Discovery
T1614.001×2
System Language Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1021.002×2
SMB/Windows Admin Shares
TA0009
Collection
4 techniques
T1005×2
Data from Local System
T1056
Input Capture
T1056.001
Keylogging
T1113
Screen Capture
T1560×3
Archive Collected Data
TA0011
Command and Control
4 techniques
T1071×4
Application Layer Protocol
T1071.001
Web Protocols
T1102
Web Service
T1105×3
Ingress Tool Transfer
T1219
Remote Access Tools
TA0010
Exfiltration
2 techniques
T1041×3
Exfiltration Over C2 Channel
T1567×2
Exfiltration Over Web Service
TA0040
Impact
2 techniques
T1486×10
Data Encrypted for Impact
T1657×2
Financial Theft
ARSENAL

Associated malware families

48 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
MimikatzAPT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.5May 26, 2026
BADBAZAARThe malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned APT group called GREF.4May 31, 2026
ShadowPad"...led to the deployment of ShadowPad that's obfuscated using ScatterBrain."4Mar 18, 2026
BS2005BS2005/Ketrican/Graphican (one family with minor differences in functionality between members)... This matches the capabilities of the BS2005 malware family used by the Ke3chang actor.3May 26, 2026
GOREshell...employing an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell.3Mar 18, 2026

43 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

15 CVEs this actor has used in observed campaigns. 15 of them exploited in the wild.

CVE-2010-0806Microsoft Internet Explorer Peer Objects Use-After-Free RCEIn the wildEvidence2

GREF was particularly active in the 2010 then it used different 0-day exploits, including CVE-2010-0806, CVE-2010-1297 and CVE-2010-2884 in its attacks.

CVE-2024-8190OS Command Injection RCE in Ivanti Cloud Services ApplianceIn the wildEvidence2

The intruders gained initial access by chaining two critical Ivanti bugs, CVE-2024-8963 and CVE-2024-8190, days before they were publicly disclosed.

CVE-2024-8963Path Traversal in Ivanti Cloud Services ApplianceIn the wildEvidence2

The intruders gained initial access by chaining two critical Ivanti bugs, CVE-2024-8963 and CVE-2024-8190, days before they were publicly disclosed.

CVE-2010-1297Adobe Flash Player AVM2 newfunction Memory Corruption RCEIn the wildEvidence1

GREF was particularly active in the 2010 then it used different 0-day exploits, including CVE-2010-0806, CVE-2010-1297 and CVE-2010-2884 in its attacks.

CVE-2010-2884Memory corruption in Adobe Flash Player and authplay.dllIn the wildEvidence1

GREF was particularly active in the 2010 then it used different 0-day exploits, including CVE-2010-0806, CVE-2010-1297 and CVE-2010-2884 in its attacks.

10 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

92 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

92 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
security online infoNews
Jun 4, 2026
Microsoft Teams Vishing Attack Drops Nimbus RAT

Referenced as an affiliate ecosystem previously associated with Nimbus RAT activity; in this content, the group is linked indirectly through prior documentation rather than identified as the actor conducting the current campaign.

Read more
esentire blogNews
May 28, 2026
Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT | eSentire

Associated with affiliate activity using Nimbus RAT in social-engineering intrusions involving Microsoft Teams vishing and remote access.

Read more
dark readingNews
May 28, 2026
As Global Powers Explore Humanoid Robots, Cyber-Risk Looms

Chinese cyberespionage activity targeting the mining sector, including a Canadian mining company, in support of strategic interest in critical minerals and embodied AI supply chains.

Read more
security affairsNews
May 21, 2026
U.S. CISA adds Microsoft and Adobe flaws to its Known Exploited Vulnerabilities catalog

Exploited CVE-2010-0806 as a zero-day in targeted attacks.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping60

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal48

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs15

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables92

Domains, IPs, and hashes tied to this actor, refreshed continuously.