menuPass
Aliases: Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH, BRONZE RIVERSIDE
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company. menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.
ATT&CK techniques
T1018 - Remote System Discovery
T1047 - Windows Management Instrumentation
T1036 - Masquerading
T1070.004 - File Deletion
T1046 - Network Service Discovery
T1049 - System Network Connections Discovery
T1560.001 - Archive via Utility
T1566.001 - Spearphishing Attachment
T1105 - Ingress Tool Transfer
T1588.002 - Tool
T1204.002 - Malicious File
T1090.002 - External Proxy
T1078 - Valid Accounts
T1016 - System Network Configuration Discovery
T1568.001 - Fast Flux DNS
T1036.003 - Rename System Utilities
T1056.001 - Keylogging
T1087.002 - Domain Account
T1003.003 - NTDS
T1218.004 - InstallUtil
T1106 - Native API
T1003.002 - Security Account Manager
T1027.013 - Encrypted/Encoded File
T1199 - Trusted Relationship
T1190 - Exploit Public-Facing Application
T1074.002 - Remote Data Staging
T1070.003 - Clear Command History
T1140 - Deobfuscate/Decode Files or Information
T1553.002 - Code Signing
T1053.005 - Scheduled Task
T1055.012 - Process Hollowing
T1074.001 - Local Data Staging
T1021.001 - Remote Desktop Protocol
T1039 - Data from Network Shared Drive
T1003.004 - LSA Secrets
T1083 - File and Directory Discovery
T1036.005 - Match Legitimate Name or Location
T1574.002 - DLL Side-Loading
T1560 - Archive Collected Data
T1059.003 - Windows Command Shell
T1005 - Data from Local System
T1059.001 - PowerShell
T1210 - Exploitation of Remote Services
T1021.004 - SSH
T1119 - Automated Collection
T1583.001 - Domains
T1574.001 - DLL Search Order Hijacking