>samit_hota
Back to adversary profiles
G0114HighActive

Chimera (G0114): Enduring Espionage in High-Tech and Aviation

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intellectual Property Theft, Data Theft
Aliases
None documented
Target Sectors
Semiconductor, Aviation, High-Tech
Associated Malware
Cobalt Strike, Skeleton Key Injector, DSInternals PowerShell module, Mimikatz, BloodHound, PsExec, modified WinRAR, gzip, custom Python tool (Get.exe)
#threat-actor#g0114

Overview

Chimera, identified by MITRE ATT&CK as G0114, is a sophisticated and patient threat actor that has been active since at least 2018. This group is strongly suspected to be China-based and is believed to operate in support of Chinese state interests, focusing heavily on cyber espionage. They have been tracked by various security researchers under aliases such as Bronze Vapor (SecureWorks), Red Charon (PWC), THORIUM (Microsoft), Tumbleweed Typhoon (Microsoft), and Nuclear Taurus (Palo Alto).

The primary motivation behind Chimera’s operations is information theft and espionage. This includes the highly strategic acquisition of intellectual property, such as IC chip designs, software development kits, source code, and firmware documentation, from the semiconductor industry. Beyond this, Chimera also targets the airline industry to steal passenger data, which is likely used for tracking specific individuals like executives, researchers, or government officials, indicating an intelligence gathering objective. Their activities have predominantly targeted Taiwan’s critical semiconductor manufacturing sector, which plays a crucial role in the global technology supply chain, but their scope has expanded to other chipmaking firms worldwide, and they’ve been observed targeting entities in the Netherlands and other geographical areas.

Tactics & Techniques

Chimera’s operational methodology is characterized by patience and precision, often maintaining a long dwell time within compromised networks, sometimes for years, before detection. Their initial access typically relies on credential-based attacks. They commonly harvest valid credentials from public breach databases and dark web dumps, then use these in credential stuffing or password spraying attacks against internet-facing services like VPNs, webmail, and Citrix portals. Phishing is also a likely method for credential harvesting.

Once initial access is gained, Chimera establishes persistence through various methods, including creating scheduled tasks to invoke tools like Cobalt Strike and abusing legitimate accounts, including domain accounts. They also employ DLL sideloading, abusing legitimate applications to load malicious DLLs, making detection harder as the malicious code runs within trusted processes. For privilege escalation, they leverage techniques like scheduled tasks and valid domain accounts.

Lateral movement is a key strength for Chimera, facilitated by tools like Cobalt Strike beacons, RDP, Windows admin shares, and WinRM. A notable technique involves the deployment of a custom Active Directory tool called “Skeleton Key Injector,” which can compromise domain controllers to implant a general key, effectively granting the adversary universal access across the entire domain. This enables them to move through networks with ease, masquerading as legitimate users.

For command and control, Chimera frequently uses Cobalt Strike beacons and leverages public cloud services, including Google Cloud Platform and Microsoft cloud services, to host their C2 infrastructure, making attribution and tracking more challenging.

Discovery efforts involve a wide array of commands and tools. They use fsutil fsinfo drives, systeminfo, and vssadmin list shadows to gather system information. Network scanning is performed using a custom Python tool packed as Get.exe and commands like get -b -e -p. They enumerate network shares with net share and net view, identify domain trust relationships with nltest /domain_trusts, and use ipconfig, Ping, and tracert for local network enumeration. They also utilize DSInternals PowerShell module for Active Directory operations.

Credential access is a critical part of their playbook. Chimera collects credentials from previous breaches and employs password spraying and credential stuffing. They have been observed dumping password hashes from domain users by obtaining the SYSTEM registry and ntds.dit files, specifically using tools like NtdsAudit or the DSInternals PowerShell module. In some cases, they’ve even registered alternate phone numbers for compromised users to intercept two-factor authentication (2FA) codes sent via SMS.

Defense evasion is deeply integrated into their operations. They rename malware to appear legitimate (e.g., GoogleUpdate.exe, jucheck.exe) and use DLL sideloading. They clear event logs, perform file deletion, and timestomp (modify file timestamps) to obscure their activities. PowerShell commands are often encoded to avoid detection. The “Skeleton Key Injector” malware also serves as a potent defense evasion technique by allowing unauthenticated access.

For data collection, Chimera targets documents from SharePoint, network shares, and remote mailboxes. They actively seek out intellectual property like IC designs, SDKs, source code, and firmware. Stolen data is often staged locally on compromised hosts or on designated servers within the victim environment before exfiltration. Exfiltration is commonly conducted via Cobalt Strike C2 beacons or by uploading data to cloud storage services like OneDrive accounts. They’ve also been observed using modified WinRAR and gzip to archive and compress data.

Notable Campaigns

The most prominent campaign associated with Chimera is “Operation Skeleton Key,” identified by CyCraft. This operation, active between late 2018 and late 2019, specifically targeted Taiwanese semiconductor vendors. During this campaign, the group demonstrated their ability to persist within victim networks for extended periods, sometimes over a year, compromising numerous endpoints and accounts. The campaign notably involved the use of the “Skeleton Key Injector” malware to compromise Active Directory servers, providing pervasive access throughout the victim’s domain. Reports also indicate that Chimera may be linked to a long-running intrusion into chipmaker NXP, where attackers spent over two years looting secrets before detection, starting as early as late 2017.

Associated Malware & Tools

Chimera employs a blend of commercially available penetration testing tools and custom-built malware. The centerpiece of their toolset is Cobalt Strike, which serves as their primary remote access and command-and-control (C2) platform. They deploy Cobalt Strike beacons for persistent access and command execution across victim networks.

Another critical custom tool is the Skeleton Key Injector. This specialized Active Directory tool is designed to compromise domain controllers and implant a “skeleton key” that grants access without valid credentials. The Skeleton Key Injector is understood to contain code extracted from other tools like Dumpert and Mimikatz, showcasing Chimera’s ability to synthesize and customize existing capabilities.

Other legitimate and readily available tools frequently leveraged by Chimera include:

  • DSInternals PowerShell module: Used for various Active Directory operations, including credential extraction.
  • Mimikatz: For dumping credentials.
  • BloodHound: For network mapping and identifying attack paths.
  • PsExec: For lateral movement and execution.
  • Modified WinRAR: Used for archiving and compressing data before exfiltration on Windows systems.
  • gzip: Used for data archiving on Linux hosts.
  • Custom Python tool (Get.exe): Employed for network scanning.
  • Custom DLLs: Utilized for persistence through DLL sideloading.

Current Status

Chimera remains an active and relevant threat. The group has been continuously monitored by security researchers since at least 2018. While some of the publicly detailed campaigns, such as “Operation Skeleton Key,” concluded around late 2019, threat intelligence reports from early 2021 by NCC Group and Fox-IT confirm ongoing activity involving Chimera, particularly their abuse of cloud services for data exfiltration. The MITRE ATT&CK entry for Chimera (G0114) was last modified in September 2024, indicating that the group’s tactics, techniques, and procedures are still actively tracked and considered relevant in the threat landscape. Their strategic targeting of high-value intellectual property and sensitive data suggests a persistent, state-sponsored cyber espionage agenda. Organizations in the semiconductor and aviation sectors, particularly those with ties to Taiwan, should maintain a high level of vigilance against Chimera’s sophisticated and patient methods.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call