Threat Intelligence Report: APT10 / FUNKY FLAGPOLE / MenuPass / Stone Panda
Published 2026-06-11 15:17:30. Author: krypt3ia.wordpress.com

Executive Assessment

APT10 is a long-running China-nexus cyber-espionage actor associated in public U.S. government attribution with China’s Ministry of State Security, specifically the Tianjin State Security Bureau, and with contractors at Huaying Haitai Science and Technology Development Company. Public reporting places APT10 activity as active from at least 2006 or 2009, depending on the source taxonomy, with a strategic focus on intellectual property theft, government intelligence collection, and access through managed service providers. (Department of Justice)

APT10’s defining operational pattern is not a single malware family but an access strategy: compromise organizations with privileged access into other organizations, especially MSPs and IT service providers, then use those trusted relationships to reach downstream targets. Operation Cloud Hopper remains the canonical case study for this model, with APT10 using MSP access to compromise client environments across multiple sectors and geographies. (Department of Justice)

The actor’s historical targeting aligns with Chinese state requirements for economic, defense, technological, diplomatic, and strategic intelligence. Public sources describe targeting of healthcare, defense, aerospace, finance, maritime, biotechnology, energy, government, IT services, manufacturing, mining, telecommunications, satellite technology, and other advanced technology sectors. (MITRE ATT&CK)

Attribution and Naming

APT10 is tracked under multiple names across the CTI ecosystem: MenuPass, Stone Panda, Red Apollo, FUNKY FLAGPOLE, CVNX, POTASSIUM, Cicada, HOGFISH, BRONZE RIVERSIDE, Granite Taurus, and Purple Typhoon, among others. MITRE ATT&CK tracks the group as G0045 / menuPass, while public threat-card repositories also map APT10 to overlapping vendor labels such as Stone Panda, Red Apollo, CVNX, POTASSIUM, Earth Kasha, and Cuckoo Spear. (MITRE ATT&CK)

Attribution confidence for the historic APT10 core intrusion set is high because of the 2018 U.S. Department of Justice indictment naming Zhu Hua and Zhang Shilong, alleging their association with the Tianjin State Security Bureau and Huaying Haitai. Attribution becomes less clean when discussing newer “APT10 umbrella” activity, especially Earth Kasha, LODEINFO, and Cuckoo Spear reporting, where some vendors distinguish related intrusion sets rather than treating them as identical to legacy APT10. (Department of Justice)

Strategic Intent

APT10’s operational objective is best assessed as strategic espionage. The group has repeatedly targeted intellectual property, confidential business information, government data, defense-related information, and technology-sector secrets. DOJ reporting states that the group targeted more than 45 technology companies and MSPs, while NCSC reporting identifies broad sector targeting for likely intellectual property theft. (Department of Justice)

The MSP targeting model materially increases strategic value because a single compromise can provide access to multiple client environments. This approach reduces the need for direct intrusion against every final target and creates opportunities for broad collection, credential reuse, lateral movement, and persistent downstream access. (Department of Justice)

Operational History

From roughly 2006 through 2018, U.S. authorities allege that APT10 conducted global computer intrusion campaigns targeting intellectual property and confidential business information. The indictment specifically describes targeting of MSPs, more than 45 technology companies, and U.S. government agencies, including theft of personally identifiable information relating to more than 100,000 U.S. Navy personnel. (Department of Justice)

In 2016 and 2017, APT10 activity surged globally. FireEye/Mandiant reporting described activity across six continents and targeting of manufacturing companies in India, Japan, and Northern Europe, a South American mining company, and multiple IT service providers. That same reporting identified new or expanded tooling, including HAYMAKER, SNUGRIDE, BUGJUICE, SOGU, and customized QUASARRAT. (Google Cloud)

By late 2018, the UK NCSC assessed that APT10 continued to affect UK organizations across a broad range of sectors and that this activity was likely facilitated by targeting of MSPs and other outsourcing providers. NCSC also noted that infections could spread onward to customers or supply-chain entities, which reinforces the group’s trusted-access operational model.

More recent reporting introduces a related but more nuanced picture. Trend Micro tracks Earth Kasha as related to the “APT10 Umbrella” but not necessarily identical to APT10; its 2024 reporting noted LODEINFO use against Japan, Taiwan, and India, including exploitation of public-facing applications such as SSL-VPN and file-storage services. In March 2025, Trend Micro observed Earth Kasha targeting Taiwan and Japan using spear-phishing, malicious Excel content, ANEL, possible SharpHide use, and NOOPDOOR as a second-stage backdoor. (www.trendmicro.com)

Cybereason’s Cuckoo Spear reporting ties multiple incidents to the APT10 intrusion set and describes long-duration stealthy persistence in Japanese victim networks, with NOOPDOOR and NOOPLDR as important elements of the newer arsenal. This should be treated as moderate-to-high confidence for linkage to the broader APT10 ecosystem, but not as simple evidence that every LODEINFO or Earth Kasha event is legacy APT10. (Cybereason)

Tactics, Techniques, and Procedures

Initial Access

APT10 has used spear-phishing with malicious Office documents, executables disguised as documents, and malicious files requiring user execution. MITRE maps this behavior to T1566.001 Spearphishing Attachment and T1204.002 User Execution: Malicious File. (MITRE ATT&CK)

The group also abuses trusted relationships, especially MSP access, mapped to T1199 Trusted Relationship. This is one of the actor’s most important strategic TTPs because it allows APT10 to move from service-provider environments into customer networks using legitimate administrative channels and shared credentials. (MITRE ATT&CK)

Related “APT10 umbrella” reporting shows an additional shift toward exploitation of public-facing infrastructure, including SSL-VPN and file-storage products, as observed in Earth Kasha campaigns against Japan, Taiwan, and India. Trend Micro cites abuse of vulnerabilities affecting Array AG, Proself, and FortiOS/FortiProxy in that context. (www.trendmicro.com)

Execution and Persistence

APT10 has used command-line execution, PowerShell, malicious macros, DLL search-order hijacking, InstallUtil, WMI, scheduled tasks, and legitimate administrative tools. MITRE maps these behaviors to techniques including T1059.001 PowerShell, T1059.003 Windows Command Shell, T1218.004 InstallUtil, T1047 Windows Management Instrumentation, and T1053.005 Scheduled Task. (MITRE ATT&CK)

Malware families and tools associated with APT10 include SOGU, HAYMAKER, SNUGRIDE, BUGJUICE, QUASARRAT, RedLeaves, PlugX, UPPERCUT/ANEL, ChChes, and, in newer related reporting, LODEINFO, NOOPDOOR, and NOOPLDR. FireEye/Mandiant described HAYMAKER and SNUGRIDE as first-stage backdoors and BUGJUICE and customized QUASARRAT as second-stage backdoors during the 2016–2017 resurgence. (Google Cloud)

Credential Access and Lateral Movement

APT10 has used valid accounts, credential dumping, Ntdsutil, modified pentest tooling such as wmiexec.vbs and secretsdump.py, RDP, SSH, SMB/admin shares, WMI, and scheduled-task execution for lateral movement. MITRE maps these behaviors to T1078 Valid Accounts, T1003 OS Credential Dumping, T1021 Remote Services, T1047 WMI, and T1053.005 Scheduled Task. (MITRE ATT&CK)

The MSP model amplifies lateral movement risk because APT10 can use valid administrative relationships between service providers and customers. This is operationally distinct from commodity intrusion: the adversary may appear as a legitimate service account, support workflow, RMM session, or administrative connection. (MITRE ATT&CK)
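One way to hunt for the trusted-access pattern described above in authentication telemetry, as an added example written for this page rather than code from the report or any of its cited sources: the script baselines which provider-to-client logon paths are normal, then flags first-seen paths from the provider management range, service-account logons outside the agreed maintenance window, and interactive RDP (logon type 10) from the provider range. The 10.50.0.0/24 management range, the host and account names, the 01:00-05:00 window and the sample 4624-style records are all constructed assumptions.

```python
"""Hunt for anomalous service-provider-to-client authentication paths.

Baselines which (account, source, destination) triples are normal from a
training window of logon events, then flags: (1) first-seen paths from the
MSP management range into client hosts, (2) service-account logons outside
the maintenance window, and (3) interactive RDP (logon type 10) from the MSP
range, which should be rare for automated management traffic.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Assumptions for this example: the provider's management range, the accounts
# the provider uses, and the agreed maintenance window (01:00-05:00 local).
MSP_RANGE = ipaddress.ip_network("10.50.0.0/24")
SERVICE_ACCOUNTS = {"svc_msp_backup", "svc_msp_monitor"}
MAINT_WINDOW = (1, 5)  # start hour inclusive, end hour exclusive

# Constructed records modelled on Windows Security 4624 fields:
# (timestamp, logon_type, account, source_ip, target_host)
BASELINE_EVENTS = [
    ("2024-03-01T02:10:00", 3, "svc_msp_backup", "10.50.0.10", "CLIENT-FS01"),
    ("2024-03-02T02:12:00", 3, "svc_msp_backup", "10.50.0.10", "CLIENT-FS01"),
    ("2024-03-03T02:09:00", 3, "svc_msp_monitor", "10.50.0.11", "CLIENT-DC01"),
    ("2024-03-04T02:11:00", 3, "svc_msp_monitor", "10.50.0.11", "CLIENT-DC01"),
]

DETECTION_EVENTS = [
    ("2024-03-10T02:15:00", 3, "svc_msp_backup", "10.50.0.10", "CLIENT-FS01"),   # normal
    ("2024-03-10T14:42:00", 3, "svc_msp_backup", "10.50.0.10", "CLIENT-DC01"),   # new path, off window
    ("2024-03-10T23:05:00", 10, "svc_msp_monitor", "10.50.0.11", "CLIENT-DC01"), # RDP from MSP range
    ("2024-03-10T09:00:00", 2, "jdoe", "10.20.1.55", "CLIENT-WS17"),            # local user, out of scope
]


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    source_ip: str
    target_host: str
    timestamp: str


def _in_window(ts: datetime) -> bool:
    start, end = MAINT_WINDOW
    return start <= ts.hour < end


def build_baseline(events):
    """Return the set of (account, source_ip, target_host) triples seen in training data."""
    return {(acct, src, dst) for _, _, acct, src, dst in events}


def hunt(events, baseline):
    """Evaluate logon events against the baseline; only the provider trust path is in scope."""
    findings = []
    for ts_str, logon_type, acct, src, dst in events:
        ts = datetime.fromisoformat(ts_str)
        if ipaddress.ip_address(src) not in MSP_RANGE:
            continue
        if (acct, src, dst) not in baseline:
            findings.append(Finding("new-msp-path", acct, src, dst, ts_str))
        if acct in SERVICE_ACCOUNTS and not _in_window(ts):
            findings.append(Finding("service-account-off-window", acct, src, dst, ts_str))
        if logon_type == 10:
            findings.append(Finding("rdp-from-msp-range", acct, src, dst, ts_str))
    return findings


def summarize(findings):
    """Count findings per rule so a triage queue can be prioritised."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for f in hunt(DETECTION_EVENTS, base):
        print(f)
```

In production the baseline would come from weeks of logon history rather than four records, and a first-seen path from the provider range should be correlated with change tickets before it is escalated; the point is that the provider's own valid credentials are the thing being watched, not a malware signature.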

Collection and Exfiltration

APT10 has collected local files, data from network shared drives, Active Directory information, and staged data before exfiltration. MITRE maps this to T1005 Data from Local System, T1039 Data from Network Shared Drive, T1119 Automated Collection, T1074 Data Staged, and T1560 Archive Collected Data. (MITRE ATT&CK)

The group has compressed and encrypted data prior to exfiltration, including use of TAR and RAR in prior reporting. Staging has included local and remote staging, with MITRE noting multi-part archives and remote MSP systems or victim networks as staging locations in historical activity. (MITRE ATT&CK)

Defensive Assessment

Organizations facing the highest exposure to APT10 are those that either hold strategically valuable data or serve as access brokers into other environments. This includes managed service providers, managed security service providers, IT outsourcing firms, cloud service integrators, defense contractors, aerospace companies, healthcare and biotechnology firms, telecommunications providers, maritime organizations, energy-sector entities, government agencies, and advanced technology manufacturers. The common factor across these sectors is not simply data value, but operational leverage. APT10’s targeting of service providers demonstrates a preference for environments where one compromise can unlock access to many downstream victims.

Defensive priorities therefore need to extend beyond conventional malware detection. APT10’s tradecraft relies heavily on trusted relationships, valid credentials, native administrative tooling, remote access pathways, and service-provider connectivity. As a result, organizations should prioritize controls around identity, delegated access, privileged account governance, remote administration, MSP-to-client segmentation, and outbound traffic monitoring. Pure endpoint blocking is insufficient against an actor that can blend into administrative workflows and use legitimate access paths to move laterally, collect data, and maintain persistence.

High-value detection engineering should focus on behavioral patterns that expose this trusted-access model. Analysts should look for unusual MSP-to-client authentication paths, service-account logins outside normal operating windows, unexpected remote administration activity, and anomalous RDP, WMI, or SMB lateral movement. Additional priority detections should cover suspicious execution of tools such as csvde.exe, ntdsutil, net user, robocopy, certutil, InstallUtil.exe, wmiexec, and secretsdump, especially when observed from administrative hosts or service-provider infrastructure. Archive staging in unusual directories, outbound traffic from management servers, and suspicious delivery or exfiltration patterns involving OneDrive or external file-sharing services should also be treated as high-priority investigation leads.

APT10 Threat Card

Field | Assessment
Primary Name | APT10
Common Aliases | MenuPass, Stone Panda, Red Apollo, FUNKY FLAGPOLE, CVNX, POTASSIUM, Cicada, HOGFISH, BRONZE RIVERSIDE, Granite Taurus, Purple Typhoon
MITRE ID | G0045 / menuPass
Assessed Sponsor | China-nexus; public U.S. attribution links named members to China’s MSS Tianjin State Security Bureau
Associated Contractor | Huaying Haitai Science and Technology Development Company
Active Since | At least 2006 per DOJ/MITRE; at least 2009 per FireEye/NCSC tracking
Primary Motivation | Espionage, intellectual property theft, strategic technology collection, government and defense intelligence
Signature Operational Model | MSP and trusted-relationship compromise to reach downstream customers
Target Geography | Global, with repeated emphasis on Japan, United States, United Kingdom, Europe, India, and Asia-Pacific
Target Sectors | MSPs, IT services, government, defense, aerospace, healthcare, biotechnology, finance, maritime, telecommunications, energy, mining, manufacturing, advanced technology
Key Campaigns | Operation Cloud Hopper; Japanese media/public-sector targeting; APT10 umbrella activity including Earth Kasha and Cuckoo Spear reporting
Common Initial Access | Spear-phishing attachments, malicious Office documents, trusted relationship abuse, exploitation of public-facing applications in related umbrella activity
Common Malware/Tools | SOGU, HAYMAKER, SNUGRIDE, BUGJUICE, QUASARRAT, PlugX, RedLeaves, UPPERCUT/ANEL, ChChes, LODEINFO, NOOPDOOR, NOOPLDR
Common Admin/LOLBins | PowerShell, cmd, WMI, RDP, SMB/admin shares, csvde.exe, certutil, ntdsutil, net user, robocopy, InstallUtil.exe
Collection Pattern | AD enumeration, local and network-share collection, data staging, compression, encryption, exfiltration
Confidence | High for historic APT10 attribution and MSP tradecraft; moderate for newer “APT10 umbrella” clustering where vendors distinguish related intrusion sets

Sources for the card: MITRE ATT&CK, DOJ, NCSC, FireEye/Mandiant, Trend Micro, Cybereason, and ETDA threat-card mapping. (MITRE ATT&CK)

Priority MITRE ATT&CK Mapping

Tactic | Technique | Relevance
Resource Development | T1583.001 Acquire Infrastructure: Domains | Registered malicious domains for intrusion infrastructure
Initial Access | T1566.001 Spearphishing Attachment | Malicious Office documents and disguised executable delivery
Initial Access | T1199 Trusted Relationship | MSP and service-provider access into downstream targets
Initial Access | T1190 Exploit Public-Facing Application | Observed in related APT10 umbrella/Earth Kasha activity
Execution | T1059.001 PowerShell | PowerShell and PowerSploit activity
Execution | T1059.003 Windows Command Shell | Command-line and reverse-shell execution
Defense Evasion | T1140 Deobfuscate/Decode Files or Information | certutil and decoding behavior
Defense Evasion | T1027.013 Encrypted/Encoded File | Encoded malware strings and obfuscation
Credential Access | T1003 OS Credential Dumping | Modified tools, Ntdsutil, secretsdump-style activity
Discovery | T1087.002 Account Discovery: Domain Account | AD enumeration via csvde.exe and related tooling
Discovery | T1018 Remote System Discovery | Network enumeration and net view /domain behavior
Lateral Movement | T1021 Remote Services | RDP, SSH, SMB/admin share movement
Lateral Movement | T1047 Windows Management Instrumentation | WMI lateral execution
Collection | T1005 Data from Local System | File collection from compromised endpoints
Collection | T1039 Data from Network Shared Drive | Network-share collection using mounted shares and Robocopy
Collection | T1074 Data Staged | Local and remote staging before exfiltration
Collection | T1560 Archive Collected Data | TAR/RAR compression and encrypted archives

Technique basis: MITRE ATT&CK’s G0045 / menuPass entry and associated source references. (MITRE ATT&CK)

APT10 should be treated as a strategic supply-chain and trusted-access espionage threat rather than merely a phishing-and-malware actor. The highest-risk exposure is not only direct compromise by APT10 tooling, but compromise of a provider, contractor, cloud integrator, or administrative trust path that gives the actor quiet access into many downstream environments. For defensive prioritization, monitor identity, administrative tooling, delegated access, MSP connectivity, and data staging before focusing narrowly on malware-family signatures.

The IOC appendix below is sourced from the FBI’s APT10 FLASH, FortiGuard’s 2019 APT10 activity report, and MITRE/Mandiant context used to separate actor-linked indicators from broader tooling. FBI’s FLASH explicitly presents the APT10 indicators as high-confidence and includes REDLEAVES, UPPERCUT/ANEL, and CHCHES hash artifacts; FortiGuard provides later APT10-linked loader, PlugX, Quasar, domain, and IP indicators.

A.1 Scope Note

This appendix contains indicators publicly associated with APT10, also tracked as MenuPass, Stone Panda, Red Apollo, CVNX, POTASSIUM, Cicada, HOGFISH, BRONZE RIVERSIDE, Granite Taurus, and Purple Typhoon. Indicators are divided into high-confidence APT10 reporting and APT10-linked or APT10-associated activity. All network indicators are defanged.

These IOCs should be used for retrospective hunting, enrichment, clustering, and detection engineering. Because many indicators are historic and infrastructure may have been abandoned, matches should be triaged against timestamp, endpoint context, process ancestry, authentication telemetry, lateral movement evidence, and data-staging behavior.

A.2.1 Domains and Subdomains

APT10-linked FortiGuard 2019 activity

A.2.2 URLs and URI Paths

A.2.3 IP Addresses

A.2.4 Ports and Protocols

A.3.1 SHA256 Hashes

Loader v1

Loader v2

.NET Downloader

Quasar RAT

A.3.2 MD5 Hashes

REDLEAVES

UPPERCUT / ANEL

CHCHES

A.4.1 Malware Families

A.4.2 Associated Loaders, Payload Names, and Files

A.4.3 Notable File Path

A.5.1 Mutexes

A.5.2 Registry Persistence

A.5.3 Service Names

A.5.4 Service Command Artifact

A.6.1 REDLEAVES Configuration Structure

Observed REDLEAVES communication characteristics:

A.6.2 UPPERCUT / ANEL Beacon Pattern

Decrypted logical structure:

Encryption and encoding artifacts:

A.6.3 CHCHES Beacon Pattern

Decrypted CHCHES cookie structure:

Known fixed value:

C2 response artifact:

Second-stage request pattern:

A.7.1 REDLEAVES Certificate Artifacts

Associated certificate subject noted in reporting:

A.7.2 CHCHES Certificate Artifacts

A.7.3 Quasar Certificate Artifact

  1. Treat direct matches on malware hashes, unique mutexes, known malicious domains, and APT10-specific C2 patterns as high-priority triage events.
  2. Treat IP-only matches cautiously, especially for historic infrastructure, unless paired with domain resolution, process execution, suspicious authentication, or lateral movement telemetry.
  3. Prioritize correlations involving service-provider access paths, delegated administration, RDP, WMI, SMB/admin shares, service creation, archive staging, and outbound traffic from administrative hosts.
  4. Do not rely solely on PlugX, Quasar RAT, Poison Ivy, or generic LOLBin usage for attribution. Those tools are not exclusive to APT10.
  5. Use this appendix for enrichment and hunting, not as a standalone attribution basis.

Article source: https://krypt3ia.wordpress.com/2026/06/11/threat-intelligence-report-apt10-funky-flagpole-menupass-stone-panda/