>samit_hota
Back to adversary profiles
G0018HighActive

Threat Actor Profile: admin@338 (G0018)

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intelligence Gathering, Strategic Advantage
Aliases
None documented
Target Sectors
Financial, Economic Policy, Trade Policy, Media, Government, Think Tanks, Civil Society
Associated Malware
PoisonIvy, LOWBALL, BUBBLEWRAP, ipconfig, net, netstat, systeminfo
#threat-actor#g0018

Overview

admin@338 (MITRE ATT&CK ID: G0018), sometimes referred to as Temper Panda, is a persistent and resourceful cyber threat group widely attributed to China. Active since at least 2013, this group primarily conducts cyber espionage operations, focusing on strategic intelligence gathering rather than direct financial gain or disruptive attacks. Their targeting aligns closely with the geopolitical and economic interests of the Chinese state, making them a significant concern for organizations operating in sensitive sectors or regions relevant to China.

The group’s operational tempo often correlates with newsworthy events, leveraging current affairs as highly effective lures in their initial compromise efforts. While they have historically targeted organizations involved in financial, economic, and trade policy, admin@338 has also demonstrated a clear interest in media entities, particularly those in Hong Kong that report on pro-democracy movements or sensitive political topics. Their objectives extend to collecting valuable intelligence from journalists, pro-democratic activists, European and international financial institutions, and even US-based think tanks, suggesting a broad remit for information collection that supports state interests.

Their campaigns often exhibit a blend of publicly available tools and custom-developed malware, indicating a pragmatic approach to achieving their objectives. This combination allows them both agility and stealth, adapting their toolset to specific targeting requirements.

Tactics & Techniques

admin@338’s initial access heavily relies on spear phishing. They craft highly convincing email lures that capitalize on current events, making them particularly effective. For instance, in attacks against Hong Kong media, emails referenced the Umbrella Movement or university alumni concerns, demonstrating a tailored approach to social engineering. These emails typically contain malicious attachments, often weaponized Microsoft Office documents that exploit known vulnerabilities, such as Microsoft Word CVE-2012-0158, to achieve execution on the victim’s system.

Once a foothold is established, the group exhibits proficiency in discovery techniques to map the compromised environment. They use standard operating system utilities, often referred to as “living off the land” binaries, such as ipconfig, net, netstat, and systeminfo to gather system information, network configuration details, and identify network connections and local accounts. This reconnaissance helps them understand the network architecture and identify further targets for lateral movement or data exfiltration.

A notable technique employed by admin@338 for command and control (C2) involves abusing legitimate cloud storage services, most prominently Dropbox. By using the Dropbox API, their malware can communicate with attacker-controlled accounts, allowing for the download of further instructions or additional malware, and the exfiltration of collected data. This method helps them evade traditional network defenses that might block direct C2 traffic to known malicious infrastructure. The group has been observed creating batch scripts (e.g., upload.bat) that execute commands on compromised machines, with results being uploaded back to their Dropbox accounts. They also demonstrate ingress tool transfer capabilities, allowing malware like LOWBALL to update itself.

Notable Campaigns

admin@338’s activity has been tracked since at least 2013, with early campaigns focusing on financial and policy organizations primarily through English-language spear phishing.

One of their most documented campaigns occurred in August 2015, specifically targeting Hong Kong-based media organizations, including newspapers, radio, and television outlets. These attacks were particularly significant for their use of Traditional Chinese script in spear phishing emails and their exploitation of newsworthy local events as lures. Examples include references to the creation of a Christian civil society organization coinciding with the anniversary of the 2014 Hong Kong protests and concerns regarding a Hong Kong University alumni organization’s referendum. The primary malware used in this campaign was LOWBALL, which uniquely leveraged Dropbox for its command and control infrastructure. This campaign demonstrated admin@338’s adaptability and direct alignment with regional political events.

In conjunction with the Hong Kong media attacks, FireEye researchers, in collaboration with Dropbox, identified a potential second, ongoing operation at the time of their 2015 reporting. This operation showed similar attack patterns but with variations in filenames, suggesting different malware versions and a broader scope, potentially impacting up to 50 unnamed targets. This indicates the group’s capacity for parallel operations and evolving tradecraft.

Associated Malware & Tools

admin@338 leverages a mix of established, publicly available tools and custom-developed backdoors to achieve its objectives:

  • PoisonIvy: This is a widely available Remote Access Trojan (RAT) that admin@338 has frequently employed. PoisonIvy provides adversaries with comprehensive remote control over compromised systems, enabling data exfiltration, arbitrary command execution, and further payload deployment.
  • LOWBALL: A custom-developed malware specifically associated with admin@338. LOWBALL is notable for its innovative use of legitimate cloud storage services, specifically Dropbox, for command and control communications. It uses the Dropbox API to download command files and upload results, and it has mechanisms to update itself by downloading new versions.
  • BUBBLEWRAP: This is a full-featured backdoor observed in admin@338’s arsenal. BUBBLEWRAP is configured for persistence, running at system boot, and supports multiple communication protocols including HTTP, HTTPS, or a SOCKS proxy for its C2 operations.
  • Non-public backdoors: In addition to publicly known RATs, the group also utilizes proprietary backdoors, indicating a level of bespoke development capability and a desire for enhanced stealth.
  • Living off the Land (LotL) tools: admin@338 commonly employs legitimate system utilities present on Windows operating systems for various post-exploitation activities. These include ipconfig for network configuration details, net and netstat for network information, and systeminfo for host-based reconnaissance. The use of LotL tools helps them blend in with legitimate network traffic and operations, making detection more challenging.

Current Status

Based on recent updates to threat intelligence platforms, admin@338 remains a relevant and actively tracked threat group. MITRE ATT&CK’s entry for G0018 was last modified in April 2025, and details regarding their associated malware, LOWBALL, were also updated around the same time, indicating continued relevance and monitoring. Furthermore, a cyber threat intelligence portal updated its information on admin@338 as recently as June 2026, confirming ongoing observation and a contemporary understanding of their activities. While specific campaign details for the absolute present moment are not always immediately public, the continuous maintenance and updates to these profiles strongly suggest that admin@338 is not dormant or disbanded. Their consistent attribution to China and focus on geopolitical espionage imply an enduring mandate, making them an ongoing concern for targeted sectors and regions. Their tactical flexibility, including the use of both custom and public tools and leveraging current events, underscores their sustained operational capability.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call