GroundPeony
GroundPeony is a suspected China-linked espionage threat actor reported to target organizations in Taiwan, Hong Kong, South Korea, Nepal, and India, including government agencies, educational and research institutions, and telecommunications operators. Public reporting links GroundPeony to Mofu Loader and to DLL side-loading infection chains. Researchers found strong technical overlap between GroundPeony and the cluster tracked as Ratel Master in their use of Mofu Loader: the same legitimate notifu.exe abused for DLL side-loading, execution via VerQueryValueW, the same API hashing logic, the same custom XOR routine, and the same XOR-plus-LZNT1 payload unpacking pattern, in which the PE header magic is stripped from the second-stage payload. A domain used as HemiGate C2, onedrivo[.]com, also matched a domain previously used by GroundPeony. Based on the shared malware code, loaders, and infrastructure, the cited researchers assessed likely cooperation, shared developers, or source-code sharing among GroundPeony, Ratel Master, and Earth Estries (also tracked as FamousSparrow). Separately, Bitdefender reported that Mofu Loader, previously attributed to GroundPeony, was used in an unsuccessful attempt to deploy TernDoor during a 2025-2026 intrusion attributed to FamousSparrow/UAT-9244.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Academia & Research
- Telecommunication Services
Where they target
Geographies tied to known operations.
- 🇹🇼 Taiwan
- 🇭🇰 Hong Kong SAR China
- 🇰🇷 South Korea
- 🇳🇵 Nepal
- 🇮🇳 India
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Referenced because Mofu Loader had previously been attributed to this group; no direct role in the Azerbaijani intrusion is stated.
Cyberespionage activity targeting government, education/research, and telecommunications organizations in Taiwan, Hong Kong, South Korea, Nepal, and India. Reporting links GroundPeony to micDown and to use of Mofu Loader, and notes infrastructure overlap with Earth Estries and loader overlap with Ratel Master.