Ke3chang
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 59 attack patterns (MITRE), 9 malware, 17 countries, 12 indicators, 8 tools, 1 campaign
Aliases
APT15, Mirage, Vixen Panda, Playful Dragon, RoyalAPT, NICKEL, Nylon Typhoon, GREF
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (59, first 11 shown)
- T1069.002 uses Domain Groups (MITRE)
- T1533 Data from Local System (MITRE)
- T1082 uses System Information Discovery (MITRE)
- T1569.002 uses Service Execution (MITRE)
- T1422 System Network Configuration Discovery (MITRE)
- T1003.002 uses Security Account Manager (MITRE)
- T1119 uses Automated Collection (MITRE)
- T1007 uses System Service Discovery (MITRE)
- T1036.002 uses Right-to-Left Override (MITRE)
- T1587.001 uses Malware (MITRE)
- T1003.003 uses NTDS (MITRE)
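The T1036.002 entry above is the one technique in this list that a file-name check can catch outright. The following is an added example, not code from this page, from MITRE, or from any Ke3chang tooling: it shows why a U+202E override fools a user (the name is drawn with the trailing characters reversed) while the operating system still acts on the real extension, and it flags any explicit bidi control character in a file name. The sample names are constructed; the single-override rendering model is an approximation noted in the code.

```python
"""Right-to-Left Override (T1036.002) check for file names.

Added example; not code from the page, MITRE, or any Ke3chang tooling.
Sample names below are constructed.
"""
import unicodedata

# Unicode bidi classes of the explicit formatting characters (U+202A-U+202E, U+2066-U+2069).
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
RLO = "\u202e"


def bidi_controls(name):
    """Return the bidi class of every explicit formatting character in `name`."""
    return [unicodedata.bidirectional(ch) for ch in name
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]


def rendered_name(name):
    """Approximate what a bidi-aware file browser draws: text after an RLO is reversed.

    This models the common single-override case only; nested or explicitly closed
    overrides would need the full Unicode bidi algorithm.
    """
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def extension(name):
    """Lower-cased extension after the last dot, or "" if there is none."""
    _, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot else ""


def analyze(name):
    """Compare the extension a user sees with the one the OS will act on."""
    clean = "".join(ch for ch in name
                    if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES)
    shown = rendered_name(name)
    controls = bidi_controls(name)
    real_ext, shown_ext = extension(clean), extension(shown)
    return {
        "name_repr": name.encode("unicode_escape").decode(),  # escape-safe form for logs
        "rendered": shown,
        "controls": controls,
        "rendered_extension": shown_ext,
        "real_extension": real_ext,
        "extension_mismatch": shown_ext != real_ext,
        "suspicious": bool(controls),  # any bidi control in a file name is worth an alert
    }


if __name__ == "__main__":
    for sample in ("invoice\u202efdp.exe", "report.pdf", "photo\u202egnp.scr"):
        print(analyze(sample))
```

Run this over file names from e-mail attachment logs or file-creation telemetry; `name_repr` gives a form that survives logging pipelines which would otherwise re-render the override.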
Malware (9)
- Neoichor (uses, family; source: The MITRE Corporation, confidence 100)
  [Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea. (Citation: Microsoft NICKEL December 2021)
- MirageFox (uses, family; source: The MITRE Corporation, confidence 100)
  [MirageFox](https://attack.mitre.org/software/S0280) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed…
- BadBazaar (uses; source: AlienVault, confidence 100)
- Uyghur Telegram (uses; source: AlienVault, confidence 100)
- GREF (uses; source: AlienVault, confidence 100)
- FlyGram (uses; source: AlienVault, confidence 100)
- OS X (uses; source: AlienVault, confidence 100)
- Okrum (uses, family; source: The MITRE Corporation, confidence 100)
  [Okrum](https://attack.mitre.org/software/S0439) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004). (Citation: ESET Okrum July 2019)
- Android (uses; source: AlienVault, confidence 100)
Countries (17, first 12 shown; relationship: targets)
- Hungary
- Brazil
- China
- Hong Kong
- Yemen
- Lithuania
- Singapore
- Germany
- Congo
- Portugal
- Poland
- Australia
Indicators (12, first shown)
- xor_0x20_xord_javascript SHA256 of e368db837edf340e47e85652d6159d6e90725b0d (type: stix; confidence 100/100; revoked; valid until 03/12/2024; source: AlienVault)
  Note that the value in this indicator is 40 hexadecimal characters, the length of a SHA-1 digest; a SHA-256 digest is 64 hexadecimal characters. Verify the hash type before loading it into a blocklist.
Tool (8)
- ipconfig (uses; source: The MITRE Corporation, confidence 100)
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- spwebmember (uses; source: The MITRE Corporation, confidence 100)
  [spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)
- netstat (uses; source: The MITRE Corporation, confidence 100)
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- Systeminfo (uses; source: The MITRE Corporation, confidence 100)
  [Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
- Ping (uses; source: The MITRE Corporation, confidence 100)
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
- Net (uses; source: The MITRE Corporation, confidence 100)
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Tasklist (uses; source: The MITRE Corporation, confidence 100)
  The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
- Mimikatz (uses; source: The MITRE Corporation, confidence 100)
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
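Six of the eight tools above are built-in Windows discovery utilities that any administrator runs; what distinguishes the group's use is a burst of several of them from one account on one host, followed by credential dumping (T1003.002 via Mimikatz, T1003.003 against NTDS). The detection sketch below is an added example, not code from this page, MITRE, or any vendor: it classifies process-creation events into the technique IDs this page attaches to Ke3chang where the mapping is unambiguous, raises one alert per (host, user) when enough distinct discovery actions land inside a short window, and alerts immediately on the credential-dump patterns. The event field names (`ts`, `host`, `user`, `image`, `cmdline`), the two-minute window, the threshold of four distinct actions, and the sample events are all constructed assumptions.

```python
"""Discovery-burst and credential-dump detection over process-creation events.

Added example, not from the page or MITRE. Events are constructed in a
Sysmon EventID 1 / Security 4688-like shape; field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # burst window (assumption; tune per environment)
MIN_DISTINCT = 4                # distinct discovery actions needed to alert (assumption)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one event to ("discovery" | "credential", label) or (None, None).

    Labels are ATT&CK IDs from this page where the command maps to one cleanly;
    otherwise the utility name from the page's Tool list is used as the label.
    """
    image = _basename(event["image"])
    cmd = " " + " ".join(event["cmdline"].lower().split()) + " "   # normalise spacing

    if image in ("net.exe", "net1.exe"):
        if " group " in cmd and " /domain " in cmd:
            return "discovery", "T1069.002"      # Domain Groups
        if " start " in cmd:
            return "discovery", "T1007"          # System Service Discovery
        return "discovery", "net"
    if image == "systeminfo.exe":
        return "discovery", "T1082"              # System Information Discovery
    if image == "tasklist.exe":
        return "discovery", "T1007" if " /svc " in cmd else "tasklist"
    if image in ("ipconfig.exe", "netstat.exe", "ping.exe"):
        return "discovery", image[:-4]
    if "lsadump::sam" in cmd:
        return "credential", "T1003.002"        # Security Account Manager via Mimikatz
    if image == "mimikatz.exe":
        return "credential", "mimikatz"
    if image == "ntdsutil.exe" and "ifm" in cmd:
        return "credential", "T1003.003"        # NTDS copied via an Install-From-Media snapshot
    return None, None


def detect(events):
    """Return discovery-burst alerts per (host, user) plus one alert per credential-dump event."""
    alerts = []
    by_actor = defaultdict(list)
    for ev in events:
        kind, label = classify(ev)
        if kind is None:
            continue
        if kind == "credential":
            alerts.append({"type": "credential_dump", "host": ev["host"], "user": ev["user"],
                           "technique": label, "ts": ev["ts"]})
        else:
            by_actor[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), label, ev["cmdline"]))

    for (host, user), rows in by_actor.items():
        rows.sort()
        i = 0
        while i < len(rows):
            start = rows[i][0]
            window = [r for r in rows[i:] if r[0] - start <= WINDOW]
            labels = {r[1] for r in window}
            if len(labels) >= MIN_DISTINCT:
                alerts.append({"type": "discovery_burst", "host": host, "user": user,
                               "start": start.isoformat(), "techniques": sorted(labels),
                               "commands": [r[2] for r in window]})
                i += len(window)     # one alert per burst, then keep scanning
            else:
                i += 1
    return alerts


# Constructed sample telemetry (not real events): one interactive discovery burst on WS01,
# a later SAM dump on the same host, and ordinary helpdesk activity on WS02.
SAMPLE_EVENTS = [
    {"ts": "2025-12-16T09:00:05", "host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": "2025-12-16T09:00:21", "host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2025-12-16T09:00:40", "host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": 'net group "domain admins" /domain'},
    {"ts": "2025-12-16T09:01:02", "host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist /svc"},
    {"ts": "2025-12-16T09:01:15", "host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\netstat.exe", "cmdline": "netstat -ano"},
    {"ts": "2025-12-16T09:01:30", "host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net start"},
    {"ts": "2025-12-16T09:12:00", "host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\Public\\m.exe", "cmdline": 'm.exe "privilege::debug" "lsadump::sam" exit'},
    {"ts": "2025-12-16T09:30:00", "host": "WS02", "user": "CORP\\helpdesk",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2025-12-16T09:31:00", "host": "WS02", "user": "CORP\\helpdesk",
     "image": "C:\\Windows\\System32\\ping.exe", "cmdline": "ping fileserver01"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying the burst on (host, user) rather than on parent process keeps the rule robust to operators who spawn each command from a fresh shell; the `lsadump::sam` match is on the command line rather than the binary name because a renamed Mimikatz (here `m.exe`) is the common case.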
Campaign (1)
- SPACEHOP Activity (attributed-to)