BlackTech (G0098) Threat Profile: Chinese Cyber Espionage Group
- Suspected Origin
- China
- Motivation
- Espionage, Intelligence Collection, Military Modernization, Geopolitical Influence, Intellectual Property Theft
- Aliases
- Palmerworm
- Target Sectors
- Government, Military, Telecommunications, Media, Construction, Engineering, Electronics, Financial, Technology, Defense Industrial Base
- Associated Malware
- PLEAD, DRIGO, BIFROST, BIFROSE, KIVARS, XBOW, Waterbear, BTSDoor, FakeDead, TSCookie, FrontShell, BendyBear, FlagPro, IconDown, SpiderPig, SpiderSpring, SpiderStack, Consock, Waship, Dalwit, Nomri
Overview
BlackTech, also tracked as Palmerworm (and by other aliases such as Circuit Panda, Canary Typhoon, Earth Hundun, HUAPI, Manga Taurus, Red Djinn, T-APT-03, and Temp.Overboard), is a highly sophisticated cyber espionage group suspected of operating on behalf of the Chinese government. Active since at least 2010, the group’s primary objective is intelligence collection, aligning with China’s strategic interests in regional security, military modernization, international diplomacy, and high-technology advancement. BlackTech is not driven by financial gain but by long-term strategic espionage goals, focusing on establishing persistent surveillance and exfiltrating sensitive data and intellectual property.
The group initially concentrated its efforts on targets in East Asia, particularly Taiwan, Japan, and Hong Kong. However, in recent years, their targeting has expanded, with increased activity observed against organizations in the United States and other Western nations. BlackTech targets a broad spectrum of sectors, including government agencies, military organizations, telecommunications providers, media, construction, engineering, electronics, and financial companies. A key characteristic of BlackTech’s operations is its emphasis on stealth and persistence, often compromising network infrastructure rather than merely endpoint devices. They are adept at exploiting trusted relationships, frequently using compromised international subsidiaries as a pivot point to gain access to the headquarters of multinational corporations, especially those supporting the US and Japanese militaries.
Tactics & Techniques
BlackTech employs a diverse array of tactics, techniques, and procedures (TTPs) designed for stealth, persistence, and defense evasion. Initial access is commonly achieved through spear-phishing campaigns, utilizing malicious attachments (such as weaponized Word or Excel documents) or links to cloud storage services. These attachments often employ the right-to-left-override (RTLO) technique to obfuscate filenames, further deceiving victims. The group is also known to exploit various vulnerabilities, including those in Microsoft Office (CVE-2012-0158, CVE-2014-6352, CVE-2017-0199), Adobe Flash (CVE-2015-5119), and Microsoft Internet Information Services (IIS) 6.0 (CVE-2017-7269).
For persistence and defense evasion, BlackTech utilizes several advanced techniques. A particularly noteworthy TTP is their capability to modify router firmware without detection, allowing them to establish backdoors, disable logging, conceal configuration changes, and hide commands within compromised network infrastructure. They leverage these compromised routers, often branch office appliances, as staging vehicles for lateral movement and to proxy C2 traffic, blending in with legitimate corporate network activity.
Another common evasion technique involves using stolen code-signing certificates to sign their malicious payloads, making them appear legitimate and thus more challenging for security software to detect. BlackTech also heavily relies on “living off the land” (LotL) tactics, employing native system tools and dual-use software like Putty, SNScan, and PsExec to conduct reconnaissance, move laterally, and exfiltrate data, which helps them blend in with normal network activities and evade endpoint detection solutions. Additional techniques include DLL side-loading and API hooking to monitor, intercept, and modify API calls. The group demonstrates significant patience, often remaining undetected on compromised systems for extended periods, sometimes up to a year.
Notable Campaigns
BlackTech has been linked to several significant cyber espionage campaigns over the past decade.
- PLEAD, Shrouded Crossbow, and Waterbear Campaigns: As early as 2017, security researchers identified three interconnected campaigns—PLEAD, Shrouded Crossbow, and Waterbear—attributed to BlackTech. The PLEAD campaign, active since 2012, focused on information theft from Taiwanese government agencies and private organizations, using its namesake backdoor and the DRIGO exfiltration tool. Shrouded Crossbow targeted privatized agencies, government contractors, and companies in consumer electronics, computer, healthcare, and financial sectors, employing BIFROSE, KIVARS, and XBOW backdoors.
- Taiwanese Government Attacks (2018): In 2020, Taiwanese government officials publicly attributed a series of attacks beginning in 2018 to BlackTech, targeting at least 10 government agencies and four technology companies. These attacks reportedly compromised over 6,000 email accounts belonging to officials.
- 2019-2020 Campaign (Symantec): A campaign observed by Symantec, active from August 2019 into 2020, targeted media, construction, engineering, electronics, and financial sectors across Japan, Taiwan, the U.S., and China. This campaign notably marked the first observed direct targeting of the US by BlackTech and involved a new suite of custom malware families.
- Router Firmware Compromises (2023): A joint cybersecurity advisory released in September 2023 by CISA, NSA, FBI, and Japanese agencies highlighted BlackTech’s ongoing capabilities in modifying router firmware without detection and exploiting domain-trust relationships. These operations aimed at pivoting from international subsidiaries to the headquarters of US and Japanese companies.
Associated Malware & Tools
BlackTech consistently updates its arsenal, utilizing both custom-developed malware and legitimate dual-use tools.
Custom Malware Families include:
- PLEAD: A backdoor used for information theft.
- DRIGO: An exfiltration tool specifically designed to locate and steal confidential documents.
- BIFROST (and variants like BIFROSE, KIVARS, XBOW): The group acquired and enhanced the source code for BIFROST, creating sophisticated backdoors, some of which communicate via the Tor protocol and target UNIX-based systems.
- Waterbear: Another backdoor, often used in conjunction with other BlackTech malware.
- BTSDoor: A backdoor typically delivered via spear-phishing, designed to establish covert command and control (C2) channels.
- FakeDead (aka TSCookie): A modular infostealer and loader that employs evasion techniques such as code obfuscation and process injection, often used to deploy TSCookieRAT for persistence.
- FrontShell: A downloader module specifically used for FakeDead.
- BendyBear & FlagPro: Backdoors and downloaders targeting various operating systems, including Windows, Linux, and FreeBSD.
- IconDown, SpiderPig, SpiderSpring, SpiderStack: Additional custom malware families observed in their operations.
- Consock, Waship, Dalwit, Nomri: A suite of previously undocumented backdoors identified in their 2019-2020 campaigns.
Dual-use and Legitimate Tools commonly abused by BlackTech include:
- Putty: Used for remote access.
- SNScan: Utilized for network reconnaissance to identify potential targets.
- PsExec: A legitimate Microsoft tool leveraged for lateral movement within compromised networks.
- WinRAR: Used for archiving and delivering malicious payloads.
- Microsoft PowerShell: Employed for reconnaissance and to inject fileless malware. BlackTech also develops custom scripts and binary files tailored to specific target environments.
Current Status
BlackTech remains an active and highly persistent threat actor, with operations continuing into 2025 and beyond. Recent intelligence, including a joint advisory from US and Japanese cybersecurity agencies in September 2023, confirms their ongoing sophistication and evolving tactics. The group has notably improved its strategies and tools, placing a significant emphasis on compromising network infrastructure, including edge devices, VPNs, and routers. This infrastructure-centric approach allows BlackTech to maintain stealth and persistence over long periods, making them a formidable challenge for network defenders. Organizations, particularly those in East Asia and Western nations, and those operating in critical sectors, must remain vigilant and implement robust defenses against this adaptable and state-sponsored threat.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call