Suckfly (G0039): A Profile of China-Based Cyber Espionage
- Suspected Origin
- China
- Motivation
- Espionage, Information Theft
- Aliases
- None documented
- Target Sectors
- Government, Financial, IT, E-commerce, Healthcare, Media, Entertainment, Shipping and Logistics, Software Development, Video Game Development
- Associated Malware
- Nidiran, gsecdump, smbscan, Windows Credentials Editor
Overview
Suckfly (MITRE ATT&CK ID: G0039) is a sophisticated, China-based advanced persistent threat (APT) group that has been operational since at least April 2014. Known by aliases such as APT22, BRONZE OLIVE, and Group 46, this actor primarily engages in cyber espionage and information theft. The group’s operations have been traced to IP addresses within Chengdu, China, suggesting a specific geographical origin for their activities.
Initially, Suckfly gained notoriety for its focus on stealing digital certificates from legitimate businesses, particularly in South Korea, in early 2014. These stolen certificates were a crucial component of their operational toolkit, enabling them to sign their malicious software and hack tools to evade detection by making them appear legitimate. Over time, the group expanded its targeting beyond South Korea, launching extensive and long-term espionage campaigns against a range of high-profile government and commercial organizations across multiple continents. While their operations had a global reach, investigations revealed a significant and concentrated effort against targets located predominantly in India, where post-infection activity was notably higher compared to other regions, indicating deliberate and planned operations against Indian entities.
Tactics & Techniques
Suckfly employs a range of established tactics, techniques, and procedures (TTPs) characteristic of well-resourced espionage groups. Their initial access often involves spearphishing campaigns, where victims receive booby-trapped documents delivered via email. These documents leverage vulnerabilities, such as CVE-2014-6332, to infect targets with their custom backdoor, Nidiran.
Once inside a network, Suckfly focuses heavily on credential access. They are known to use both custom and publicly available tools for OS credential dumping, including gsecdump and Windows Credentials Editor, to obtain legitimate account credentials. A critical aspect of their defense evasion strategy involves subverting trust controls by using stolen code-signing certificates. This allows them to sign their malware and other hack tools, making them appear as trusted software and hindering detection efforts.
For discovery, Suckfly conducts extensive network service reconnaissance. They have been observed scanning internal victim networks for specific open ports, including 8080, 5900, and 40. Tools like smbscan are used for network discovery, aiding in their understanding of the target environment. With legitimate account credentials obtained through credential dumping, the group executes lateral movement, navigating the internal network as if they were authorized users. Their malware and tools are often command-line driven, which is a common technique for stealth and integration into existing system processes. Operations often take place during weekdays, suggesting a methodical and structured approach aligned with typical working hours.
Notable Campaigns
Suckfly’s activities began in April 2014 with initial campaigns focused on stealing digital certificates from South Korean organizations. This pre-attack operation to acquire certificates was a foundational step for their subsequent, broader espionage campaigns.
By 2015, the group was observed conducting extensive, long-term espionage operations, with a pronounced focus on India. Symantec’s research at the time highlighted multiple high-profile Indian targets, including one of India’s largest financial institutions, a top five IT firm, a major e-commerce company, and two government organizations. One of the targeted government entities was particularly critical, being connected to central government departments and responsible for implementing software networks across various ministries, leading to a high infection rate within that organization. The deep penetration and sustained activity within these Indian targets suggested a deliberate and strategic campaign. These campaigns involved the deployment of their custom backdoor, Nidiran, along with a suite of hack tools.
Associated Malware & Tools
Suckfly utilizes a tailored arsenal of malware and hacking tools designed for cyber espionage. The most prominent piece of custom malware associated with the group is Nidiran, a sophisticated backdoor specifically developed for their cyber espionage campaigns. Nidiran is typically delivered through exploited documents in their initial compromise stage and allows attackers to maintain persistent access and control over infected systems.
Beyond Nidiran, Suckfly leverages various off-the-shelf and custom hack tools to facilitate their operations:
- Credential Dumpers: Tools such as
gsecdumpandWindows Credentials Editorare integral for extracting user credentials from compromised systems. The group is known to use signed versions of these tools, enhancing their legitimacy. - Network Scanners:
smbscanis employed for network discovery, allowing the group to map victim networks and identify potential lateral movement opportunities. Generic port scanners are also part of their toolkit. - Other Utilities: Their arsenal includes keyloggers for capturing sensitive input, as well as other command-line driven utilities that support various stages of their attacks, from execution to data exfiltration. The use of stolen certificates to sign these tools is a recurring theme in their operations.
Current Status
Suckfly has been recognized as an active threat group since at least 2014. While the most detailed public reporting on their specific campaigns and techniques largely dates back to 2016, they remain a tracked entity within the threat intelligence community. The MITRE ATT&CK Group G0039 entry for Suckfly was last modified in April 2025, indicating that the group’s historical activities and associated TTPs are still relevant for analysis and defensive strategies. However, without more recent, publicly disclosed incident reports or security vendor analyses detailing specific, ongoing campaigns beyond 2016, their current operational tempo and specific active targets are not definitively known in open sources. Security professionals should remain aware of Suckfly’s established TTPs and associated malware due to their historical effectiveness and the possibility of renewed or undetected activity.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call