Comment Crew, also tracked as APT1, is a notorious state-sponsored cyber threat group from China. Attributed to Unit 61398 of the PLA General Staff Department's 3rd Department (its signals-intelligence arm), this advanced persistent threat group has left a deep footprint in cyber espionage history.
Active from at least 2006 until its public exposure in 2013, APT1 was responsible for over 140 confirmed intrusions into major U.S. and international companies, with a clear focus on stealing intellectual property and other sensitive corporate data.
APT1's reputation stems not only from the massive scope of its operations but also from its early use of stealthy command-and-control techniques, most infamously hiding operator commands inside HTML comments on otherwise ordinary-looking web pages, the method that gave the group its name.
Despite years of apparent inactivity after that exposure, recent campaigns reuse code and tradecraft associated with Comment Crew, suggesting its tooling and techniques are still in play today. The group is known by multiple aliases that share common operational signatures, including APT1, BrownFox, Byzantine Candor, Comment Panda, GIF89a, Shanghai Group, and TG-8223.
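The comment-hiding technique is easiest to understand from the defender's side: a beacon fetches a benign-looking page, and the tasking lives only in the comments a browser never renders. The following is an added example, not code from this page, from Cyble, or from any APT1 tool. The `fetch:<base64>` marker and the sample page are assumptions for illustration (APT1's real encoding is not documented here); the second, marker-agnostic check flags any comment that contains a base64 run decoding to printable text, which is the more useful heuristic when the marker is unknown.

```python
"""Pull operator tasking out of HTML comments, the way a defender would inspect
a page a beacon keeps fetching. Added example; the 'fetch:<base64>' marker and
the sample page are assumptions for illustration, not APT1's real encoding."""
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample page: two comments carry base64 tasking, two are benign.
SAMPLE_PAGE = """<html><head><title>Company News</title>
<!-- page generated 2010-03-02 -->
</head><body>
<p>Welcome to our news page.</p>
<!-- fetch:dGFza2xpc3QgL3N2Yw== -->
<!-- fetch:aXBjb25maWcgL2FsbA== -->
<!-- analytics id: 12345 -->
</body></html>
"""

# Assumed tasking format: a marker, then standard base64 with optional padding.
TASKING_RE = re.compile(r"^\s*fetch:([A-Za-z0-9+/]+={0,2})\s*$")
# Marker-agnostic heuristic: any base64-looking run of 16+ chars in a comment.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


class CommentCollector(HTMLParser):
    """HTMLParser subclass that records every <!-- --> comment it sees."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def _decode_printable(token):
    """Return the decoded text if token is valid base64 of printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def decode_tasking(comments):
    """Commands hidden behind the assumed marker, in page order."""
    commands = []
    for comment in comments:
        match = TASKING_RE.match(comment)
        if match:
            text = _decode_printable(match.group(1))
            if text is not None:
                commands.append(text)
    return commands


def suspicious_comments(comments):
    """Comments containing a decodable base64 run, regardless of marker."""
    flagged = []
    for comment in comments:
        for run in B64_RUN_RE.findall(comment):
            if _decode_printable(run) is not None:
                flagged.append(comment.strip())
                break
    return flagged


def scan_page(html):
    comments = extract_comments(html)
    return {
        "comment_count": len(comments),
        "commands": decode_tasking(comments),
        "suspicious": suspicious_comments(comments),
    }


if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
```

Run against a proxy capture of the pages an endpoint polls on a timer; pages whose only changing content is a comment, or whose comments decode to shell commands, deserve a closer look even when the marker format is unknown.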
Geographic Origins & Target Scope

Originating from the People’s Republic of China, APT1 has engaged in widespread international targeting across North America, Europe, Asia-Pacific, the Middle East, and parts of Africa. Countries impacted include the United States, Canada, Belgium, France, the UK, Norway, Switzerland, Luxembourg, Japan, South Korea, Taiwan, Singapore, India, Vietnam, Israel, the UAE, and South Africa.
Their operations have focused on high-value industries vital to national security and economic stability, including defense and aerospace, banking and finance, government and law enforcement, energy, healthcare, education, IT and telecommunications, manufacturing, mining, construction, media, food, agriculture, and logistics. While many assumed that Comment Crew had disbanded after its public exposure and the 2014 U.S. indictment of five Unit 61398 officers, the emergence of attacks resembling its hallmark tactics has reignited interest in the group.
Infection Vectors & Methods
APT1 has traditionally favored spear-phishing emails as its primary point of entry. These highly targeted messages carry malicious attachments, often ZIP archives containing an executable, disguised as legitimate business documents. Once opened, the attachment installs a backdoor capable of:
- System reconnaissance
- Credential dumping
- Command execution
- Lateral movement within the network
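The attachment pattern above (an archive or "document" that is really an executable) is cheap to triage at the mail gateway before anyone opens it. The following is an added example, not code from this page or from Cyble: it builds a constructed lure message in code, then checks each attachment for a PE header, an executable extension, a doc-style double extension (`report.pdf.exe`), an extension that disagrees with the file's magic bytes, and the same checks on the contents of any ZIP, with a size cap so a crafted archive cannot exhaust memory. The extension lists and size limit are illustrative assumptions.

```python
"""Triage email attachments for the spear-phishing pattern described above:
an archive or 'document' that is really an executable. Added example; the
message is constructed in code, and the lists and limits are illustrative."""
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # refuse to inflate larger entries (zip-bomb guard)
MAX_ARCHIVE_DEPTH = 2               # stop recursing into nested archives


def build_sample_eml():
    """Constructed lure: a zip whose 'report' is an .exe with a doc-like name."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("Q2_Financial_Report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        z.writestr("readme.txt", b"See the attached report.")
    msg = EmailMessage()
    msg["From"] = "accounts@example-partner.test"
    msg["To"] = "cfo@victim.test"
    msg["Subject"] = "Q2 Financial Report"
    msg.set_content("Please review the attached report before tomorrow's call.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Q2_Financial_Report.zip")
    return msg.as_bytes()


def triage_attachment(name, data, depth=0):
    """Findings for one attachment; recurses into zip archives up to a depth."""
    findings = []
    root, ext = os.path.splitext(name.lower())
    is_pe = data[:2] == b"MZ"
    if is_pe:
        findings.append("pe_magic")
    if ext in EXEC_EXTENSIONS:
        findings.append("executable_extension")
        if os.path.splitext(root)[1] in DOC_EXTENSIONS:
            findings.append("double_extension")      # report.pdf.exe
    if ext in DOC_EXTENSIONS and is_pe:
        findings.append("extension_mismatch")        # a 'pdf' that is a PE
    if ext == ".zip" and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_ENTRY_BYTES:
                        findings.append(f"zip:{info.filename}:oversized_entry")
                        continue
                    inner = triage_attachment(info.filename, z.read(info), depth + 1)
                    findings.extend(f"zip:{info.filename}:{f}" for f in inner)
        except zipfile.BadZipFile:
            findings.append("corrupt_archive")
    return findings


def triage_message(raw_bytes):
    """Map each attachment filename to its findings; an empty list means clean."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        report[name] = triage_attachment(name, part.get_payload(decode=True))
    return report


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_eml()).items():
        print(name, findings or "clean")
```

The magic-byte check matters more than the extension checks: a renamed executable passes every filename test, but its first two bytes do not change.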
They have also used fabricated sender identities and social engineering to build trust with targets or convince them to take further action. After gaining initial access, the operators rely on scripting interpreters and command-line shells, such as:
- PowerShell
- Unix shells
- Python
- JavaScript
These tools allow them to download payloads, execute system commands, and manage compromised devices remotely.
Evasion and Persistence Techniques
APT1 is adept at blending in with legitimate activity, typically by:
- Renaming malware to mimic trusted system files
- Disguising traffic through VPNs, proxies, or cloud services
- Reusing saved credentials, session tokens, and password hashes
They are particularly known for "pass-the-hash" attacks, in which a stolen NTLM hash is presented directly to authenticate to other hosts, so the attacker moves through the network without ever recovering the cleartext password.
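Because the hash is the credential, pass-the-hash leaves no failed logons to alert on; what it does leave is a distinctive shape in Windows Security 4624 events. The block below is an added example, not code from this page or from Cyble, and the event records are constructed. It applies three widely used heuristics, each a labelled assumption rather than an APT1-specific indicator: a LogonType 9 session created through `seclogo` with Negotiate (how injected credentials appear on the source host; `runas /netonly` produces the same signature, so baseline it), a LogonType 3 NTLM logon with `LmPackageName` "NTLM V1", `KeyLength` 0 and an empty subject SID on the target, and one account authenticating over NTLM from one source address to several hosts within a few minutes.

```python
"""Flag pass-the-hash style logons in Windows Security 4624 events. Added
example; the records below are constructed and the heuristics are common
detection rules, not APT1-specific indicators."""
from collections import defaultdict
from datetime import datetime, timedelta


def _logon(t, computer, user, logon_type, proc, auth, lm="-", key_length=128,
           ip="-", workstation="-", subject_sid="S-1-0-0"):
    """Build a 4624 record using the field names of the Security log."""
    return {"TimeCreated": t, "EventID": 4624, "Computer": computer,
            "TargetUserName": user, "LogonType": logon_type,
            "LogonProcessName": proc, "AuthenticationPackageName": auth,
            "LmPackageName": lm, "KeyLength": key_length, "IpAddress": ip,
            "WorkstationName": workstation, "SubjectUserSid": subject_sid}


# Constructed sample: a hash injected on WS01, then replayed to four servers.
SAMPLE_EVENTS = [
    _logon("2024-05-01T09:00:00", "WS01", "svc_backup", 9, "seclogo", "Negotiate",
           ip="::1", workstation="WS01", subject_sid="S-1-5-21-1-2-3-1001"),
    _logon("2024-05-01T09:01:10", "SRV01", "svc_backup", 3, "NtLmSsp", "NTLM",
           "NTLM V1", 0, "10.0.0.15", "WS01"),
    _logon("2024-05-01T09:01:40", "SRV02", "svc_backup", 3, "NtLmSsp", "NTLM",
           "NTLM V1", 0, "10.0.0.15", "WS01"),
    _logon("2024-05-01T09:02:05", "SRV03", "svc_backup", 3, "NtLmSsp", "NTLM",
           "NTLM V1", 0, "10.0.0.15", "WS01"),
    _logon("2024-05-01T09:02:50", "SRV04", "svc_backup", 3, "NtLmSsp", "NTLM",
           "NTLM V1", 0, "10.0.0.15", "WS01"),
    # Benign: a Kerberos network logon and an interactive console logon.
    _logon("2024-05-01T09:03:00", "SRV05", "jsmith", 3, "Kerberos", "Kerberos",
           ip="10.0.0.22", workstation="WS07"),
    _logon("2024-05-01T09:04:00", "WS07", "jsmith", 2, "User32", "Negotiate",
           ip="127.0.0.1", workstation="WS07", subject_sid="S-1-5-18"),
]


def detect_pass_the_hash(events, window=timedelta(minutes=5), fanout=3):
    """Return alerts from three heuristics:
    1. LogonType 9 via 'seclogo' with Negotiate: a logon session created with
       injected credentials on the source host (runas /netonly looks the same).
    2. LogonType 3 NTLM with LmPackageName 'NTLM V1', KeyLength 0 and an empty
       subject SID: the classic PtH signature on the target host.
    3. One account authenticating over NTLM from one source IP to >= fanout
       distinct hosts inside the window: the hash replayed for lateral movement.
    """
    alerts = []
    ntlm_by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] != 4624:
            continue
        when = datetime.fromisoformat(e["TimeCreated"])
        if (e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo"
                and e["AuthenticationPackageName"] == "Negotiate"):
            alerts.append({"rule": "pth_injected_logon_session",
                           "host": e["Computer"], "user": e["TargetUserName"]})
        if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM":
            if (e["LmPackageName"] == "NTLM V1" and e["KeyLength"] == 0
                    and e["SubjectUserSid"] == "S-1-0-0"
                    and e["TargetUserName"].upper() != "ANONYMOUS LOGON"):
                alerts.append({"rule": "pth_ntlmv1_keylength0",
                               "host": e["Computer"], "user": e["TargetUserName"],
                               "source": e["IpAddress"]})
            ntlm_by_actor[(e["TargetUserName"], e["IpAddress"])].append(
                (when, e["Computer"]))
    for (user, ip), hits in ntlm_by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {host for when, host in hits[i:] if when - start <= window}
            if len(hosts) >= fanout:
                alerts.append({"rule": "ntlm_lateral_fanout", "host": ip,
                               "user": user, "targets": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_pass_the_hash(SAMPLE_EVENTS):
        print(alert)
```

The fan-out rule is the one that survives tooling changes: whichever implementation replays the hash, the account still has to authenticate to every host it touches, and that pattern shows up on the domain controllers and target hosts even when the source endpoint is unmonitored.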
Discovery and Reconnaissance
Once inside a target environment, the group conducts extensive internal mapping of the infrastructure:
- Identifying running services, user accounts, shared folders, and network topology
- Surveying security tools in place
- Pinpointing high-value systems for privilege escalation or data theft
This strategic approach allows them to prioritize lateral movement and long-term persistence.
Arsenal of Malware

APT1’s toolkit spans at least 39 known malware families, ranging from backdoors and droppers to reconnaissance tools and data exfiltration utilities. Some prominent examples include:
- Credential Theft Tools: Mimikatz, pwdump, Cachedump, ProcDump, Pass-the-Hash Toolkit
- Backdoors & Remote Access: Auriga, BISCUIT, Kurton, Helauto, MiniASP, Sword, ShadyRAT, StarsyPound
- Exfiltration and Info Stealers: GDOCUPLOAD, GetMail, MAPIget
- Lightweight Backdoors & Reconnaissance Implants: Oceansalt (a 2018 implant that reused APT1-era code), GREENCAT, WARP, Hackfase, Dairy
- Droppers & Downloaders: GLASSES, GOGGLES, LIGHTDART, ManItsMe
Conclusion
Though Comment Crew (APT1) may have gone underground, its tactics live on in modern Chinese cyber operations, continuing to threaten critical sectors like defense, tech, and manufacturing. These threats may evolve in name but remain focused on infiltration and data theft.
To stay protected, organizations need proactive, intelligence-led defense. Cyble offers a unified platform combining real-time threat monitoring, vulnerability management, and AI-driven insights to detect, disrupt, and defend against advanced threats.
Schedule a free demo and partner with Cyble today!
Defense and Mitigation Strategies
To defend against advanced groups like Comment Crew:
- Harden Email Security: Train staff to spot phishing and implement advanced spam filters.
- Limit Credential Exposure: Disable unnecessary admin accounts and enforce least privilege.
- Patch Systems Promptly: Apply OS and third-party updates quickly to close known, exploited vulnerabilities.
- Monitor Behavior: Use EDR tools to detect abnormal scripting, credential dumps, and lateral movement.
- Use Multi-Factor Authentication: Prevent unauthorized access using MFA across endpoints and VPNs.
- Hunt for Persistence: Regularly audit services, registry keys, and scheduled tasks for anomalies.
- Isolate and Monitor High-Risk Devices: Especially those in R&D, finance, or with privileged access.
MITRE ATT&CK Techniques Associated with Comment Crew

- Masquerading (T1036): Naming malware after trusted system files, altering its metadata, or placing it in legitimate-looking paths so it appears benign to users and automated defenses; APT1 routinely matched legitimate file names (T1036.005).
- Use Alternate Authentication Material (T1550): Authenticating with stolen password hashes, Kerberos tickets, or access tokens instead of passwords lets attackers bypass normal logon controls and move laterally; APT1's pass-the-hash activity maps to T1550.002. The material is harvested from memory or disk through credential dumping.
- OS Credential Dumping (T1003): Extracting stored credentials (plaintext or hashed) from systems enables lateral movement and access to restricted data, often using tools like Mimikatz, gsecdump, and others.
- System Service Discovery (T1007): Gathering information about local services using commands like sc query, tasklist /svc, or systemctl helps adversaries assess the infection scope and plan their next steps.
- System Network Configuration Discovery (T1016): Identifying network settings such as IP/MAC addresses and routes using tools like ipconfig, ifconfig, arp, nbtstat, and route helps adversaries understand the network and shape their attack path.
- System Network Connections Discovery (T1049): Querying current network connections to and from compromised systems reveals network behavior, potential pivot points, and access targets.
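Taken one at a time, the discovery commands behind T1007, T1016 and T1049 are things administrators run every day; what gives an intruder away is the burst of several different discovery techniques from one account on one host within a few minutes, the internal mapping described in the Discovery and Reconnaissance section above. The block below is an added example, not code from this page or from Cyble. It classifies constructed process-creation records (Sysmon Event 1 or Security 4688 style fields, with `UtcTime`, `Computer`, `User` and `CommandLine` as the assumed field names) against the ATT&CK discovery techniques listed above, plus T1057 (process discovery), T1087 (account discovery) and T1135 (network share discovery), and raises an alert when a sliding window covers three or more distinct techniques.

```python
"""Spot a reconnaissance burst in process-creation telemetry. Added example;
the records are constructed, the field names are assumed, and the command
patterns follow the ATT&CK discovery techniques discussed above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ATT&CK discovery techniques keyed by the command lines that implement them.
DISCOVERY_SIGNATURES = [
    ("T1007", re.compile(r"\bsc(\.exe)?\s+query\b|\btasklist(\.exe)?\s+/svc\b|\bsystemctl\s+list-units\b")),
    ("T1016", re.compile(r"\bipconfig(\.exe)?\b|\bifconfig\b|\barp(\.exe)?\s+-a\b|\broute(\.exe)?\s+print\b|\bnbtstat(\.exe)?\b")),
    ("T1049", re.compile(r"\bnetstat(\.exe)?\b|\bnet(\.exe)?\s+(use|session)\b")),
    ("T1057", re.compile(r"\btasklist(\.exe)?\b|\bps\s+(-ef|aux)\b")),
    ("T1087", re.compile(r"\bnet(\.exe)?\s+(user|group|localgroup)\b")),
    ("T1135", re.compile(r"\bnet(\.exe)?\s+(view|share)\b")),
]

CMD = "C:\\Windows\\System32\\cmd.exe"


def _proc(t, computer, user, parent, cmdline):
    """A constructed process-creation record."""
    return {"UtcTime": t, "Computer": computer, "User": user,
            "ParentImage": parent, "CommandLine": cmdline}


# Constructed sample: a six-command sweep on WS01; routine one-offs elsewhere.
SAMPLE_EVENTS = [
    _proc("2024-05-01T09:00:00", "WS01", "CORP\\jdoe", CMD, "ipconfig /all"),
    _proc("2024-05-01T09:00:12", "WS01", "CORP\\jdoe", CMD, "net view"),
    _proc("2024-05-01T09:00:30", "WS01", "CORP\\jdoe", CMD, "tasklist /svc"),
    _proc("2024-05-01T09:00:45", "WS01", "CORP\\jdoe", CMD, "sc query"),
    _proc("2024-05-01T09:01:05", "WS01", "CORP\\jdoe", CMD, "netstat -ano"),
    _proc("2024-05-01T09:01:20", "WS01", "CORP\\jdoe", CMD, "net user /domain"),
    _proc("2024-05-01T09:30:00", "WS02", "CORP\\helpdesk", CMD, "ipconfig /all"),
    _proc("2024-05-01T10:00:00", "WS03", "CORP\\ops", CMD, "net user"),
    _proc("2024-05-01T10:50:00", "WS03", "CORP\\ops", CMD, "netstat -an"),
    _proc("2024-05-01T11:00:00", "WS01", "CORP\\jdoe", CMD, "notepad.exe notes.txt"),
]


def classify(cmdline):
    """Sorted ATT&CK technique IDs a command line implements (may be several)."""
    text = cmdline.lower()
    return sorted(tid for tid, rx in DISCOVERY_SIGNATURES if rx.search(text))


def detect_discovery_bursts(events, window=timedelta(minutes=5), min_techniques=3):
    """One alert per (host, user) whose commands within any window of the given
    length span at least min_techniques distinct discovery techniques."""
    by_actor = defaultdict(list)
    for e in events:
        techs = classify(e["CommandLine"])
        if techs:
            by_actor[(e["Computer"], e["User"])].append(
                (datetime.fromisoformat(e["UtcTime"]), e["CommandLine"], techs))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            burst = [h for h in hits[i:] if h[0] - start <= window]
            techs = sorted({t for _, _, ts in burst for t in ts})
            if len(techs) >= min_techniques:
                alerts.append({"host": host, "user": user,
                               "start": start.isoformat(), "techniques": techs,
                               "commands": [c for _, c, _ in burst]})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct techniques rather than raw command volume is what keeps the false-positive rate tolerable: a help-desk technician running `ipconfig /all` twenty times is one technique, while an operator mapping services, routes, connections, accounts and shares in ninety seconds is five.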