> threat_actor APT10 —— origin: China (MSS / Tianjin Bureau) —— alias: Stone Panda / MenuPass —— signature: MSP supply chain compromise
APT10 — also tracked as Stone Panda, MenuPass, Red Apollo, CVNX, POTASSIUM, Cicada, ChessMaster, and Cloud Hopper — is a Chinese state-sponsored threat group that has been conducting cyber espionage operations since at least 2006, making it one of the longest-running advanced persistent threat groups in the modern landscape. APT10's defining strategic innovation was the systematic targeting of managed service providers (MSPs) — the IT outsourcing companies that manage infrastructure, networks, and applications for thousands of organisations worldwide. By compromising a single MSP, APT10 gained access to the networks of every downstream client that MSP served, turning trusted business relationships into attack vectors at an industrial scale.
The campaign that brought APT10 to global prominence — Operation Cloud Hopper — was one of the largest and most strategically significant cyber espionage operations ever documented. First publicly exposed in 2017 by PwC and BAE Systems, Cloud Hopper revealed that APT10 had systematically compromised multiple major MSPs and cloud service providers across North America, Europe, and the Asia-Pacific region, using that access to exfiltrate intellectual property and sensitive data from their clients in aerospace, defence, engineering, government, healthcare, telecommunications, and dozens of other sectors. The operation exploited a fundamental vulnerability in modern enterprise architecture: the trust placed in third-party service providers who hold privileged access to client environments.
APT10's operations extend well beyond Cloud Hopper. The group has conducted sustained campaigns targeting Japanese organisations — tracked as the A41APT campaign — deploying sophisticated backdoors including LODEINFO and NOOPDOOR specifically tailored for Japanese-language environments. They have targeted telecommunications providers in Operation Soft Cell, compromising core network infrastructure to enable surveillance of individuals of intelligence interest. The US Department of Justice indicted two APT10 members — Zhu Hua (朱华) and Zhang Shilong (张士龙) — in December 2018, charging them with conspiracy to commit computer intrusions, wire fraud, and aggravated identity theft. Despite the indictments, APT10 has continued to evolve its tooling and tradecraft, demonstrating the resilience and persistence that characterise state-sponsored threat groups operating with the backing of a major intelligence service.
| Attribute | Detail |
|---|---|
| Tracked Names | APT10 (Mandiant/Google), Stone Panda (CrowdStrike), MenuPass (Trend Micro/JPCERT), Red Apollo (PwC), CVNX (legacy), POTASSIUM (Microsoft, legacy), Cicada (Symantec), ChessMaster (Trend Micro), Cloud Hopper (PwC/BAE Systems, campaign name used as group alias) |
| Country of Origin | People's Republic of China — APT10's operations are attributed to the Ministry of State Security (MSS), specifically the Tianjin State Security Bureau, a regional bureau of China's primary civilian intelligence agency. The Tianjin bureau has been identified by multiple intelligence agencies and the US DOJ as the organisational entity directing APT10's operations, providing tasking, infrastructure support, and operational cover. |
| Suspected Affiliation | Huaying Haitai Science and Technology Development Company (天津华盈海泰科技发展有限公司) — a Tianjin-based technology company identified in the 2018 US DOJ indictment as the front company through which APT10 operators Zhu Hua (朱华, aka Afwar, aka CVNX, aka Alayos, aka Godkiller) and Zhang Shilong (张士龙, aka Baobeilong, aka Zhang Jianguo) conducted their operations. The company operated under the direction and support of the Tianjin MSS bureau. Zhu and Zhang were members of the company who performed hacking operations at the direction and in association with the MSS. |
| First Observed | At least 2006, with initial campaigns targeting Japanese organisations using spear-phishing emails and the Poison Ivy RAT. The group's earliest operations focused on government, defence, and academic institutions in Japan, establishing a targeting pattern that would persist throughout their operational history. By 2009–2010, APT10 had expanded to target organisations in the United States, Europe, and other regions across Asia-Pacific. |
| Primary Motivation | State-directed cyber espionage — strategic intelligence collection aligned with China's national interests, including intellectual property theft in aerospace, defence, and advanced manufacturing; government intelligence gathering; and support for China's economic development objectives. APT10's targeting of MSPs and cloud providers was designed to provide scalable, efficient access to the networks of hundreds of organisations simultaneously, maximising intelligence yield while minimising operational exposure. Unlike APT41, APT10 has no documented financially motivated criminal operations — their mandate appears purely espionage-driven. |
APT10's targeting strategy is defined by a two-tier approach: direct targeting of specific sectors aligned with Chinese intelligence priorities, and indirect targeting of virtually every sector through the compromise of managed service providers. Operation Cloud Hopper gave APT10 access to the client networks of compromised MSPs — meaning that a single MSP compromise could yield access to organisations across healthcare, finance, defence, energy, and government simultaneously. This indirect access model makes APT10's effective target scope significantly broader than their direct campaigns alone would suggest. The group has targeted organisations across the United States, United Kingdom, Canada, Australia, Japan, India, Brazil, France, Germany, Switzerland, Sweden, Finland, Norway, and numerous other countries.
| Sector | Strategic Value | Observed Targeting |
|---|---|---|
| Managed Service Providers | Privileged access to thousands of downstream client networks; single compromise yields multi-sector intelligence collection at scale | APT10's signature targeting. Operation Cloud Hopper compromised multiple major global MSPs including companies managing IT infrastructure for Fortune 500 corporations and government agencies. APT10 exploited the trusted network connections, VPN tunnels, and administrative credentials that MSPs use to manage client environments — pivoting from MSP infrastructure directly into client networks. |
| Aerospace & Defence | Military technology, satellite systems, weapons platform specifications, and classified defence research aligned with PLA modernisation goals | Sustained targeting of defence contractors and aerospace manufacturers in the US, UK, and Japan. Exfiltrated data related to jet engine technology, military vehicle designs, missile systems, and satellite communications. Multiple defence organisations were accessed through compromised MSPs in Operation Cloud Hopper. |
| Government | Diplomatic intelligence, policy documents, government employee PII, and strategic planning information | Targeted government agencies in Japan, the United States, United Kingdom, and several European and Southeast Asian nations. Early campaigns focused heavily on Japanese government ministries. Cloud Hopper provided indirect access to government clients of compromised MSPs. |
| Telecommunications | Call detail records, subscriber data, network architecture, and capability to conduct surveillance of individuals of intelligence interest | Operation Soft Cell (identified by Cybereason in 2019) revealed APT10 compromise of telecommunications providers, with the group gaining deep access to core network infrastructure. Operators exfiltrated call detail records for specific individuals — enabling tracking of movements, communications, and associations without direct device compromise. |
| Engineering & Manufacturing | Intellectual property, industrial designs, process technology, and trade secrets supporting China's advanced manufacturing ambitions | Targeted engineering firms, maritime technology companies, and manufacturing organisations across the US, Europe, and Japan. Exfiltrated proprietary designs, engineering specifications, and research data aligned with sectors prioritised in China's industrial policy. |
| Healthcare & Pharmaceuticals | Medical research, pharmaceutical IP, clinical trial data, and patient records supporting China's biotech development | Targeted healthcare organisations and pharmaceutical companies, both directly and through compromised MSPs. Access to healthcare sector data included patient records, research data, and administrative systems. |
| Energy & Mining | Resource exploration data, extraction technologies, energy infrastructure details, and strategic resource intelligence | Targeted energy companies and mining operations across multiple continents. Exfiltrated data related to resource exploration, processing technologies, and strategic energy planning — intelligence that supports China's resource security objectives. |
| Academic & Research Institutions | Cutting-edge research, intellectual property, and access to collaborative networks with government and defence organisations | Targeted universities and research institutions in Japan, the US, and Europe — particularly those with partnerships in defence, aerospace, and advanced technology research. Japanese academic institutions were among APT10's earliest and most consistent targets. |
APT10's signature technique — and the capability that distinguishes them from most other threat groups — is the systematic compromise of managed service providers as a vector to access downstream client networks. This is not a traditional supply chain attack in the software sense (as practiced by APT41 with ShadowPad and CCleaner); rather, it exploits the service relationship supply chain — the trusted network connections, administrative credentials, and privileged access that MSPs maintain to manage their clients' IT environments. In modern enterprise architecture, MSPs routinely hold domain administrator credentials, maintain persistent VPN connections, and operate remote management tools with unrestricted access to client infrastructure. APT10 recognised that compromising the MSP — a single point of trust — provided a skeleton key to hundreds of client environments simultaneously.
The operational model is methodical and patient. APT10 first gains access to the MSP's own network through spear-phishing or exploitation of internet-facing services. They then conduct extensive reconnaissance within the MSP environment, identifying the management infrastructure — jump boxes, remote desktop gateways, monitoring platforms, and administrative tools — that connects to client networks. Using harvested credentials and the MSP's own remote access tools, APT10 pivots from the MSP into target client environments, appearing as legitimate administrative traffic. Because the connections originate from the MSP's trusted infrastructure and use the MSP's own credentials and tools, the activity is extremely difficult to distinguish from normal managed service operations. The MSP's trusted status effectively renders APT10 invisible to client-side security controls.
The strategic implications of this approach are profound. A traditional targeted intrusion compromises a single organisation at a time; an MSP compromise provides concurrent access to dozens or hundreds of organisations across multiple sectors and geographies. APT10 could simultaneously collect intelligence from aerospace companies, government agencies, healthcare providers, and telecommunications firms — all through a single compromised MSP. The approach also provides exceptional operational security: data exfiltration is routed back through the MSP's infrastructure, blending with legitimate traffic. Even if a client organisation detects anomalous activity, investigation typically ends at the MSP — a trusted partner — rather than identifying the true threat actor behind the connection.
| Tool | Type | Capabilities |
|---|---|---|
| PlugX (Korplug) | RAT (Shared Chinese Tooling) | A mainstay of APT10's operations across all campaign phases. PlugX is a modular remote access trojan providing file management, command shell, keylogging, screen capture, and proxy pivoting capabilities. APT10 deploys PlugX extensively via DLL side-loading — placing a malicious DLL alongside a legitimate signed executable that loads it — to evade detection. Multiple custom variants have been observed with campaign-specific configurations and C2 infrastructure. |
| Quasar RAT | RAT (Open-Source, Modified) | An open-source remote access trojan that APT10 has customised and deployed in numerous campaigns, including Operation Cloud Hopper. APT10's Quasar variants include modified communication protocols, custom encryption layers, and campaign-specific configurations that distinguish them from the publicly available version. Provides remote desktop, file management, keylogging, password recovery, and reverse proxy capabilities. |
| Poison Ivy | RAT (Legacy) | One of APT10's earliest tools, used extensively in campaigns from 2006 through approximately 2013. Poison Ivy is a full-featured RAT providing remote shell, file transfer, screen capture, keylogging, and registry manipulation. While considered dated by modern standards, APT10's early reliance on Poison Ivy established many of their operational patterns — particularly their use of spear-phishing with weaponised document attachments as the primary delivery mechanism. |
| ChChes (HAYMAKER) | Backdoor (Custom) | A custom backdoor attributed exclusively to APT10, first documented by JPCERT/CC. ChChes communicates with C2 servers over HTTP using cookie headers to transmit encrypted data — a technique designed to blend with normal web browsing traffic. It supports command execution, file upload/download, and can load additional modules. ChChes was deployed primarily in campaigns targeting Japanese organisations between 2016 and 2018. |
| LODEINFO | Backdoor (Custom) | A sophisticated fileless backdoor that has been central to APT10's Japan-focused operations since 2019. LODEINFO has undergone continuous development, with JPCERT/CC and Kaspersky documenting multiple versions showing progressive capability enhancement. It supports command execution, file operations, screen capture, keylogging, and shellcode injection. Recent versions implement advanced evasion techniques including XOR-based encryption, junk code insertion, and anti-analysis measures. Delivered primarily through spear-phishing with weaponised Word documents exploiting VBA macros. |
| NOOPDOOR (HiddenFace) | Backdoor (Custom) | A sophisticated backdoor identified by Trend Micro in the A41APT campaign. NOOPDOOR is a complex, multi-layered implant that uses multiple communication channels — including DNS over HTTPS (DoH) — to establish resilient C2 connectivity. It employs heavy code obfuscation, encrypted configurations, and modular architecture. NOOPDOOR is designed for long-term persistence in high-value environments, reflecting APT10's shift toward more sophisticated custom tooling. |
| RedLeaves (BUGJUICE) | Backdoor (Custom) | A backdoor based on the open-source Trochilus RAT, significantly modified by APT10 for use in Cloud Hopper and other campaigns. RedLeaves provides command execution, file operations, screen capture, and keystroke logging. It communicates with C2 over HTTP and uses RC4 encryption for data in transit. RedLeaves was a primary post-compromise tool in Operation Cloud Hopper, deployed within both MSP and client environments. |
| SodaMaster (DelfsCake) | Backdoor (Custom) | A fileless backdoor used in APT10's A41APT campaign targeting Japanese organisations. SodaMaster operates entirely in memory, using reflective DLL loading to avoid disk-based detection. It supports command execution, file operations, and can download and execute additional payloads. SodaMaster performs anti-sandbox checks — including examining the username and checking for common analysis tools — before executing its payload. |
| Cobalt Strike BEACON | Commercial C2 Framework | APT10 incorporates Cobalt Strike alongside their custom tooling, particularly in more recent campaigns. Used for post-exploitation operations including lateral movement, credential harvesting, and data staging. APT10 configures BEACON with malleable C2 profiles designed to mimic legitimate web traffic and evade network-based detection. |
| Mimikatz & Credential Tools | Credential Harvesting (Open-Source) | APT10 makes extensive use of credential harvesting tools — particularly Mimikatz and custom credential dumpers — to extract passwords, hashes, and Kerberos tickets from compromised systems. Credential theft is central to APT10's operational model: in Cloud Hopper, harvested MSP administrator credentials were the mechanism for pivoting into client environments. APT10 also uses pwdump variants and Windows Credential Editor (WCE). |
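The PlugX row above describes DLL side-loading: a malicious DLL dropped beside a legitimate signed executable that loads it by name. The script below is an added example, not from this page or from any vendor's rule set, showing how a defender can hunt for that pattern in image-load telemetry. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus); the sample events, the watchlist of commonly abused DLL names and the directory lists are constructed assumptions that a real deployment would derive from its own fleet baseline.

```python
"""Spot DLL side-loading candidates in Sysmon-style image-load telemetry.

Added example, not from the original page. Field names follow Sysmon
Event ID 7; the sample events are constructed. Heuristic: a signed host
executable running from a non-standard directory loads a DLL whose name
belongs to a Windows system DLL, from its own directory rather than from
the Windows system folders, and that DLL is unsigned.
"""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# System DLL names frequently chosen as side-load targets. Assumption: in
# practice this watchlist comes from a baseline of where each DLL normally loads.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "msvcr100.dll"}

def _norm(path):
    """Lower-case and normalise separators so prefix checks are reliable."""
    return path.replace("/", "\\").lower()

def _under(path, roots):
    return any(path.startswith(r.rstrip("\\") + "\\") for r in roots)

def score_image_load(ev):
    """Return the list of side-loading indicators for one event (empty = benign)."""
    image = _norm(ev["Image"])
    dll = _norm(ev["ImageLoaded"])
    dll_name = ntpath.basename(dll)
    reasons = []
    if dll_name not in SYSTEM_DLL_NAMES:
        return reasons
    if _under(dll, SYSTEM_DIRS):
        return reasons                      # loaded from where it belongs
    reasons.append(f"{dll_name} loaded from outside the Windows system directories")
    if ntpath.dirname(dll) == ntpath.dirname(image):
        reasons.append("DLL sits beside the loading executable (search-order hijack)")
    if not _under(image, TRUSTED_ROOTS):
        reasons.append("host executable runs from a non-standard directory")
    signed = ev.get("Signed", "").lower() == "true"
    if signed and ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("DLL signature present but not valid")
    elif not signed:
        reasons.append("DLL is unsigned")
    return reasons

def hunt(events):
    """Return [(event, reasons)] for events carrying two or more indicators."""
    hits = []
    for ev in events:
        reasons = score_image_load(ev)
        if len(reasons) >= 2:
            hits.append((ev, reasons))
    return hits

# Constructed Sysmon-like events: one normal load, one classic side-load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\update\signedhost.exe",
     "ImageLoaded": r"C:\Users\Public\update\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev["Image"], "->", ev["ImageLoaded"])
        for r in reasons:
            print("   -", r)
```

The second sample event trips all four indicators; the first returns nothing because `version.dll` loaded from System32 is exactly where the loader is supposed to find it. Requiring two indicators before alerting keeps legitimately redistributed runtimes (a vendor shipping its own copy of a CRT DLL under Program Files) from flooding the queue.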
APT10's earliest documented campaigns (2006–2013) focused predominantly on Japanese organisations — government ministries, defence contractors, academic institutions, and media companies. These early operations used Poison Ivy as the primary implant, delivered through spear-phishing emails with weaponised document attachments. The lures were carefully crafted in Japanese, referencing current events, government policy announcements, and industry topics relevant to the targeted individuals. This Japan focus earned the group the name MenuPass from early researchers who tracked their C2 infrastructure. While seemingly modest in scope compared to their later operations, this period established APT10's operational patterns, refined their social engineering tradecraft, and built the institutional knowledge of Japanese target environments that would inform their operations for the next two decades.
Operation Cloud Hopper (approximately 2014–2017, with evidence of activity extending beyond) was APT10's most significant and consequential campaign. First publicly documented in April 2017 by PwC UK and BAE Systems in a joint report, Cloud Hopper revealed a systematic, multi-year campaign to compromise managed service providers on a global scale. APT10 targeted and successfully infiltrated multiple major MSPs — companies that collectively managed IT infrastructure for thousands of organisations worldwide. Using the MSPs' own remote access tools and administrator credentials, APT10 pivoted into the networks of downstream clients across aerospace, defence, government, healthcare, engineering, telecommunications, and manufacturing sectors. The scale was staggering: a single compromised MSP provided access to hundreds of client organisations simultaneously. Data exfiltration was routed through the MSPs' infrastructure, making detection extraordinarily difficult. The UK's National Cyber Security Centre (NCSC), the US FBI, the Australian Signals Directorate, and intelligence agencies across multiple nations attributed Cloud Hopper to APT10 and issued coordinated public statements condemning the campaign in December 2018.
The A41APT campaign (2019–2021 and continuing) represents APT10's sustained focus on Japanese organisations with increasingly sophisticated tooling. Documented by Trend Micro, Kaspersky, and JPCERT/CC, A41APT targeted Japanese organisations across manufacturing, defence, government, and academia. The campaign showcased APT10's evolution toward more sophisticated custom malware — deploying LODEINFO, SodaMaster, and NOOPDOOR, all designed to operate with minimal forensic footprint. LODEINFO in particular has been subject to continuous development, with researchers documenting over ten major version updates between 2019 and 2024, each adding new capabilities and evasion techniques. The campaign exploited vulnerabilities in SSL VPN products for initial access and used advanced techniques including DNS over HTTPS for C2 communication — a significant departure from the group's earlier reliance on standard HTTP-based C2.
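The DNS over HTTPS C2 channel described for A41APT and NOOPDOOR hides the resolution step from the resolver logs defenders usually rely on, so the detection has to move to the proxy or TLS layer. The script below is an added example, not from this page or from any of the vendors cited. It recognises DoH exchanges by the RFC 8484 conventions (a `/dns-query` path with a POST body or a `?dns=` GET parameter, or the `application/dns-message` media type) and reports clients using resolvers outside an allowlist. The proxy log lines are constructed JSON records and `doh.corp.example` is a placeholder for the organisation's own sanctioned resolver.

```python
"""Find DNS-over-HTTPS traffic that bypasses the sanctioned resolvers.

Added example, not from the original page. DoH requests are recognised by
the RFC 8484 conventions; the proxy records are constructed JSON lines and
the allowlist is a placeholder for the organisation's own policy.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SANCTIONED_DOH = {"doh.corp.example"}   # assumption: the enterprise's own resolver(s)

def is_doh(rec):
    """True if a proxy record looks like an RFC 8484 DoH exchange."""
    url = urlsplit(rec.get("url", ""))
    ctype = rec.get("content_type", "").lower()
    if "application/dns-message" in ctype:
        return True
    if url.path.rstrip("/").endswith("/dns-query"):
        if rec.get("method") == "POST":
            return True
        if rec.get("method") == "GET" and "dns" in parse_qs(url.query):
            return True
    return False

def unsanctioned_doh(lines):
    """Return {client_ip: {resolver_host: request_count}} for DoH traffic
    sent to resolvers outside the allowlist."""
    out = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = json.loads(line)
        if not is_doh(rec):
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if host in SANCTIONED_DOH:
            continue
        out[rec["src"]][host] += 1
    return {client: dict(hosts) for client, hosts in out.items()}

# Constructed proxy log (JSON lines); 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    '{"src":"10.1.1.20","method":"POST","url":"https://doh.corp.example/dns-query","content_type":"application/dns-message"}',
    '{"src":"10.1.1.20","method":"GET","url":"https://www.example.com/index.html","content_type":"text/html"}',
    '{"src":"10.1.1.37","method":"POST","url":"https://203.0.113.10/dns-query","content_type":"application/dns-message"}',
    '{"src":"10.1.1.37","method":"POST","url":"https://203.0.113.10/dns-query","content_type":"application/dns-message"}',
    '{"src":"10.1.1.37","method":"GET","url":"https://cdn.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB","content_type":"text/plain"}',
    '{"src":"10.1.1.50","method":"GET","url":"https://api.example.org/dns-query-stats","content_type":"application/json"}',
]

if __name__ == "__main__":
    for client, resolvers in unsanctioned_doh(SAMPLE_LOG).items():
        print(client, resolvers)
```

On the sample log only `10.1.1.37` is reported: it sends DoH to a raw IP address and to a host that is not the sanctioned resolver, while the `/dns-query-stats` request is an ordinary JSON API call and is correctly ignored. In practice the same pass should also flag clients whose port-53 DNS volume drops to near zero, since an implant that has moved its resolution into DoH leaves that gap behind.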
Operation Soft Cell (first reported by Cybereason in 2019) revealed APT10's targeting of global telecommunications providers. The campaign, active since at least 2012, compromised telecom infrastructure to gain access to call detail records (CDRs) — metadata that records who called whom, when, for how long, and from where. CDR data is extraordinarily valuable for intelligence services: it provides surveillance capability against individuals of interest without requiring direct access to their devices. APT10 targeted specific high-value individuals within the compromised telecoms, exfiltrating CDR data that mapped their movements, communications patterns, and association networks. The campaign demonstrated that APT10's objectives extended beyond traditional intellectual property theft into active intelligence collection and surveillance — capabilities that serve China's broader national security and counterintelligence requirements.
Defending against APT10 is uniquely challenging because their signature technique — MSP supply chain compromise — exploits trusted business relationships rather than technical vulnerabilities. When APT10 accesses a client network through a compromised MSP, they arrive using legitimate credentials, through authorised network connections, and employ the same tools and access patterns as genuine MSP administrators. Traditional perimeter defences and network monitoring are ineffective because the malicious activity is indistinguishable from the authorised managed service operations it mimics. Effective defence against APT10 requires rethinking the trust model with third-party service providers and implementing controls that can detect anomalous behaviour even within trusted access channels.
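The operational model described earlier (pivoting from MSP jump hosts into client networks with the MSP's own credentials) and the defensive point made here (anomaly detection within trusted access channels) come down to the same control: write down what the MSP's access is supposed to look like, then score every authentication against it. The script below is an added example, not from this page or from any MSP's tooling. The access contract, the event fields and the sample telemetry are all constructed assumptions; a real deployment would populate them from the signed statement of work and the client's Windows security logs.

```python
"""Flag anomalous use of an MSP's privileged access into a client network.

Added example, not from the original page. The MSP's trusted channel is
modelled by a small contract: which accounts it uses, which jump hosts its
sessions originate from, which hosts it may manage, and when. Each
authentication event is scored against that contract, and interactive
logons are also checked for fan-out across many hosts in a short window,
which is the pivot pattern rather than any single bad login. Field names
and sample events are constructed, not a real SIEM schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical third-party access contract for one MSP (constructed).
MSP_CONTRACT = {
    "accounts": {"svc-msp-admin", "svc-msp-monitor"},
    "jump_hosts": {"10.10.0.5", "10.10.0.6"},        # MSP-side RDP gateways
    "managed_hosts": {"srv-app01", "srv-app02", "srv-db01"},
    "window": (2, 6),                                # agreed 02:00-06:00 local
    "max_fanout": 3,                                 # distinct hosts per 10 minutes
}

@dataclass
class AuthEvent:
    ts: datetime
    account: str
    src_ip: str
    dst_host: str
    logon_type: int      # Windows logon type: 3 network, 10 remote interactive

@dataclass
class Finding:
    event: AuthEvent
    reasons: list

def check_event(ev, contract):
    """Return the contract violations for one event (empty = normal)."""
    reasons = []
    if ev.account not in contract["accounts"]:
        return reasons          # not an MSP identity; out of scope for this check
    if ev.src_ip not in contract["jump_hosts"]:
        reasons.append("source is not a declared MSP jump host")
    if ev.dst_host not in contract["managed_hosts"]:
        reasons.append("destination outside contracted scope")
    start, end = contract["window"]
    if not (start <= ev.ts.hour < end):
        reasons.append("outside agreed maintenance window")
    return reasons

def check_fanout(events, contract, window=timedelta(minutes=10)):
    """Return {account: max distinct hosts} for MSP accounts whose interactive
    logons touch more hosts inside a sliding window than the contract allows."""
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.account in contract["accounts"] and ev.logon_type == 10:
            per_account[ev.account].append(ev)
    flagged = {}
    for acct, evs in per_account.items():
        for i, ev in enumerate(evs):
            hosts = {e.dst_host for e in evs[i:] if e.ts - ev.ts <= window}
            if len(hosts) > contract["max_fanout"]:
                flagged[acct] = max(flagged.get(acct, 0), len(hosts))
    return flagged

def analyse(events, contract=MSP_CONTRACT):
    """Run both checks; returns (per-event findings, fan-out summary)."""
    findings = []
    for ev in events:
        reasons = check_event(ev, contract)
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings, check_fanout(events, contract)

# Constructed sample telemetry: two routine sessions, then one daytime pivot burst
# from a workstation that is not an MSP jump host, reaching out-of-scope systems.
T0 = datetime(2024, 1, 15, 3, 0)
SAMPLE_EVENTS = [
    AuthEvent(T0, "svc-msp-admin", "10.10.0.5", "srv-app01", 10),
    AuthEvent(T0 + timedelta(minutes=5), "svc-msp-monitor", "10.10.0.6", "srv-db01", 3),
    AuthEvent(T0 + timedelta(hours=11), "svc-msp-admin", "10.20.3.44", "srv-app01", 10),
    AuthEvent(T0 + timedelta(hours=11, minutes=1), "svc-msp-admin", "10.20.3.44", "srv-app02", 10),
    AuthEvent(T0 + timedelta(hours=11, minutes=2), "svc-msp-admin", "10.20.3.44", "dc01", 10),
    AuthEvent(T0 + timedelta(hours=11, minutes=3), "svc-msp-admin", "10.20.3.44", "fs-engineering", 10),
]

if __name__ == "__main__":
    findings, fanout = analyse(SAMPLE_EVENTS)
    for f in findings:
        print(f.event.ts, f.event.account, "->", f.event.dst_host, "|", "; ".join(f.reasons))
    print("fan-out:", fanout)
```

The two overnight sessions pass cleanly; the four daytime logons are each flagged on source and timing, the two that reach `dc01` and `fs-engineering` also on scope, and the fan-out check reports `svc-msp-admin` touching four hosts inside ten minutes. The value of the contract model is that it does not need to know the MSP's tools or the adversary's malware: it only asks whether the MSP's identity is being used in the way the MSP agreed to use it, which is the one thing an intruder borrowing that identity cannot easily know.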
APT10 is one of the most established groups within China's extensive state-sponsored cyber espionage ecosystem. Operating under the Ministry of State Security's Tianjin bureau, APT10 exemplifies the MSS contractor model — a system in which nominally private technology companies perform intelligence operations under the direction and support of provincial MSS bureaus. This model, which has largely replaced the earlier PLA-centric approach exposed by Mandiant's APT1 report in 2013, provides the Chinese state with operational flexibility, access to private-sector technical talent, and a degree of plausible deniability. APT10's longevity — active since at least 2006 — makes them one of the longest-running threat groups in this ecosystem, and their targeting of managed service providers introduced a strategic innovation that influenced how other Chinese APT groups approach supply chain and third-party compromise.
| Group | Affiliation | Primary Focus | Relationship to APT10 |
|---|---|---|---|
| APT1 (Comment Crew) | PLA Unit 61398 | Broad industrial espionage targeting 20+ industries — IP theft aligned with state economic priorities | Different organisational lineage (PLA vs MSS). APT1 represented the earlier, military-driven model of Chinese cyber espionage. APT10 represents the MSS contractor model that has become dominant since APT1's public exposure in 2013. No shared tooling observed. |
| APT41 (Double Dragon) | MSS (Chengdu 404) | Dual-mandate espionage and financially motivated cybercrime; supply chain attacks via software vendors | Both operate under the MSS contractor model but through different provincial bureaus (Tianjin vs Chengdu). APT41 targets software supply chains while APT10 targets service relationship supply chains. Shared use of PlugX and some infrastructure overlap has been noted. APT41's dual mandate (espionage + cybercrime) distinguishes it from APT10's purely espionage-driven operations. |
| APT27 (Emissary Panda) | MSS (assessed) | Defence, aerospace, technology, and government targeting across Asia, Middle East, and the West | Both are MSS-affiliated with overlapping target sectors. APT27 and APT10 have both used PlugX and have been observed targeting some of the same organisations, though with different tooling and infrastructure. Attribution can be challenging when both groups are active within the same victim environment. |
| APT40 (Leviathan) | MSS (Hainan Bureau) | Maritime, defence, and engineering sectors aligned with South China Sea territorial interests | Both are MSS contractors operating through different provincial bureaus. APT40 focuses on maritime and defence intelligence related to South China Sea interests, while APT10's targeting is broader. Both groups target the defence and engineering sectors, though APT40's geographic focus is more concentrated on Southeast Asia and the Pacific. |
| APT31 (Zirconium) | MSS (assessed) | Government, political, and defence targeting across Europe and North America; election-related targeting | Both operate under the MSS framework. APT31 focuses more on government and political targets while APT10's targeting is broader and more commercially oriented. APT31 has been linked to MSP-style targeting in some campaigns, possibly influenced by APT10's Cloud Hopper methodology. |
| Volt Typhoon | PLA (assessed) | Pre-positioning in US critical infrastructure — energy, water, transport, communications — for potential disruption during geopolitical conflict | Different mission entirely. Volt Typhoon focuses on infrastructure pre-positioning for potential disruption, not intelligence collection. Uses living-off-the-land techniques rather than custom malware — a fundamentally different operational approach. Represents the evolution of Chinese cyber strategy toward operational preparation of the battlefield. |
APT10's position within China's cyber ecosystem is that of a veteran operational group that has demonstrated sustained capability over nearly two decades. While they lack APT41's unique dual mandate or Volt Typhoon's infrastructure disruption mission, APT10's contribution to the ecosystem is significant: they pioneered the MSP supply chain compromise at scale, demonstrated that trusted third-party relationships could be weaponised as efficiently as software supply chains, and maintained a persistent focus on Japanese and Western targets that aligns closely with China's long-term strategic intelligence requirements. The group's evolution — from Poison Ivy and basic phishing to LODEINFO, NOOPDOOR, and DNS over HTTPS C2 — reflects the broader maturation of China's offensive cyber capabilities over the past two decades.
APT10 is one of China's longest-running and most strategically impactful cyber espionage groups. Their innovation — the systematic compromise of managed service providers to access downstream client networks — represented a paradigm shift in how nation-state threat actors think about supply chain compromise. Operation Cloud Hopper demonstrated that the trust inherent in the MSP-client relationship could be weaponised at global scale, transforming a handful of MSP compromises into access to hundreds of organisations across every major industry. This approach was devastatingly efficient: it maximised intelligence yield while minimising the number of direct intrusions required, and it exploited a structural vulnerability in modern enterprise architecture that remains largely unresolved.
The 2018 US DOJ indictments of Zhu Hua and Zhang Shilong — alongside coordinated attribution statements from the UK, Australia, Canada, Japan, and other allies — represented an unprecedented international response to a Chinese cyber espionage campaign. Yet, like the APT41 indictments that followed, the practical impact on APT10's operations has been limited. The indicted individuals remain in China, beyond the reach of Western law enforcement. APT10 has continued to operate, shifting their tooling from Cloud Hopper-era malware to more sophisticated custom backdoors like LODEINFO and NOOPDOOR, and refocusing from broad MSP targeting to more focused sectoral campaigns — particularly against Japanese organisations. The group's ability to adapt, evolve, and persist despite intense public scrutiny and law enforcement pressure underscores the resilience of state-sponsored threat groups operating with the backing of a major intelligence service.
For defenders, APT10's legacy demands a fundamental reassessment of third-party trust. The MSP supply chain compromise is not a historical curiosity — it is a persistent and growing threat as organisations increasingly rely on cloud service providers, managed security services, and outsourced IT operations. Every trusted third-party connection is a potential attack vector. Defending against APT10 requires rigorous third-party access governance, anomaly detection on trusted channels, network segmentation that limits the blast radius of a compromised service provider, and proactive threat hunting for APT10's evolving tooling and tradecraft. The organisations best positioned to defend against APT10 are those that treat their MSP and cloud provider relationships not as trusted partnerships exempt from security scrutiny, but as high-risk access channels that demand the same monitoring, segmentation, and zero-trust principles applied to any other external connection.
Our penetration testing and threat intelligence services can evaluate your defences against APT10's specific tactics — MSP trust relationship abuse, DLL side-loading, spear-phishing, and lateral movement through third-party access channels — to identify gaps before a state-sponsored adversary exploits them.