Ke3chang
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 59 attack patterns (MITRE), 9 malware, 17 countries, 12 indicators, 8 tools, 1 campaign
Aliases
APT15, Mirage, Vixen Panda, Playful Dragon, RoyalAPT, NICKEL, Nylon Typhoon, GREF
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (59)
- T1036.005 · uses · Match Legitimate Resource Name or Location (MITRE)
- T1021.002 · uses · SMB/Windows Admin Shares (MITRE)
- T1041 · uses · Exfiltration Over C2 Channel (MITRE)
- T1040 · uses · Network Sniffing (MITRE)
- T1005 · uses · Data from Local System (MITRE)
- T1530 · uses · Data from Cloud Storage (MITRE)
- T1087.002 · uses · Domain Account (MITRE)
- T1583.005 · uses · Botnet (MITRE)
- T1090 · uses · Proxy (MITRE)
- T1588.002 · uses · Tool (MITRE)
- T1495 · uses · Firmware Corruption (MITRE)
- T1078.004 · uses · Cloud Accounts (MITRE)
Malware (9)
- Neoichor · uses · Family · source: The MITRE Corporation · confidence 100
  [Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea. (Citation: Microsoft NICKEL December 2021)
- MirageFox · uses
- BadBazaar · uses · Family
- Uyghur Telegram · uses · source: AlienVault · confidence 100
- GREF · uses
- FlyGram · uses
- OS X · uses
- Okrum · uses
- Android · uses
Countries (17)
- Hungary · targets
- Brazil · targets
- China · targets
- Hong Kong · targets
- Yemen · targets
- Lithuania · targets
- Singapore · targets
- Germany · targets
- Congo · targets
- Portugal · targets
- Poland · targets
- Australia · targets
Indicators (12)
- xor_0x20_xord_javascript · stix · 100/100 · Revoked · "SHA256 of e368db837edf340e47e85652d6159d6e90725b0d" · valid until 03/12/2024 · source: AlienVault
  Note: the value shown is 40 hexadecimal characters, which is the length of a SHA-1 digest; a SHA-256 digest is 64 characters. Verify the hash type against the AlienVault source before using this value for matching.
Tool (8)
- ipconfig · uses · source: The MITRE Corporation · confidence 100
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- spwebmember · uses · source: The MITRE Corporation · confidence 100
  [spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)
- netstat · uses · source: The MITRE Corporation · confidence 100
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- Systeminfo · uses · source: The MITRE Corporation · confidence 100
  [Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
- Ping · uses · source: The MITRE Corporation · confidence 100
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
- Net · uses · source: The MITRE Corporation · confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Tasklist · uses · source: The MITRE Corporation · confidence 100
  The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
- Mimikatz · uses · source: The MITRE Corporation · confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
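Most of the tools in the list above are built-in Windows utilities (ipconfig, netstat, Systeminfo, Ping, Net, Tasklist) that are individually unremarkable; what stands out in intrusions is several distinct ones run by one user on one host within minutes. The following is an added example, not code from MITRE or from this intelligence platform, that flags such a burst over constructed process-creation records. The pipe-delimited record layout, the 5-minute window and the 4-tool threshold are assumptions; net1.exe is folded into net.exe because net.exe hands most of its subcommands to net1.exe, which would otherwise count one command as two tools.

```python
"""Flag a burst of distinct discovery utilities from one host and user.

Added example, not code from MITRE or from this intelligence platform.
Input records are constructed, simplified process-creation events in a
pipe-delimited form (timestamp|host|user|parent image|command line);
the field layout, the window and the threshold are assumptions.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in utilities listed in the Tool section of this entry.
DISCOVERY_TOOLS = {
    "ipconfig.exe", "netstat.exe", "systeminfo.exe",
    "ping.exe", "net.exe", "tasklist.exe",
}
# net.exe delegates to net1.exe; count the pair as one tool.
NORMALISE = {"net1.exe": "net.exe"}

# Constructed sample log lines (not real telemetry).
SAMPLE_EVENTS = [
    r"2025-12-16T09:00:00|WS01|CORP\alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe /all",
    r"2025-12-16T09:00:30|WS01|CORP\alice|C:\Windows\System32\cmd.exe|net user /domain",
    r"2025-12-16T09:00:31|WS01|CORP\alice|C:\Windows\System32\net.exe|C:\Windows\System32\net1.exe user /domain",
    r"2025-12-16T09:01:00|WS01|CORP\alice|C:\Windows\System32\cmd.exe|systeminfo",
    r"2025-12-16T09:01:30|WS01|CORP\alice|C:\Windows\System32\cmd.exe|tasklist /v",
    r"2025-12-16T09:02:00|WS01|CORP\alice|C:\Windows\System32\cmd.exe|netstat -ano",
    r'2025-12-16T09:02:10|WS01|CORP\alice|C:\Windows\explorer.exe|"C:\Windows\System32\notepad.exe" notes.txt',
    # Isolated uses hours apart on other hosts: no burst.
    r"2025-12-16T10:00:00|WS02|CORP\bob|C:\Windows\System32\cmd.exe|ping 10.0.0.1",
    r"2025-12-16T14:00:00|WS02|CORP\bob|C:\Windows\System32\cmd.exe|ipconfig",
    r"2025-12-16T11:00:00|WS03|CORP\svc_mon|C:\Windows\System32\cmd.exe|systeminfo",
]


def image_basename(cmdline: str) -> str:
    """Return the lower-cased executable name from a command line.

    Handles a quoted path as the first token and adds '.exe' when the
    command was typed without an extension (e.g. 'net user /domain').
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        exe = cmdline.split(None, 1)[0] if cmdline else ""
    name = ntpath.basename(exe).lower()
    if name and "." not in name:
        name += ".exe"
    return name


def parse_event(line: str) -> dict:
    """Parse one constructed record into a dict with a normalised tool name."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    image = image_basename(cmdline)
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "parent": ntpath.basename(parent).lower(),
        "cmdline": cmdline,
        "tool": NORMALISE.get(image, image),
    }


def find_discovery_bursts(lines, window=timedelta(minutes=5), min_distinct=4):
    """Return one finding per (host, user) window holding >= min_distinct tools."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["tool"] in DISCOVERY_TOOLS:
            by_actor[(ev["host"], ev["user"])].append(ev)

    findings = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        i = 0
        while i < len(evs):
            end = evs[i]["time"] + window
            j = i
            while j < len(evs) and evs[j]["time"] <= end:
                j += 1
            chunk = evs[i:j]
            tools = sorted({e["tool"] for e in chunk})
            if len(tools) >= min_distinct:
                findings.append({
                    "host": host,
                    "user": user,
                    "start": chunk[0]["time"],
                    "end": chunk[-1]["time"],
                    "tools": tools,
                    "parents": sorted({e["parent"] for e in chunk}),
                    "commands": [e["cmdline"] for e in chunk],
                })
                i = j  # one burst yields one finding, not one per event
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in find_discovery_bursts(SAMPLE_EVENTS):
        print(f["host"], f["user"], f["start"], "->", f["end"], f["tools"])
```

On the constructed sample this yields a single finding for CORP\alice on WS01 with five distinct tools inside two minutes, while the scattered single uses on WS02 and WS03 produce nothing. In a real pipeline the same logic applies to Security event 4688 or Sysmon event 1 fields; the threshold should be tuned against the baseline of help-desk and monitoring accounts, which legitimately run some of these utilities.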
Campaign (1)
- SPACEHOP Activity · attributed-to