Also known as: Vixen Panda, Ke3chang, Royal APT, and Playful Dragon
Suspected attribution: Chinese government
Target sectors: Defense, high tech, energy, government, aerospace, manufacturing, and others.
Overview: APT15 is known for conducting cyberespionage against companies and organizations in many countries, targeting sectors such as the oil industry, government contractors, and the military. The group is known for "living off the land": rather than dropping a large custom toolkit, it relies on tools and software already present on the compromised host (built-in administrative utilities and legitimate installed programs) to move and operate, which leaves fewer novel artifacts for defenders to detect. Once inside a target network, the group tailors its malware specifically to that target.
Attack vectors: not yet fully disclosed
IOCs: download from GitHub.
RoyalDNS: bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d
MS Exchange Tool: 16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce
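One practical use of the two SHA-256 values above is a file-system sweep: hash every file under a directory tree and flag any whose digest is on the IOC list. The following is an added example written for this page; it is not part of the original page and not NCC Group's tooling. It also cleans a pasted IOC list (hash lists copied from web pages often carry stray characters such as a trailing `>`, and a silently malformed hash would never match anything). Because no real sample is available, the demo directory and the extra "constructed test sample" hash are constructed inline purely to exercise the matcher; only the two hashes from the page are real IOCs.

```python
"""Sweep a directory tree for files whose SHA-256 matches known APT15 IOC hashes.

Added example, not part of the original page or NCC Group's published tooling.
The two hashes in APT15_SHA256 are the RoyalDNS and MS Exchange tool hashes
from the page; every file used in demo() is constructed in a temp directory.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# SHA-256 IOCs as published on the page (RoyalDNS backdoor, MS Exchange tool).
APT15_SHA256 = {
    "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d": "RoyalDNS",
    "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce": "MS Exchange tool",
}

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalise_iocs(raw: Iterable[str]) -> Dict[str, str]:
    """Clean a pasted 'label: hash' IOC list.

    Lower-cases the digest, strips non-hex debris (e.g. a trailing '>' copied
    from a web page) and drops anything that is not exactly 64 hex characters,
    so a mangled entry is rejected loudly instead of silently matching nothing.
    """
    cleaned: Dict[str, str] = {}
    for line in raw:
        if ":" not in line:
            continue
        label, value = line.rsplit(":", 1)
        digest = re.sub(r"[^0-9a-fA-F]", "", value).lower()
        if _HEX64.match(digest):
            cleaned[digest] = label.strip()
    return cleaned


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, label, sha256) for every regular file under root whose hash is in iocs.

    Symlinks are skipped so a link pointing outside the tree cannot be followed.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digest = sha256_file(p)
            if digest in iocs:
                hits.append((str(p), iocs[digest], digest))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed tree (one benign file, one 'sample') and sweep it.

    We have no real APT15 binary, so the hash of a constructed byte string is
    added to the IOC set under a clearly labelled name to exercise the matcher.
    """
    iocs = dict(APT15_SHA256)
    sample = b"constructed sample - not real APT15 malware"
    iocs[hashlib.sha256(sample).hexdigest()] = "constructed test sample"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"nothing to see here")
        (root / "sub").mkdir()
        (root / "sub" / "dropper.exe").write_bytes(sample)
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, label, digest in demo():
        print(f"MATCH {label}: {path} ({digest})")
```

In a real hunt, point `sweep()` at a mounted disk image or a live host's system drive and feed `normalise_iocs()` the full hash list from the GitHub IOC download rather than the two values hard-coded here. Hash matching only catches unmodified samples; since APT15 tailors its malware per target, treat a clean sweep as absence of these specific builds, not absence of the group.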
The RoyalCli backdoor was attempting to communicate with the following domains:
The BS2005 backdoor utilised the following domains for C2:
The RoyalDNS backdoor was seen communicating with the domain:
Possible linked APT15 domains include:
During our analysis of the decoded attacker commands we noticed a typographical mistake, shown below in the folder name 'systme'. This indicates that a human operative was executing commands on a command-line-style interface, rather than an automated or GUI process.