menuPass (G0045): China's Enduring Cyber Espionage Arm
- Suspected Origin
- China
- Motivation
- Espionage, Intellectual Property Theft, Economic Advantage, National Security Goals
- Aliases
- Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH, BRONZE RIVERSIDE
- Target Sectors
- Government, Defense, IT/MSPs, Healthcare, Finance, Aerospace, Manufacturing, Telecommunications, Energy, Academics, Legal, Media, NGOs
- Associated Malware
- PlugX, Poison Ivy, LODEINFO, Mimikatz, RedLeaves RAT, QuasarRAT, Sodamaster, SOGU
Overview
menuPass (G0045) is a persistent and highly skilled cyber espionage group that has been operational since at least 2006. This threat actor, known by numerous aliases including APT10, Cicada, POTASSIUM, Stone Panda, and Red Apollo, is widely attributed to the Chinese Ministry of State Security (MSS), specifically the Tianjin State Security Bureau. Their primary motivation is cyber espionage, focused on stealing intellectual property, trade secrets, and sensitive government data to advance Chinese national security and economic interests.
The group’s targeting is broad and global, encompassing healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors. menuPass places a significant emphasis on Japanese organizations, with consistent targeting observed since at least 2014. However, their operations extend across North America, Europe, South America, Asia, and Australia, frequently leveraging supply chain compromises, particularly against Managed IT Service Providers (MSPs), to gain access to a multitude of client networks.
Tactics & Techniques
menuPass employs a diverse and evolving set of tactics, techniques, and procedures (TTPs) designed for stealth, persistence, and extensive data exfiltration. Initial access often involves spear-phishing emails containing malicious attachments such as Windows Shortcut (.lnk) files or weaponized Microsoft Office documents with embedded macros. They are also adept at exploiting public-facing applications and vulnerabilities in remote access solutions like Pulse Secure VPNs and the ZeroLogon vulnerability (CVE-2020-1472) to gain initial footholds.
A hallmark of menuPass operations is the strategic compromise of Managed Service Providers (MSPs). By infiltrating an MSP, the group gains indirect, trusted access to numerous client networks, allowing for lateral movement and extensive data theft across multiple targets. This supply chain tactic enables them to bypass robust direct defenses and operate with a higher degree of legitimacy within victim environments.
Once inside a network, menuPass utilizes a combination of custom malware and “living-off-the-land” (LOTL) tools to execute commands, maintain persistence, and evade detection. They use command-line interfaces and reverse shells, often employing modified pentesting scripts like wmiexec.vbs and PowerShell frameworks such as PowerSploit. For persistence, they create new administrative accounts, schedule tasks, and use DLL side-loading and search order hijacking. Defense evasion techniques include renaming and relocating legitimate system utilities like certutil and changing malicious file extensions to appear benign. They also wipe PowerShell execution logs using wevtutil to cover their tracks.
Credential access is a high priority, achieved through keyloggers and known tools like Mimikatz, often with custom loaders, as well as PwDump6. For discovery, they export Active Directory data using csvde.exe and perform system and network reconnaissance with tools like nbtscan and tcping.exe, while actively searching for sensitive files in directories related to HR, audits, and meeting memos. Data collection involves gathering various files, mounting network shares, and using Robocopy to transfer data. Before exfiltration, data is often staged on remote MSP systems or victim networks, frequently compressed with TAR or RAR and sometimes saved in the Recycle Bin. Exfiltration itself occurs over encrypted communication channels, often disguised within normal network traffic.
Notable Campaigns
One of the most significant and well-documented campaigns attributed to menuPass is Operation Cloud Hopper, which spanned from at least 2014 to 2018. This global espionage campaign involved extensive compromise of MSPs to gain access to the intellectual property and confidential data of their clients across North America, Europe, and Asia. The sheer scale and duration of this operation highlighted menuPass’s strategic ingenuity in exploiting trusted relationships. The severity of Cloud Hopper led to the indictment of two Chinese nationals associated with APT10 by the U.S. Department of Justice in December 2018.
Beyond Cloud Hopper, menuPass has demonstrated a consistent focus on specific regions and sectors. Their intensified targeting of Japanese government, defense contractors, technology firms, and academics has been ongoing, utilizing custom malware like LODEINFO. In 2021, the group launched cyberattacks against the Taiwanese financial sector, targeting multiple banks and financial institutions. They also conducted espionage operations against Indian vaccine manufacturers, such as Bharat Biotech and the Serum Institute of India, during the COVID-19 pandemic, likely seeking intellectual property related to vaccine development. Recent activity has seen subgroups like Earth Kasha, operating under the broader APT10 umbrella, expanding targets to Japan, Taiwan, and India, and continuously updating their malware arsenals.
Associated Malware & Tools
menuPass maintains a dynamic arsenal of custom malware and leverages a wide array of legitimate and publicly available tools, a tactic sometimes referred to as “living off the land.”
Key custom malware used by the group includes:
- PlugX: A versatile Remote Access Trojan (RAT) with extensive capabilities for remote control, file manipulation, and data exfiltration. Various sophisticated variants like “Paranoid PlugX” have been observed, with some overlapping code with Poison Ivy.
- Poison Ivy: Another widely used RAT, often seen in conjunction with PlugX.
- LODEINFO: A fileless backdoor specifically noted in attacks targeting Japanese media, diplomacy, public institutions, and defense industries since 2019, with ongoing development and new versions.
- RedLeaves RAT (aka ANEL): A custom backdoor known for credential harvesting and maintaining persistence.
- QuasarRAT: A customized open-source RAT used as a second-stage backdoor.
- Sodamaster (aka NOOPDOOR): A fileless backdoor capable of evading sandbox detection, enumerating system parameters, and downloading additional payloads, notably used since at least 2020.
- SOGU, HAYMAKER, SNUGRIDE, BUGJUICE: Other backdoors and initial access tools observed in their campaigns, showcasing their continuous capability development.
- Scanbox: A web-based reconnaissance framework used for profiling targets, providing insights into their targeting priorities.
Beyond custom malware, menuPass extensively uses legitimate utilities and penetration testing tools, including Mimikatz (for credential dumping), certutil (for decoding), csvde.exe (for Active Directory data export), PowerSploit, WmiExec, PsExec, nbtscan, tcping.exe, esentutl, Wevtutil, WinRAR, and various network discovery and lateral movement tools.
Current Status
Despite the U.S. Department of Justice indicting two alleged members in 2018, menuPass remains an active and evolving threat group. Security researchers continue to track their operations, noting their resilience and adaptability. Recent activity from 2023 to 2024, particularly involving the Earth Kasha subgroup, demonstrates their ongoing campaigns against targets in Japan, Taiwan, and India, with updated tools and TTPs.
The group’s persistent relevance is further underscored by its inclusion in recent MITRE Engenuity ATT&CK Evaluations (June 2024), where their TTPs—especially those related to supply chain compromise, living-off-the-land techniques, and anti-analysis tactics—were used to simulate sophisticated attacks. This indicates that menuPass continues to be a formidable adversary, constantly refining its operational methodology and malware to achieve its state-sponsored cyber espionage objectives globally.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call