🇨🇳 CN17 malware families

APT17

Also known asAPT17ATG3aurora pandaBlackflybronze universitybronze_exportdeputy dogDeputyDoghidden lynxred typhoonta415Tailgatertg-3279tg-8153

APT17 is a China-linked threat actor, assessed in the provided content as MSS-linked and active since at least 2009. The content links APT17 to high-profile campaigns such as Operation Aurora and identifies aliases including APT17, ATG3, Aurora Panda, Blackfly, Bronze Export, Bronze University, DeputyDog / Deputy Dog, Hidden Lynx, Red Typhoon, TA415, Tailgater, TG-3279, and TG-8153. The content also notes reporting that Blackfly and Grayfly are used to distinguish cybercrime and cyberespionage activity respectively, and that ShadowPad is associated with APT41-nexus groups such as Blackfly, Grayfly, and Redfly. Based on the provided material, APT17 has been associated with spear-phishing activity, including reporting on TA415-attributed campaigns targeting U.S. government, think tank, and academic organizations using U.S.-China economic-themed lures. The content also states that APT17 created Microsoft TechNet profile pages used as command-and-control infrastructure. The content associates APT17 with BLACKCOFFEE malware, describing it as a hallmark of APT17, and states that ZoxRPC evolved into ZoxPNG, also known as BLACKCOFFEE, which MITRE ATT&CK attributed to APT17 and APT41. The material further identifies Zeng Xiaoyong as a central figure or member of APT17 and links him specifically to BLACKCOFFEE and to development of an MS08-067 exploit associated with ZoxPRC. The content highlights substantial overlap between APT17 and APT41 in malware, developer relationships, and social connections, but presents this as overlap and interconnectedness rather than a definitive merger. It also notes that some reporting previously associated Voldemort activity with TA415 or APT41, while other analysis assessed a distinct cluster. The content additionally states that Bronze Export has targeted the entertainment and video game industries since at least 2009, with moderate-confidence assessment that it is based in the People’s Republic of China and focused on collecting video game source code for cracking, cheating tools, or competing products.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration
Academia & Research
Software & Services
Materials
Insurance
Capital Goods

Where they target

Geographies tied to known operations.

🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

48 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics77 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

3 techniques

T1583

Acquire Infrastructure

T1583.006×2

Web Services

T1585

Establish Accounts

T1587

Develop Capabilities

T1587.001

Malware

TA0001

Initial Access

3 techniques

T1078

Valid Accounts

T1190×4

Exploit Public-Facing Application

T1566

Phishing

T1566.001×6

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

5 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001×2

PowerShell

T1059.003×3

Windows Command Shell

T1059.006×2

Python

T1204

User Execution

T1204.002×4

Malicious File

T1569

System Services

T1569.002

Service Execution

T1574

Hijack Execution Flow

T1574.001×2

DLL

T1574.014×2

AppDomainManager

TA0003

Persistence

5 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1078

Valid Accounts

T1543

Create or Modify System Process

T1543.003×4

Windows Service

T1546

Event Triggered Execution

T1546.015

Component Object Model Hijacking

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

6 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1055×3

Process Injection

T1078

Valid Accounts

T1543

Create or Modify System Process

T1543.003×4

Windows Service

T1546

Event Triggered Execution

T1546.015

Component Object Model Hijacking

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0005

Stealth

7 techniques

T1027×4

Obfuscated Files or Information

T1036×3

Masquerading

T1036.005

Match Legitimate Resource Name or Location

T1055×3

Process Injection

T1078

Valid Accounts

T1140×2

Deobfuscate/Decode Files or Information

T1574

Hijack Execution Flow

T1574.001×2

DLL

T1574.014×2

AppDomainManager

T1620×2

Reflective Code Loading

TA0006

Credential Access

1 technique

T1649

Steal or Forge Authentication Certificates

TA0007

Discovery

3 techniques

T1033

System Owner/User Discovery

T1082×3

System Information Discovery

T1083×2

File and Directory Discovery

TA0008

Lateral Movement

2 techniques

T1021

Remote Services

T1021.004×3

SSH

T1210

Exploitation of Remote Services

TA0009

Collection

5 techniques

T1005

Data from Local System

T1074

Data Staged

T1113×4

Screen Capture

T1213

Data from Information Repositories

T1560×2

Archive Collected Data

T1560.001

Archive via Utility

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1071.001×4

Web Protocols

T1071.002

File Transfer Protocols

T1071.004×3

DNS

T1102

Web Service

T1102.002×2

Bidirectional Communication

T1102.003

One-Way Communication

T1105×2

Ingress Tool Transfer

T1219×2

Remote Access Tools

T1573

Encrypted Channel

TA0010

Exfiltration

2 techniques

T1020

Automated Exfiltration

T1041×4

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

17 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Cobalt StrikeResearchers at Check Point said the group has been active since mid-2024... deploy Cobalt Strike beacons for remote access.5Mar 6, 2026

GearDoor"...Silver Dragon deployed GearDoor, a new backdoor which leverages Google Drive as its command-and-control (C2) channel..."4Mar 7, 2026

SSHcmd"...deployed two additional custom tools: SSHcmd, a command-line utility that functions as a wrapper for SSH to facilitate remote access..."4Mar 7, 2026

VoldemortFollowing multiple phishing campaigns resulting in the delivery of the Voldemort backdoor in August 2024, Proofpoint observed TA415 shift tactics, techniques and procedures (TTPs) and adopt the use of VS Code Remote Tunnels.3May 31, 2026

BamboLoader"...a phishing campaign with a malicious LNK file as an attachment, a tactic linked to Silver Dragon based on the use of similar loaders, which the researchers collectively call 'BamboLoader.'"2Mar 4, 2026

12 additional families tracked in Mallory.

IOCS

Observables

44 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

44 IOCsView more in app

hash.sha256

23 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+15

Domains

10 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+2

uri

8 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

Email addresses

2 total

••••@•••••.••••••••@••••••.•••

ip.v4

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

ctoatncsc substackNews

Mar 7, 2026

CTO at NCSC Summary: week ending March 8th

Referenced as the broader China-nexus umbrella under which Silver Dragon likely operates.

scworldNews

Mar 5, 2026

New China-linked cyberespionage campaign exploits Windows, Google Drive | brief | SC Media

Referenced as the broader umbrella under which Silver Dragon is believed to operate; associated here with China-linked cyberespionage activity targeting government/public sector.

govinfosecurityNews

Mar 5, 2026

Breach Roundup: Patches and Hacks on Cisco Equipment

Referenced as an established Chinese espionage ecosystem that Silver Dragon’s activity overlaps with; no direct APT41 operation details are provided beyond the linkage/overlap claim.

csis chinese espionageNews

Mar 5, 2026

Survey of Chinese Espionage in the United States Since 2000 | Strategic Technologies Program | CSIS

China-linked espionage and financially motivated operations: collection from telecom, healthcare, semiconductor manufacturing, and machine learning organizations, plus virtual currency theft.

+185 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping48

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal17

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables44

Domains, IPs, and hashes tied to this actor, refreshed continuously.