Ke3chang
Aliases: APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL, Nylon Typhoon
Ke3chang is a threat group attributed to actors operating out of China. Since at least 2010 it has targeted organizations in the oil, government, diplomatic, military, and NGO sectors in Central and South America, the Caribbean, Europe, and North America.
ATT&CK techniques
T1114.002 Email Collection: Remote Email Collection
T1105 Ingress Tool Transfer
T1087.001 Account Discovery: Local Account
T1033 System Owner/User Discovery
T1614.001 System Location Discovery: System Language Discovery
T1087.002 Account Discovery: Domain Account
T1140 Deobfuscate/Decode Files or Information
T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket
T1021.002 Remote Services: SMB/Windows Admin Shares
T1041 Exfiltration Over C2 Channel
T1119 Automated Collection
T1083 File and Directory Discovery
T1133 External Remote Services
T1018 Remote System Discovery
T1003.002 OS Credential Dumping: Security Account Manager
T1016 System Network Configuration Discovery
T1588.002 Obtain Capabilities: Tool
T1020 Automated Exfiltration
T1007 System Service Discovery
T1543.003 Create or Modify System Process: Windows Service
T1190 Exploit Public-Facing Application
T1036.005 Masquerading: Match Legitimate Name or Location
T1569.002 System Services: Service Execution
T1005 Data from Local System
T1071.004 Application Layer Protocol: DNS
T1213.002 Data from Information Repositories: Sharepoint
T1027 Obfuscated Files or Information
T1059 Command and Scripting Interpreter
T1036.002 Masquerading: Right-to-Left Override
T1560 Archive Collected Data
T1069.002 Permission Groups Discovery: Domain Groups
T1560.001 Archive Collected Data: Archive via Utility
T1003.003 OS Credential Dumping: NTDS
T1057 Process Discovery
T1003.001 OS Credential Dumping: LSASS Memory
T1587.001 Develop Capabilities: Malware
T1071.001 Application Layer Protocol: Web Protocols
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1078 Valid Accounts
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1049 System Network Connections Discovery
T1056.001 Input Capture: Keylogging
T1003.004 OS Credential Dumping: LSA Secrets
T1078.004 Valid Accounts: Cloud Accounts
T1082 System Information Discovery