🇨🇳 CN1 malware familyExploits CVEs in the wild

Mikroceen

Also known asMikroceen

Mikroceen is an advanced persistent threat group identified by ESET as one of multiple actors exploiting the Microsoft Exchange ProxyLogon vulnerabilities in early 2021. In the provided reporting, Mikroceen is also referred to as Vicious Panda. The group was observed compromising the Exchange server of a utility company in Central Asia, which the reporting notes is a region it typically targets. The broader Exchange exploitation activity involved deployment of web shells on unpatched on-premises Exchange servers, and the specific mention of Mikroceen states that the group injected versions of Mimikatz. The content places Mikroceen among the set of likely Chinese or Chinese-backed groups observed exploiting these Exchange flaws, but does not provide additional high-confidence detail on its tooling, sub-groups, or operations beyond the Central Asia utility-sector intrusion.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Utilities

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1190

Exploit Public-Facing Application

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Mimikatz"...installed a variety of Mimikatz malware, which is used as a post-exploitation tool to steal passwords from memory..."1Mar 18, 2026

WEAPONIZED

Associated vulnerabilities

4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.

CVE-2021-26855ProxyLogon SSRF in Microsoft Exchange ServerIn the wildEvidence1

Previously, Eset reported that about five APT groups has been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 ... Security firm Volexity spotted hackers targeting Exchange servers on Jan. 3, when it saw CVE-2021-26855 being exploited.

CVE-2021-26857Microsoft Exchange Unified Messaging insecure deserialization RCEIn the wildEvidence1

Previously, Eset reported that about five APT groups has been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065

CVE-2021-26858Microsoft Exchange Server post-auth arbitrary file write (ProxyLogon)In the wildEvidence1

Previously, Eset reported that about five APT groups has been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065

CVE-2021-27065ProxyLogon post-auth arbitrary file write in Microsoft Exchange ServerIn the wildEvidence1

Previously, Eset reported that about five APT groups has been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

bank info securityNews

Mar 11, 2021

Microsoft Exchange: At Least 10 APT Groups Exploiting Flaws

Post-patch exploitation of Exchange vulnerabilities against a Central Asian utility; deployed Mimikatz variants for credential theft.

bleeping computerNews

Mar 10, 2021

More hacking groups join Microsoft Exchange attack frenzy

Compromised a utility company's Exchange server in Central Asia as part of the ProxyLogon exploitation activity.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs4

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.