>samit_hota
Back to adversary profiles
G0004HighActive

Ke3chang (G0004): A Persistent Cyberespionage Threat

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intelligence Gathering
Aliases
APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL, Nylon Typhoon
Target Sectors
Government, Diplomatic, Military, Defense, Energy, NGOs, Think Tanks, Aerospace, Telecommunications
Associated Malware
BS2005, TidePool, RoyalCli, RoyalDNS, Okrum, Ketrican, Mirage, MirageFox, Graphican, GoReShell
#threat-actor#g0004

Overview

Ke3chang, identified by MITRE ATT&CK as G0004, is a highly persistent and adaptive cyberespionage group strongly attributed to actors operating out of China. Active since at least 2010, the group, also known by aliases such as APT15, Mirage, Vixen Panda, Playful Dragon, NICKEL, and Nylon Typhoon, primarily conducts long-term intelligence gathering operations. Their motivations are aligned with Chinese state interests, focusing on stealing political, military, and economic secrets, and supporting the PRC’s objectives in internal security and narrative management.

Ke3chang’s targeting is deliberate and high-value, concentrating on government organizations (particularly Ministries of Foreign Affairs and diplomatic missions), military entities, defense contractors, non-governmental organizations (NGOs), and think tanks. Beyond these core targets, they have also shown interest in critical infrastructure and strategic sectors including oil, energy, aerospace, aviation, chemical, high-tech, industrial, manufacturing, mining, and telecommunications. Geographically, their operations span the globe, with documented activities across Central and South America, the Caribbean, Europe, North America, Asia Pacific, and the Middle East. Notably affected regions include countries such as the United States, United Kingdom, Belgium, Slovakia, India, Brazil, Chile, and Guatemala.

Tactics & Techniques

Ke3chang demonstrates mature and adaptive tradecraft, frequently evolving its tactics, techniques, and procedures (TTPs) to maintain covert access and evade detection.

Initial access typically begins with targeted spear-phishing campaigns, often incorporating compelling lures related to current geopolitical events or seemingly legitimate internal communications. They also widely exploit vulnerabilities in public-facing applications, with a notable history of compromising unpatched Microsoft Exchange and SharePoint servers, as well as Pulse Secure VPN and other VPN appliances. In some cases, access has been gained through compromised third-party VPN suppliers or by utilizing stolen credentials.

Once initial access is established, the group employs a variety of techniques for execution and persistence. They often use custom backdoors, modular loaders, and batch scripts, sometimes leveraging legitimate tools like RemoteExec (similar to PsExec) or rundll32.exe. For persistence, Ke3chang utilizes registry autorun keys, scheduled tasks, and DLL sideloading with validly signed executables. They have also been observed installing malicious services disguised as benign system components and creating .lnk shortcuts in the Startup folder, demonstrating a layered approach to maintaining long-term presence within compromised networks.

Defense evasion is a hallmark of Ke3chang’s operations. They frequently modify and recompile their malware, and have increased the complexity and modularity of their frameworks. The group has been observed dropping malware into existing installed software paths to masquerade it as legitimate files. Other evasion tactics include the use of steganography to embed payloads within seemingly innocuous image files (e.g., PNGs), employing anti-emulation and anti-sandbox tricks, and making frequent changes in their implementation details. They also use the right-to-left override character in spear-phishing attachment names to deceive victims.

For credential access, Ke3chang employs various tools, including keyloggers and known password dumpers such as Mimikatz, WDigest, NTDSDump, and gsecdump, to harvest credentials from browsers, email clients, and operating systems. These stolen credentials are then used for lateral movement, often alongside tools for network scanning and enumeration (ipconfig, netstat, ping.exe, systeminfo.exe), copying files to network shares, and mounting C$ shares.

Command and control (C2) communications are sophisticated and stealthy, frequently relying on DNS tunneling and HTTP communication through Internet Explorer’s COM interface IWebBrowser2. They embed encrypted C2 channels within HTTP headers or DNS traffic, often using web-based C2 servers and occasionally leveraging operational relay box (ORB) networks or acquired Virtual Private Servers.

Data collection is typically frequent and scheduled, with the group actively searching for new files in directories of interest and dumping data from Microsoft Exchange mailboxes. Before exfiltration, data is often compressed using tools like 7Zip and WinRAR, and encrypted with passwords, then sent out through the established C2 channels.

Notable Campaigns

Ke3chang has been linked to numerous significant cyberespionage campaigns over its operational history:

  • “Operation Ke3chang” (2010/2013 onwards): One of the earliest widely reported campaigns, it targeted European Ministries of Foreign Affairs, often using spear-phishing emails with Syria-themed lures. This activity frequently coincided with major international diplomatic events, such as G20 meetings.
  • Indian Embassy Targeting (2016): The group utilized its TidePool malware in an ongoing campaign against Indian embassy personnel worldwide. Attackers used spear-phishing emails that masqueraded as an annual report filed by Indian embassies to deliver the malicious payload.
  • UK Government Service Provider Compromise (2017): In May 2017, Ke3chang compromised a service provider to the UK government, stealing sensitive documents and targeting information related to UK government departments and military technology. New backdoors, RoyalCli and RoyalDNS, were identified during this incident.
  • Diplomatic Missions in Latin America and Europe (2016-2017): Campaigns using the Okrum and Ketrican backdoors targeted diplomatic missions and governmental institutions in countries including Slovakia, Belgium, Brazil, Chile, and Guatemala. Some of these attacks aligned with potential Chinese business investment interests in the targeted regions.
  • US Navy Contractor Hack (2018): Ke3chang was linked to the theft of 614 gigabytes of material related to the US Navy’s “Sea Dragon” project, potentially employing an updated Mirage backdoor variant known as MirageFox.
  • Microsoft DCU Disruption (2021): In December 2021, Microsoft’s Digital Crimes Unit (DCU) disrupted some of Ke3chang’s activities (tracked as NICKEL), seizing 42 domains used for command and control. This operation targeted organizations in 29 countries across Europe, North America, Central America, the Caribbean, and Africa, largely for intelligence gathering. Despite this disruption, the group continued its operations.

Associated Malware & Tools

Ke3chang boasts an extensive and continuously evolving arsenal of custom malware and leverages publicly available tools:

  • Custom Backdoors and RATs:
    • BS2005: A long-standing backdoor, foundational to many of their operations.
    • TidePool: An evolution of BS2005, used in campaigns against Indian embassies.
    • RoyalCli and RoyalDNS: New backdoors identified in 2017, with RoyalDNS being notable for its use of DNS for C2 communications.
    • Okrum and Ketrican: A previously undocumented backdoor (Okrum) and evolving variants (Ketrican) used in campaigns from 2015-2019, particularly against diplomatic entities in Europe and Latin America.
    • Mirage and MirageFox: Early remote access trojans (RATs), with MirageFox being an updated version.
    • Graphican: A more recent backdoor deployed post-2021 disruptions.
    • GoReShell: A Windows backdoor written in Go and based on reverse_ssh, observed in recent “PurpleHaze” (APT15) activity.
    • Ketbra: A more recent RAT, indicative of continuous tool development.
  • Exploits: The group has leveraged exploits for various software, including a Java zero-day (CVE-2012-4681), older Microsoft Word (CVE-2010-3333) and Adobe PDF Reader (CVE-2010-2883) vulnerabilities, and a Microsoft Office vulnerability (CVE-2015-2545).
  • Publicly Available Tools: Ke3chang frequently integrates commercial and open-source tools into its operations, including Mimikatz, WDigest, NTDSDump, gsecdump, and other password dumping utilities, keyloggers, WinRAR, and 7Zip. They also employ common system utilities for reconnaissance and lateral movement.
  • Custom Utilities: A bespoke Microsoft SharePoint enumeration and data dumping tool known as spwebmember has been identified.

Current Status

Ke3chang remains an active and highly sophisticated threat actor. Despite multiple public disclosures and direct disruption efforts, such as Microsoft’s domain seizures in 2021, the group has consistently demonstrated resilience and an ability to adapt its infrastructure and toolkit.

Recent reporting from July 2024 to March 2025 indicates ongoing global intrusions linked to APT15 (referred to as “PurpleHaze” by some researchers). This activity targeted over 70 organizations worldwide, including government entities, IT services firms, and media organizations, and involved the use of new malware like GoReShell and an evolving ORB3 relay network.

The group continues to enhance its operational security and malware frameworks, favoring more modular designs and unique campaign infrastructures for each operation. This increased sophistication suggests a move towards more tailored attacks and a continued effort to evade detection. Furthermore, broader advisories on Chinese state-sponsored threat actors in April 2026 highlight a strategic shift towards utilizing large, continuously refreshed networks of compromised SOHO routers, IoT devices, and end-of-life edge appliances for C2 and data exfiltration, a trend that Ke3chang and other China-nexus groups are likely leveraging.

Ke3chang’s persistent global reach, sophisticated tradecraft, and consistent targeting of geopolitical interests underscore its continued significance as a major state-sponsored cyberespionage threat. Organizations with interests in their target sectors and regions should maintain heightened vigilance and implement robust defensive measures.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call