APT 20 Threat Actor | Cyble

Threat Actor Profile: APT 20

APT 20, a highly capable cyber threat actor linked to China, has gained a notorious reputation for its use of strategic web compromises—commonly known as watering hole attacks. By compromising websites frequently visited by their intended victims, the group quietly installs malware and gathers valuable intelligence. Unlike more overt attacks, APT 20 prioritizes stealth and precision, making it a particularly dangerous actor in the global cyber-espionage ecosystem. 

Attributed to the Asia-Pacific (APAC) region, specifically China, APT 20, also known as Crawling Taurus, TH3Bug, and VIOLIN PANDA, has been active across multiple continents. Its cyber operations have affected targets in Brazil, China, Germany, Spain, France, the UK, Italy, Mexico, Portugal, Thailand, and the United States, showing a broad geopolitical interest. The group reportedly has affiliations with other Chinese threat groups such as Axiom (also known as Group 72).

Figure: Cyble Vision Threat Library (Source: Cyble Vision)

APT 20’s approach deviates from conventional phishing methods by exploiting trust in legitimate digital environments. Their tactics have successfully infiltrated sensitive networks via websites frequented by targeted communities, including but not limited to ethnic minority portals. 

APT 20’s diverse range of targets across industries indicates a clear focus on intelligence gathering over financial gain. The group has been linked to cyber operations against sectors such as aerospace and defense, banking and financial services, healthcare, pharmaceuticals, technology, telecommunications, energy, utilities, education, construction, government, law enforcement, and transportation.  

Infiltration and Evading Detection 

APT 20 employs a range of tactics to gain access to systems, evade detection, collect sensitive information, and exfiltrate it securely. One of their primary methods of entry is through drive-by compromises, where malicious code is embedded into legitimate websites. Unsuspecting users visiting these sites are tricked into downloading malware, often targeting specific industries or communities of interest. 

To bypass security defenses, APT 20 takes advantage of built-in features in operating systems that allow them to escalate privileges and gain administrative control. They are known to sidestep user account controls and manipulate system authentication processes, allowing them to access systems without needing valid credentials. In some cases, they tamper with multi-factor authentication systems, disabling them or exploiting misconfigurations to bypass security protocols. 

Once inside a network, the group conducts extensive searches of local files and directories to locate valuable data. This information is then gathered and moved to temporary storage areas within the system to prepare it for extraction. For exfiltration, APT 20 uses encrypted communication channels, blending malicious traffic with normal network activity to avoid detection and ensure the secure transmission of stolen data.

Custom and Repurposed Malware Arsenal 

Figure: Malware Families Used by the APT 20 Threat Actor (Source: Cyble Vision)

APT 20 is known to deploy a suite of well-known and effective malware families. These tools are typically open-source or dual-use, originally developed for penetration testing but co-opted for malicious purposes. 

Reconnaissance Tools 

  • BloodHound & SharpHound: Used for mapping Active Directory (AD) environments. These tools help uncover hidden privileges, group memberships, and attack paths within enterprise networks. 

Credential Theft Tools 

  • KeeThief: Extracts encryption keys from KeePass databases. 
  • Kerberoast: Targets weak service account passwords in Kerberos environments. 
  • Mimikatz: Extracts plaintext credentials and Kerberos tickets from Windows systems. 
  • ProcDump: Normally a diagnostics tool, it’s repurposed to dump memory from credential-rich processes. 

Remote Command Execution 

  • PsExec & SMBExec: Utilities for executing commands across networks, enabling lateral movement while evading detection. 

Compression for Exfiltration 

  • WinRAR: Legitimate compression software leveraged to archive stolen data. The group has been observed exploiting known vulnerabilities to run arbitrary code through malicious archive files. 

Remote Access Trojans (RATs) 

  • Poison Ivy: A well-known RAT offering full remote control of compromised systems. 

Shared Tactics Across Threat Ecosystem 

APT 20’s tactics and toolsets overlap with numerous other state-linked groups. These include APT29, FIN11, Chimera, Lazarus Group, Mustang Panda, Operation Wocao, and many others. This convergence of methodology indicates a shared toolbox or playbook among advanced threat actors, possibly sourced from underground forums or developed through state-sponsored collaboration. 

The targeting of politically sensitive groups and high-value industries suggests APT 20 is not a financially motivated cybercrime operation. Instead, their behavior aligns with long-term cyber-espionage campaigns aimed at geopolitical surveillance, intellectual property theft, and strategic disruption. 

Conclusion 

APT 20 is a stealthy and persistent cyber threat, targeting a wide range of industries through advanced techniques like watering hole attacks and credential theft. Their tactics, ideologies, and unwavering commitment to cyber-espionage highlight the need for proactive, intelligence-led cybersecurity.

Cyble’s AI-powered threat intelligence platforms—like Cyble Vision and Cyble Titan—equip organizations with real-time insights, dark web monitoring, and advanced attack surface management. By leveraging Cyble’s threat intelligence solutions, businesses can detect threats early, reduce exposure, and stay protected from hacking collectives like APT 20.


Mitigations and Recommendations 

Due to APT 20’s advanced methods and ability to operate under the radar, traditional security measures alone are rarely effective. As a result, organizations should consider the following proactive steps: 

  • Utilize EDR solutions capable of identifying and blocking sophisticated threats at the endpoint level. 
  • Lock down browser settings to minimize exploitation risks and implement strict web content filtering to block access to malicious or compromised sites used in watering hole attacks. 
  • Regularly update all software and systems, especially those exposed to the internet, to eliminate known vulnerabilities that can be exploited for initial access. 
  • Regularly assess your Active Directory environment to identify misconfigurations, over-permissioned accounts, and potential paths for privilege escalation. 
  • Keep a close watch on the use of command-line and remote execution tools. Abnormal or unauthorized use may indicate internal reconnaissance or lateral movement by attackers. 
  • Integrate Cyble’s advanced threat intelligence platforms, like Cyble Vision, to gain real-time visibility into threat actor tactics, exposed assets, and external risks.  
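As an added illustration of the "keep a close watch on command-line and remote execution tools" recommendation (example code written for this page, not Cyble's or any vendor's detection content), the Python below runs a few rules over constructed process-creation records keyed on the tools named in this profile: ProcDump aimed at lsass, PsExec's service binary, SharpHound, and WinRAR used to stage an archive. The record field names and all sample values are assumptions, and the rules are deliberately simple starting points rather than production detections.

```python
# Constructed Sysmon-style process-creation events (Event ID 1); field names are an assumed, simplified schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Tools\pd64.exe",  # renamed ProcDump copy
     "cmdline": r"pd64.exe -accepteula -ma lsass.exe C:\Tools\out.dmp", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "dc01", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws02", "user": "CORP\\svc-backup", "image": r"C:\Users\Public\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All --zipfilename ad.zip", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "user": "CORP\\svc-backup", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -hpS3cr3t C:\Windows\Temp\s.rar C:\Users\Public\stage",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "user": "CORP\\admin", "image": r"C:\Program Files\WinRAR\Rar.exe",  # benign backup
     "cmdline": r"Rar.exe a D:\backup.rar D:\Projects", "parent": r"C:\Windows\explorer.exe"},
]

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]

def rule_lsass_dump(e):
    # Key on the target argument, not the binary name, so a renamed ProcDump copy still matches.
    t = e["cmdline"].lower().split()
    return "lsass.exe" in t and ("-ma" in t or "-mp" in t or _base(e["image"]).startswith("procdump"))

def rule_psexec_service(e):
    # PsExec installs a temporary service on the target; services.exe launches PSEXESVC.exe.
    return _base(e["image"]) == "psexesvc.exe" and _base(e["parent"]) == "services.exe"

def rule_sharphound(e):
    return "sharphound" in (e["image"] + " " + e["cmdline"]).lower()

def rule_rar_staging(e):
    # "rar a" with an encrypted-header switch (-hp) or an archive written under a Temp directory.
    t = e["cmdline"].lower().split()
    return (_base(e["image"]) in ("rar.exe", "winrar.exe") and len(t) > 1 and t[1] == "a"
            and (any(x.startswith("-hp") for x in t) or "\\temp\\" in e["cmdline"].lower()))

RULES = [("lsass_dump", rule_lsass_dump), ("psexec_service", rule_psexec_service),
         ("sharphound_collection", rule_sharphound), ("rar_staging", rule_rar_staging)]

def evaluate(events):
    """One alert per (event, rule) match; the benign backup archive on ws03 produces none."""
    return [{"host": e["host"], "user": e["user"], "rule": name}
            for e in events for name, pred in RULES if pred(e)]

def hosts_with_multiple_stages(alerts):
    """Hosts where more than one distinct rule fired: a stronger signal than any single hit."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) > 1)
```

Correlating distinct rules per host (here ws02 shows both AD collection and archive staging) is what separates an intrusion in progress from a lone administrator running a legitimate tool.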

MITRE ATT&CK Techniques Associated with APT 20

Figure: MITRE ATT&CK (Source: Cyble Vision)

  • Drive-by Compromise (T1189): Adversaries gain access when users visit compromised or malicious websites. 
  • Abuse Elevation Control Mechanism (T1548): Exploits native OS privilege elevation controls to gain higher permissions. 
  • Bypass User Account Control (UAC) (T1548.002): Bypass Windows UAC to elevate privileges without user prompts. 
  • Modify Authentication Process (T1556): Alter authentication mechanisms (LSASS, SAM, PAM, macOS plugins) to bypass access controls and maintain persistence on systems and services (VPN, RDP, web access).
  • Multi-Factor Authentication (MFA) Modification (T1556.006): Disable or alter MFA to maintain long-term access. 
  • Data from Local System (T1005): Search local files, databases, and configs for sensitive data. 
  • Data Staged (T1074): Consolidate data in a central location before exfiltration. 
  • Exfiltration Over C2 Channel (T1041): Send stolen data via existing command and control communication channels. 