PLATINUM (G0068) Threat Actor Profile: Stealthy Cyber Espionage in APAC
- Suspected Origin
- China (attributed)
- Motivation
- Espionage, Information Theft, Strategic Advantage
- Aliases
- None documented
- Target Sectors
- Government, Defense, Intelligence Agencies, Diplomatic Institutions, Telecommunications, ISPs
- Associated Malware
- Dipsind, JPIN, Adbupd, Titanium, RedPepper, RedSalt, Custom Keyloggers, PowerShell Backdoors
Overview
PLATINUM (G0068) is a highly sophisticated advanced persistent threat (APT) group that has been actively conducting cyber espionage operations since at least 2009. Designated by Microsoft, the group is widely regarded as one of the most technologically advanced actors in the APT landscape, prioritizing stealth, adaptability, and operational discipline in its campaigns. While their activities often maintain a low public profile, analysis consistently points to them as a well-resourced, focused, and disciplined entity.
Attribution for PLATINUM’s operations frequently points towards China, though threat intelligence reports from major cybersecurity firms like Microsoft and Kaspersky generally focus on their tactics rather than direct government linkage. Their primary motivation is cyber espionage and the theft of sensitive intellectual property, aiming for indirect strategic or economic benefits rather than direct financial gain.
The group’s targeting strategy is highly consistent and geographically focused, primarily on governmental entities, defense institutes, intelligence agencies, diplomatic organizations, and telecommunications providers in South and Southeast Asia. Specific hotspots for their activity have included Malaysia, Indonesia, and India, with observed targeting also extending to China, Singapore, Thailand, and Vietnam. Their campaigns are often tailored with regionally relevant lures, demonstrating an understanding of geopolitical dynamics within their target areas.
Tactics & Techniques
PLATINUM exhibits a comprehensive set of tactics, techniques, and procedures (TTPs) designed for stealthy and persistent access. Initial access is typically achieved through spear-phishing emails containing malicious documents, often exploiting previously undiscovered zero-day vulnerabilities in common software like Windows and Microsoft Office. They have also been known to utilize drive-by attacks against vulnerable browser plugins. A notable tactic is targeting victims’ non-official or private email accounts as an initial stepping stone into their intended organizational networks.
Once inside a network, PLATINUM employs sophisticated methods for persistence and defense evasion. A significant technique, identified by Microsoft in 2016, involves abusing Windows hotpatching mechanisms to inject malicious code into processes, such as svchost.exe, without requiring system reboots. This allowed them to evade detection by many host security products. The group also configures its malware to operate only during victims’ normal working hours, attempting to blend malicious network activity with legitimate user traffic.
For command and control (C2), PLATINUM leverages advanced techniques. In 2017, they were observed exploiting the Serial-over-LAN (SOL) capabilities of Intel Active Management Technology (AMT), allowing them to establish C2 communication channels that operate independently of the operating system, thus remaining invisible to host-based firewalls and network monitoring solutions. The group also makes use of text-based steganography, including the “SNOW” technique and manipulating HTML tag attribute order, to conceal C2 communications within seemingly innocuous data. They have also been observed using free hosting services and Dropbox accounts to store payloads and exfiltrated data.
Credential access and discovery are facilitated by deploying keyloggers and utilizing Windows hook interfaces. Lateral movement within a compromised network is achieved through specially crafted malware modules.
Notable Campaigns
PLATINUM’s operations have been traced back to at least 2009, demonstrating long-term engagement and a consistent focus on its target regions.
A significant incident unfolded in early 2016 when Microsoft detailed the group’s exploitation of Windows hotpatching mechanisms. This campaign enabled them to maintain persistent, stealthy access to compromised networks within Asian targets, updating malicious code without requiring full system reboots.
In June 2017, PLATINUM gained notoriety for exploiting Intel’s Active Management Technology (AMT) Serial-over-LAN (SOL) capabilities to perform data exfiltration. This marked a novel use of the technology by a threat actor.
The “EasternRoppels” campaign, which Kaspersky linked to PLATINUM, surfaced in June 2018, though it may have begun as early as 2012. This campaign notably featured the use of elaborate, previously unseen steganographic techniques to hide communications with C2 servers, primarily targeting diplomatic, government, and military entities across South and Southeast Asia.
In November 2019, Kaspersky researchers uncovered PLATINUM deploying a new, sophisticated modular implant dubbed “Titanium.” This backdoor was used in attacks targeting government organizations in South and Southeast Asia and incorporated complex evasion techniques, including mimicking common software during its multi-stage installation process.
Associated Malware & Tools
PLATINUM is known for developing and continuously updating a diverse set of custom-built malicious tools, suggesting substantial resources and potentially multiple development teams or external vendors.
Key malware families and tools associated with PLATINUM include:
- Dipsind (also known as Dispind): A custom backdoor widely used by the group, capable of installing keyloggers and maintaining communication with compromised systems.
- JPIN and Adbupd: Other custom backdoors similar to Dipsind, designed for information gathering, file management, and keylogging.
- Titanium: A highly advanced modular backdoor discovered in 2019. It features encrypted communications, a complex multi-stage deployment, and sophisticated evasion techniques, often mimicking legitimate software components like sound drivers or DVD video creation tools.
- RedPepper and RedSalt: These are also identified as tools utilized by the group.
- Custom Keyloggers: Frequently deployed to capture keystrokes and potentially dump credentials.
- PowerShell Backdoors: Used in initial stages, often for system fingerprinting and downloading additional code, as observed in the EasternRoppels campaign.
- Wrapper DLLs: Custom COM DLLs used to decrypt and load encrypted payloads into memory.
- BITS Downloader: Employed to fetch files from C2 servers.
The group also leverages “Living off the Land” techniques, utilizing existing system tools and features to blend into normal network activity.
Current Status
While specific new campaigns beyond the 2019 Titanium deployment have not been extensively publicized in recent years, PLATINUM is considered an active and ongoing threat. The group’s inherent stealth, low operational tempo, and advanced capabilities mean that detection of their activities is inherently challenging. Threat intelligence from 2025 continues to refer to PLATINUM as a sophisticated and relevant APT group that warrants attention, indicating that they are still being monitored or their past techniques are being analyzed for current relevance. Given their demonstrated ability to operate undetected for extended periods and their consistent focus on high-value targets, it is highly probable that PLATINUM remains an active player in the cyber espionage landscape, continuously refining its tools and techniques.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call