>samit_hota
Back to adversary profiles
G1023HighActive

APT5 (Mulberry Typhoon): Profile of a Sophisticated China-Based Espionage Actor

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intellectual Property Theft
Aliases
Mulberry Typhoon, MANGANESE, BRONZE FLEETWOOD, Keyhole Panda, UNC2630
Target Sectors
Telecommunications, Aerospace, Defense, High-Tech, Government, Technology, Satellite Communications
Associated Malware
Elise, LStudio, Samurai, BRIGHTCREST, SWEETCOLA, SLOWPULSE, RADIALPULSE, ATRIUM, BLOODMINE, THINBLOOD, CLEANPULSE, gh0st RAT
#threat-actor#g1023

Overview

APT5 (G1023), also known by aliases such as Mulberry Typhoon, MANGANESE, BRONZE FLEETWOOD, Keyhole Panda, and UNC2630, is a highly sophisticated cyber espionage group. This actor is widely attributed to China and has been active since at least 2007. Its primary motivation is cyber espionage, aiming to collect intelligence, sensitive information, and intellectual property aligned with China’s strategic objectives.

The group’s targeting is broad but strategically focused, predominantly impacting the telecommunications, aerospace, and defense industries. Beyond these core sectors, APT5 also targets high-tech and government entities. A particular emphasis has been observed on satellite communications technology and regional telecommunications providers. Geographically, their operations span the U.S., Europe, and Asia, with a notable focus on Southeast Asian nations such as Vietnam, the Philippines, and Indonesia, as well as critical U.S. territories like Guam. APT5 is understood to be a large threat group, often comprising several subgroups, each potentially operating with distinct tactics and infrastructure.

Tactics & Techniques

APT5 exhibits advanced tradecraft, consistently adapting its tactics, techniques, and procedures (TTPs) to achieve long-term persistence and evade detection. Their initial access methods frequently involve exploiting public-facing applications, particularly vulnerabilities in networking devices. They are renowned for leveraging zero-day exploits, as well as rapidly weaponizing newly disclosed vulnerabilities.

A key focus for APT5 has been the exploitation of various Virtual Private Network (VPN) appliances and Application Delivery Controllers (ADCs). Notable past campaigns include the exploitation of vulnerabilities in Pulse Secure VPNs (CVE-2019-11510, CVE-2018-13379, CVE-2021-22893) and Citrix ADCs (CVE-2022-27518). These exploits often enable pre-authenticated remote code execution, granting the group initial access to victim networks and bypassing normal authentication controls. Beyond exploiting network infrastructure, APT5 also utilizes spear-phishing emails and watering hole attacks to gain initial footholds. In some instances, they have been observed compromising small office/home routers to build infrastructure for their operations.

Once inside a network, APT5 deploys custom malware and Remote Access Trojans (RATs) to maintain persistence. They frequently install web shells on compromised servers, including VPN appliances, to ensure continued access. The group is also known for creating local administrator accounts, which can bypass existing credential management controls, and modifying legitimate binaries and scripts (e.g., the DSUpgrade.pm file for Pulse Secure VPNs) to install backdoors like the ATRIUM webshell.

For defense evasion, APT5 employs meticulous operational security measures. They routinely clear SSL VPN log files, command histories on ESXi servers, and delete scripts and web shells to remove forensic evidence. They have been observed modifying file timestamps to obscure their activities and use legitimate system utilities (“living off the land”) to blend in with normal network traffic. Command and control (C2) communications often utilize encrypted channels and legitimate network protocols, and data is frequently staged in common user directories (e.g., C:\Users\Public) before exfiltration.

Credential access is a high priority, with APT5 using malware with keylogging capabilities and employing tools like Mimikatz to dump cleartext passwords and NTLM hashes from memory. They also harvest credentials from VPN login flows and copy the Security Account Manager (SAM) Registry hive from targeted systems. Lateral movement within compromised environments is achieved through RDP, SSH (including access to ESXi host servers), and by leveraging stolen legitimate account credentials. The group also establishes and utilizes Operational Relay Box (ORB) networks, composed of compromised systems and acquired Virtual Private Servers, to proxy and obfuscate their C2 traffic. Data exfiltration is typically performed using encrypted channels, legitimate network protocols, and often involves compressing files into JAR/ZIP formats, sometimes naming archives to mimic Windows Updates (e.g., KB<digits>.zip) to further evade detection.

Notable Campaigns

APT5 has been linked to several significant campaigns throughout its history. One early campaign, dubbed Operation Lotus Blossom, targeted high-profile organizations across Southeast Asia, including compromising Vietnamese government networks and military and defense contractors in the Philippines to steal sensitive information.

Between 2019 and 2021, APT5, particularly under the alias UNC2630, heavily engaged in widespread exploitation of Pulse Secure VPN vulnerabilities. They rapidly leveraged publicly disclosed vulnerabilities like CVE-2019-11510 and CVE-2018-13379 to obtain VPN session data and credentials. Later, they exploited a zero-day vulnerability, CVE-2021-22893, in fully patched Pulse Secure devices, targeting U.S. defense contractors and government organizations. This campaign involved deploying multiple web shells, including ATRIUM and SLIGHTPULSE, and custom malware families.

In late 2022, APT5 was identified exploiting a zero-day vulnerability, CVE-2022-27518, in Citrix Application Delivery Controllers (ADCs) and Gateway devices, which allowed pre-authenticated remote code execution. The National Security Agency (NSA) issued specific threat hunting guidance in December 2022, detailing artifacts and TTPs associated with this activity.

The group is also associated with SPACEHOP Activity, a network of compromised systems leveraged by APT5 and other China-nexus threat actors. This network has been used for extensive network reconnaissance, scanning, and vulnerability exploitation, primarily targeting entities in North America, Europe, and the Middle East. More recently, in 2023, under its alias Mulberry Typhoon, APT5 continued to target the U.S. defense industrial base, notably with zero-day device exploits, and focused on satellite communications and telecommunications infrastructure in Guam.

Associated Malware & Tools

APT5 employs a diverse arsenal of custom malware and legitimate tools. Historically, they have used malware families such as Elise, LStudio, and Samurai. Other notable custom tools include HTTPTunnel, and backdoors like BRIGHTCREST and SWEETCOLA. They have also utilized the well-known gh0st RAT.

During campaigns targeting Pulse Secure VPNs, APT5 developed and deployed a specific set of tools:

  • SLOWPULSE and RADIALPULSE: Malware families designed to compromise Pulse Secure VPN appliances.
  • ATRIUM and SLIGHTPULSE: Web shells installed on compromised VPN devices for persistence.
  • BLOODMINE: A utility used to parse and extract information from Pulse Secure Connect log files.
  • BLOODBANK: A credential theft utility that parses files containing plaintext hashes or passwords.
  • THINBLOOD: Used to clear SSL VPN log files.
  • CLEANPULSE: A utility that inserts command line strings into targeted processes to prevent specific log events or alter functionality.

Beyond their custom tooling, APT5 leverages various “living off the land” techniques, using native Windows utilities such as PowerShell, cmd.exe, and tasklist.exe for execution and reconnaissance. They are also known to use Mimikatz for credential dumping.

Current Status

APT5 remains an active and formidable threat actor, with recent reporting indicating continuous operations through at least late 2023 and into 2024. The group maintains its focus on strategic cyber espionage against high-value targets in the telecommunications, aerospace, and defense sectors, particularly those with military applications or critical infrastructure ties in the U.S., Europe, and Asia.

Their continued emphasis on exploiting public-facing network devices and utilizing zero-day vulnerabilities underscores their advanced capabilities and resourcefulness. APT5 consistently demonstrates a high level of operational security, as evidenced by their efforts to remove forensic artifacts from compromised systems. Given their persistent nature and alignment with nation-state objectives, APT5 continues to pose a significant and ongoing threat to global critical infrastructure and sensitive information.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call