Threat Emulation: APT27


Welcome to the April 2023 SCYTHE #ThreatThursday! This edition features an emulation based on APT27.

Executive Summary

APT27, also known as EmissaryPanda, is a state-sponsored group believed to be operating out of China, potentially under the direction of the People’s Liberation Army. This group is known for extensively using watering hole and spear-phishing attacks to target its victims. Active since at least 2010, APT27 leverages custom malware and exploits multiple vulnerabilities to achieve its objectives. Given this group is currently active and has already shown advanced capabilities by continuously updating its tactics, techniques, and procedures researchers recommend organizations stay alert and proactively track this threat group.

Cyber Threat Intelligence


APT27 often uses spear-fishing or exploits vulnerable web applications to achieve initial access. It appears to operate as part of a larger syndicate of Chinese sponsored cyber espionage groups known as TiltedTemple (APT27, APT30, APT31, and GALLIUM). Traditionally, APT27 appears to focus their efforts on cyber espionage but in recent years have expanded their tactics toward financially motivated cybercrime. This threat actor uses a combination of custom malware, malware that appears to be shared amongst other Chinese sponsored groups, and publically available open source software. Well known malware such as Gh0st RAT, PLugX, SysUpdate, and HyperBro have all been strongly linked to APT27. With regular updates and maintenance of their toolset, APT27 has been able to adapt quickly and bypass traditional security detections.


  • EmissaryPanda
  • LuckyMouse
  • Iron Tiger
  • Mustang Panda


Known sectors of interest include defense contractors, aerospace, telecommunication, energy, manufacturing, technology, education, and governmental organizations. Target regions include much of Asia - particularly Taiwan, North and South America, and the Middle East.

This threat actor is also known for exploiting internet facing applications to gain initial access (specifically MySQL, Microsoft SharePoint, Apache Zookeeper, and Microsoft Exchange servers).


  • Cyber Espionage
  • Data Theft
  • Financial Gain


  • Initial Access
    • Exploitation of web applications
    • ProxyLogon vulnerabilities
  • Reconnaissance
    • Automated collection of network and domain characteristics
    • Use of built-in windows commands such as ipconfig, net use, whoami
    • PsLoggedon.exe use
  • Lateral movement
    • RDP
  • Credential Dumping
    • Mimikatz
    • LSASS
    • NTDS
  • Data Exfiltration
    • Use of rar.exe
  • Defense Evasion
    • Add exclusion path to Defender
    • Deletion of artifacts
  • Persistence
    • HyberBro malware
      • In-memory RAT used for backdoor access
      • Relies on DLL search order hijacking and DLL side-loading


Automated Emulation

Our emulation features a number of interesting TTPs observed by the Intrinsec Research Team. SCYTHE customers can check out the full blog post and download this plan via the customer portal.

Happy Hunting  : )


Latest Posts

Threat Thursday: February
February 22,2024
Threat Thursday: January
January 18,2024
Threat Thursday Buzz
November 16,2023