Skip to content

Hide Navigation Hide TOC

PLATINUM (154e97b5-47ef-415a-99a6-2157f1b50339)

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.

Cluster A Galaxy A Cluster B Galaxy B Level
PLATINUM (154e97b5-47ef-415a-99a6-2157f1b50339) Microsoft Activity Group actor PLATINUM (1fc5671f-5757-43bf-8d6d-a9a93b03713a) Threat Actor 1
PLATINUM (154e97b5-47ef-415a-99a6-2157f1b50339) Microsoft Activity Group actor PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 1
PLATINUM (1fc5671f-5757-43bf-8d6d-a9a93b03713a) Threat Actor PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
adbupd - S0202 (0f1ad2ef-41d4-4b7a-9304-ddae68ea3005) Malware PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set Dipsind - S0200 (e170995d-4f61-4f17-b60e-04f9a06ee517) Malware 2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern PLATINUM - G0068 (f9c06633-dcff-48a1-8588-759e7cec5694) Intrusion Set 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern adbupd - S0202 (0f1ad2ef-41d4-4b7a-9304-ddae68ea3005) Malware 3
adbupd - S0202 (0f1ad2ef-41d4-4b7a-9304-ddae68ea3005) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
adbupd - S0202 (0f1ad2ef-41d4-4b7a-9304-ddae68ea3005) Malware Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware 3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware 3
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware 3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
JPIN - S0201 (de6cb631-52f6-4169-a73b-7965390b0c30) Malware BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern 3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern Dipsind - S0200 (e170995d-4f61-4f17-b60e-04f9a06ee517) Malware 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Dipsind - S0200 (e170995d-4f61-4f17-b60e-04f9a06ee517) Malware 3
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Dipsind - S0200 (e170995d-4f61-4f17-b60e-04f9a06ee517) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Dipsind - S0200 (e170995d-4f61-4f17-b60e-04f9a06ee517) Malware 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Dipsind - S0200 (e170995d-4f61-4f17-b60e-04f9a06ee517) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Dipsind - S0200 (e170995d-4f61-4f17-b60e-04f9a06ee517) Malware 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Dipsind - S0200 (e170995d-4f61-4f17-b60e-04f9a06ee517) Malware 3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 4
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 4
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 4
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4