Threat Group-3390
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:14
- Updated at: 27/03/2026 01:14
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 84 attack patterns (MITRE), 21 malware, 12 sectors, 5 countries, 39 indicators, 5 vulnerabilities (CVE), 12 tools
Aliases
Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, APT27, Linen Typhoon, LuckyMouse
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Nccgroup Emissary Panda May 2018
- Gallagher 2015
- Securelist LuckyMouse June 2018
- Trend Micro Iron Tiger April 2021
- Trend Micro DRBControl February 2020
- mitre-attack (G0027)
- Hacker News LuckyMouse June 2018
- Dell TG-3390
- Microsoft Naming Conventions Frequently Updated
- SecureWorks BRONZE UNION June 2017
- Unit42 Emissary Panda May 2019
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- 1 CVE · 4 MITREs · 1 Malware · 20 Observables · 1 APT
Attack patterns (MITRE) (84)
- T1083 File and Directory Discovery (uses) · MITRE
- T1003.001 LSASS Memory (uses) · MITRE
- T1070 Indicator Removal (uses) · MITRE
- T1547 Boot or Logon Autostart Execution (uses) · MITRE
- T1074.001 Local Data Staging (uses) · MITRE
- T1199 Trusted Relationship (uses) · MITRE
- T1588.002 Tool (uses) · MITRE
- T1074.002 Remote Data Staging (uses) · MITRE
- T1112 Modify Registry (uses) · MITRE
- T1070.004 File Deletion (uses) · MITRE
- T1027.002 Software Packing (uses) · MITRE
- T1078 Valid Accounts (uses) · MITRE
Malware (21)
- Family
- TrojanSpy (uses) · Family
- AntSword (uses) · Family
- HTTPBrowser (uses)
- ValleyRAT (uses) · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- HyperBro (uses)
- Clambling (uses)
- Redline (uses) · Family
- China Chopper (uses) · Family
- MSIL/Webshell.JS (uses) · Family
- ASPXSpy (uses) · Family
- SysUpdate (uses)
Sectors (12)
- Manufacturing (targets)
- Telecommunications (targets)
- Government (targets)
- Aerospace (targets)
- Energy (targets)
- Banking institutions (targets)
- Retail (targets)
- Entertainment industry (targets)
- Construction (targets)
- Healthcare (targets)
- Media (targets)
- Defense (targets)
Countries (5)
- Philippines (targets)
- Germany (targets)
- Taiwan (targets)
- China (targets)
- France (targets)
Indicators (39)
- stix · 100/100 · Revoked · Valid until 03/06/2024 · Source: AlienVault
Vulnerabilities (CVE) (5)
Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successful exploitation could allow …
- Attack vector: Network
- Published: 22/07/2025
- Modified: 21/12/2025
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …
- Attack vector: Network
- Published: 21/07/2025
- Modified: 21/12/2025
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …
- Attack vector: Network
- Published: 20/07/2025
- Modified: 21/12/2025
Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote …
- Published: 03/11/2021
- Modified: 20/12/2025
Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …
- Attack vector: Network
- Published: 22/07/2025
- Modified: 21/12/2025
Tool (12)
- certutil (uses) · The MITRE Corporation · Confidence 100
  [certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
- ipconfig (uses) · The MITRE Corporation · Confidence 100
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- Net (uses) · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Windows Credential Editor (uses) · The MITRE Corporation · Confidence 100
  [Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)
- Systeminfo (uses) · The MITRE Corporation · Confidence 100
  [Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
- Tasklist (uses) · The MITRE Corporation · Confidence 100
  The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
- Impacket (uses) · The MITRE Corporation · Confidence 100
  [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
- gsecdump (uses) · The MITRE Corporation · Confidence 100
  [gsecdump](https://attack.mitre.org/software/S0008) is a publicly available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)
- NBTscan (uses) · The MITRE Corporation · Confidence 100
  [NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network. (Citation: Debian nbtscan Nov 2019) (Citation: SecTools nbtscan June…
- Mimikatz (uses) · The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- netstat (uses) · The MITRE Corporation · Confidence 100
  [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
- pwdump (uses) · The MITRE Corporation · Confidence 100
  [pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)