>samit_hota
Back to adversary profiles
G0073HighActive

APT19: Persistent Chinese Cyber Espionage and Credential Theft

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Information Theft, Credential Harvesting, Financial Gain
Aliases
Codoso, C0d0so0, Codoso Team, Sunshop Group
Target Sectors
Defense, Finance, Energy, Pharmaceutical, Telecommunications, High Tech, Education, Manufacturing, Legal Services, Healthcare, Government, Law Enforcement, Aerospace, Agriculture, Think Tanks
Associated Malware
C0d0so0, Cobalt Strike, Derusbi, Empire, 9002 RAT, Fire Chili, Poison Ivy, Custom backdoors, Web shells, Credential harvesting utilities
#threat-actor#g0073

Overview

APT19, also known by aliases such as Codoso, C0d0so0, Codoso Team, and Sunshop Group, is a prominent and persistent Chinese-based threat group that has been actively conducting cyber espionage operations for over a decade. Identified by MITRE ATT&CK as G0073, this group is widely understood to operate in support of China’s intelligence efforts. While its attribution is firmly rooted in China, some analysts suggest APT19 may consist of a network of freelancers receiving some degree of state sponsorship.

A defining characteristic of APT19 is its “hybrid model” of operations, blending traditional state-directed intelligence objectives with tactics often associated with cybercrime, particularly large-scale credential theft. Their primary motivation is the acquisition of information with political, economic, or technological significance. This often translates into a clear interest in mass credential harvesting, enabling them to gain long-term access to various corporate, cloud, and personal accounts, which can then be leveraged for intelligence or even sold for financial gain. APT19’s targeting strategy aligns with Chinese intelligence priorities, focusing on obtaining situational awareness and persistent access.

APT19 has cast a wide net, targeting a diverse array of industries globally. These include critical sectors such as defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. Beyond these, they have also shown interest in aerospace, healthcare, government, law enforcement, and think tanks. While their influence is global, their campaigns frequently show a strong focus on regions like the United States, Australia, and various parts of East Asia, reflecting strategic national interests. It is worth noting that some in the security community track APT19 and Deep Panda (G0009) as the same entity, although open-source information does not definitively confirm this. However, consistent patterns in infrastructure, malware, and victimology across these groups suggest a coherent operational entity, regardless of the alias used.

Tactics & Techniques

APT19 employs a disciplined and adaptable tradecraft that combines well-known attack vectors with methodical operational persistence, making them a significant threat despite not always relying on highly sophisticated zero-day exploits.

Their initial access methods are varied but commonly involve spear-phishing campaigns. These emails often contain malicious attachments, typically in RTF, XLSM, Word, or Excel formats, designed to deliver initial exploits or macros. APT19 is also known for deploying watering hole attacks, compromising trusted websites such as Forbes.com, to infect visitors with malware. Initial access can also be gained through compromised web servers and Content Management Systems (CMS) where they deploy web shells. They have historically exploited vulnerabilities, including CVE-2017-0199 in Microsoft Windows and zero-day vulnerabilities in Adobe Flash Player and Microsoft Internet Explorer. In some instances, they have used droppers disguised as legitimate installers for software like Juniper VPN, Microsoft ActiveX, or Adobe Reader.

Once inside a network, for execution and persistence, APT19 commonly deploys lightweight backdoors and web shells. They establish persistence through mechanisms such as modifying registry keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and creating scheduled tasks on compromised systems. They leverage scripting tools like PowerShell and command scripts to execute malicious code, often concealing PowerShell windows using the -W Hidden parameter. They may inject payloads into legitimate processes like rundll32.exe and register their malware as a service.

For defense evasion, APT19 frequently obfuscates payloads and commands, often using Base64 encoding, and decrypts strings with single-byte XOR keys. They run their malware through legitimate-looking software to avoid detection and have been observed using application whitelisting bypasses, for example, with macro-enabled XLSM documents or Regsvr32. Rootkits, such as Fire Chili, are also utilized to maintain stealth within compromised systems.

Their focus on credential access and lateral movement is central to their operations. APT19 employs various credential harvesting utilities and is adept at reusing stolen credentials across different platforms—including email, VPN, and cloud-based services—to facilitate lateral movement within networks. They also exploit system tools and manipulate users into opening harmful files to move laterally. For command and control (C2), they primarily use HTTP/HTTPS-based channels, frequently resetting their infrastructure and using legitimate-sounding domain names to blend in. Compromised servers are often leveraged as relay nodes, complicating attribution.

Finally, for discovery and collection, APT19 will scan networks for system details, connected machines, user data, and running processes. They collect vital system information such as hostname, CPU details, MAC addresses, IP addresses, and usernames from victim machines.

Notable Campaigns

APT19 has been implicated in numerous high-profile incidents and sustained campaigns demonstrating its operational capabilities and strategic objectives.

The group’s activity dates back to at least 2013, with early operations involving widespread cyberattack attempts aimed at credential acquisition through phishing and web shells. In March 2013, APT19 was linked to a strategic web compromise campaign that targeted a U.S. Department of Labor website, redirecting visitors to attacker-controlled infrastructure.

A particularly notable incident occurred in 2014, when APT19 was responsible for the compromise of Forbes.com. This sophisticated watering hole attack leveraged zero-day vulnerabilities in both Adobe Flash Player and Microsoft Internet Explorer to infect selected targets. Around the same period, they were observed breaching national security think tanks, initially focusing on Southeast Asia policy and later shifting to issues related to Iraq and the Middle East, possibly aligning with Chinese oil interests in the region. APT19 has also been linked to major data breaches impacting U.S. healthcare giants, including CareFirst BlueCross BlueShield, which resulted in the compromise of over a million customer records.

In 2017, the group conducted a significant phishing campaign that targeted at least seven law and investment firms. These attacks utilized malicious RTF attachments exploiting CVE-2017-0199 and later switched to macro-enabled Microsoft Excel documents, sometimes incorporating application whitelisting bypasses. The year 2018 also saw members of APT19 publicly indicted for their involvement in “hacking for hire” activities, further highlighting their hybrid operational model.

Associated Malware & Tools

APT19 possesses a diverse arsenal of malware and tools, often favoring reliable, custom-developed backdoors and publicly available utilities tailored for their operations rather than complex zero-day exploits. This approach allows them to adapt quickly and maintain stealth.

Key components of their toolkit include custom backdoors and web shells, which are fundamental for establishing and maintaining persistence within compromised environments. They also frequently employ credential harvesting utilities to fulfill their core motivation of data theft and access acquisition.

Among the more widely recognized tools in their possession are:

  • C0d0so0: A custom backdoor with both HTTP and Port 22 variants, designed for command execution and remote control, known for compressing and encoding network traffic to evade detection.
  • Cobalt Strike: A legitimate penetration testing suite frequently abused by APT19 for post-exploitation tasks, including lateral movement, command and control, and payload delivery. They have also been known to use modified versions, such as “Cobalt Strike Cat,” for enhanced evasion.
  • Derusbi: A sophisticated backdoor known for its customized builds, tailored specifically for individual campaigns within Chinese cyber-espionage operations.
  • Empire (EmpireProject): A post-exploitation framework used to generate obfuscated PowerShell macros embedded in malicious documents.
  • 9002 RAT: A Remote Access Trojan deployed for surveillance and data theft.
  • Fire Chili: A rootkit used to deeply embed and hide within compromised systems, enhancing their defense evasion capabilities.
  • Poison Ivy: Another well-known Remote Access Trojan that has been associated with APT19’s operations.

APT19 strategically selects these tools to facilitate lateral movement, maintain command and control, and exfiltrate data across various compromised networks, prioritizing operational effectiveness over technical novelty.

Current Status

APT19 remains an active and formidable cyber threat actor. Despite observations suggesting a decrease in their overt operations at times, the group continues to conduct campaigns that bear the distinct hallmarks of their established tradecraft. This indicates a likely reorganization rather than a cessation of activities, with APT19 maintaining its relevance and posing a continuous danger to entities worldwide.

The group has engaged in sustained cyber espionage operations for over a decade, with reports indicating continued, albeit sometimes smaller-scale, operations from 2019 up to at least 2023 (in the context of the search results). Their methodical, access-based approach, coupled with a focus on long-term access and exploitation of compromised credentials, renders them a particularly dangerous adversary. Organizations must remain vigilant and prioritize robust identity and access management defenses to counter the persistent threat posed by APT19.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call