{
  "name": "New APT-Q-27 sample spotted",
  "slug": "new-apt-q-27-sample-spotted",
  "description": "A new campaign has been identified utilizing a valid digital signature from a Chinese technology company that remains unrevoked. The attack chain employs a dropper that retrieves an extension-based module list from command and control infrastructure. The malicious payloads exploit DLL Side-Loading techniques through a legitimate Tencent-signed executable to achieve code execution. The infrastructure includes Google Cloud Storage and a dedicated domain for command and control operations. Multiple components have been identified including an EXE dropper, DLL loader, DAT payload, and the legitimate Tencent executable used for side-loading purposes.",
  "published": "2026-06-17T08:46:02.049000+00:00",
  "created_at": "2026-06-17T09:20:59.300000+00:00",
  "modified_at": "2026-06-17T07:20:59+00:00",
  "created_at_opencti": "2026-06-17T09:20:59.300000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "apt-q-27",
    "chinese threat actor",
    "digital signature abuse",
    "dll side-loading",
    "dropper",
    "tencent"
  ],
  "tags": [
    "2026-06-17",
    "apt-q-27",
    "chinese threat actor",
    "digital signature abuse",
    "dll side-loading",
    "dropper",
    "tencent"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "04c25fd9-5fce-47cf-880d-5d5798099d1a",
        "name": "http://api.keensie.com:5198/"
      },
      {
        "id": "04b86c0a-85f2-470b-a06b-f34e23791988",
        "name": "api.keensie.com"
      }
    ],
    "intrusion_sets": [
      {
        "id": "7b52c667-8613-451d-b5b6-f33dd2201729",
        "name": "APT-Q-27",
        "slug": "apt-q-27"
      }
    ],
    "attack_patterns": [
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      }
    ],
    "observables": [
      {
        "id": "cda28e1a-8b52-4b2e-8299-9dd8d0c2be95",
        "name": "api.keensie.com"
      },
      {
        "id": "47755a42-87be-4960-8a37-4205eaf602a7",
        "name": "http://api.keensie.com:5198/"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "api.keensie.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "56436422-d77f-424a-94d7-d6e3cf1560dc",
      "standard_id": "external-reference--91bb6f71-9849-59f4-9fb1-b329c23c6e34",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a325eca53b232c21f5b84ff",
      "hash": null,
      "external_id": "6a325eca53b232c21f5b84ff",
      "created": "2026-06-17T09:20:56.658Z",
      "modified": "2026-06-17T09:20:56.658Z",
      "createdById": null
    },
    {
      "id": "13efa8cb-d396-4276-a66d-079641c420b4",
      "standard_id": "external-reference--cd8409bd-b7c6-552e-b2f1-74c0f506b04f",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://x.com/askardyuss/status/2066859258130665974",
      "hash": null,
      "external_id": null,
      "created": "2026-06-17T09:20:56.686Z",
      "modified": "2026-06-17T09:20:56.686Z",
      "createdById": null
    }
  ]
}