TEMPER PANDA (ac4bce1f-b3ec-4c44-bd36-b6cc986b319b)

China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	TEMPER PANDA (ac4bce1f-b3ec-4c44-bd36-b6cc986b319b)	Threat Actor	1
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	LOWBALL - S0042 (2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b)	Malware	2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	Systeminfo - S0096 (7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1)	mitre-tool	2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11)	mitre-tool	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
BUBBLEWRAP - S0043 (123bd7b3-675c-4b1a-8482-c55782b20e2b)	Malware	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	2
netstat - S0104 (4664b683-f578-434f-919b-1c1aad2a1111)	mitre-tool	admin@338 - G0018 (16ade1aa-0ea1-4bb7-88cc-9079df2ae756)	Intrusion Set	2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5)	Attack Pattern	3
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	3
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	LOWBALL - S0042 (2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	LOWBALL - S0042 (2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	LOWBALL - S0042 (2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b)	Malware	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Systeminfo - S0096 (7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1)	mitre-tool	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11)	mitre-tool	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
BUBBLEWRAP - S0043 (123bd7b3-675c-4b1a-8482-c55782b20e2b)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
BUBBLEWRAP - S0043 (123bd7b3-675c-4b1a-8482-c55782b20e2b)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
BUBBLEWRAP - S0043 (123bd7b3-675c-4b1a-8482-c55782b20e2b)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	3
netstat - S0104 (4664b683-f578-434f-919b-1c1aad2a1111)	mitre-tool	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	4
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	4
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	4
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	4
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	4
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	4
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	4
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	4
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	4
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	4
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	5
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	5
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	5
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	6
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	6