Cinnamon Tempest
Aliases: DEV-0401, Emperor Dragonfly, BRONZE STARLIGHT
Cinnamon Tempest is a China-based threat group that has been active since at least 2021, deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate its ransomware on an affiliate model and does not purchase access; it appears to act independently in all stages of the attack lifecycle. Based on its victimology, the short lifespan of each ransomware variant, and its use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.
ATT&CK techniques
T1047: Windows Management Instrumentation
T1574.001: DLL Search Order Hijacking
T1105: Ingress Tool Transfer
T1484.001: Group Policy Modification
T1567.002: Exfiltration to Cloud Storage
T1588.002: Tool
T1078: Valid Accounts
T1657: Financial Theft
T1090: Proxy
T1078.002: Domain Accounts
T1190: Exploit Public-Facing Application
T1059.006: Python
T1140: Deobfuscate/Decode Files or Information
T1021.002: SMB/Windows Admin Shares
T1572: Protocol Tunneling
T1080: Taint Shared Content
T1543.003: Windows Service
T1574.002: DLL Side-Loading
T1059.001: PowerShell
T1059.003: Windows Command Shell