Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | 1 |
| Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) | Malpedia | Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) | Tool | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | 1 |
| Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | 1 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | 9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) | Malpedia | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) | Malware | Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | 1 |
| Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) | Malpedia | Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) | Tool | 2 |
| Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) | Tool | 9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) | Malpedia | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2 |
| System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 2 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | 2 |