What country is Velvet Ant from?

Velvet Ant is attributed to China. Also known as: None publicly documented.

Velvet Ant - MITRE G1047 Threat Profile | Skuggaheimar

Chinese group maintaining years-long persistence in F5 BIG-IP and other network appliances, demonstrating exceptional operational stealth. This profile is mapped to MITRE ATT&CK G1047 and covers attribution, tooling, targeting, and defensive recommendations based on observed campaigns.

Overview & Attribution

Velvet Ant (also tracked as None publicly documented) is a threat group attributed to China. The group primarily targets Large organizations, network devices for intelligence collection and operational objectives aligned with state interests.

MITRE ATT&CK Reference

This group is tracked as G1047 in the MITRE ATT&CK framework. All techniques referenced in this report are mapped to ATT&CK for consistent threat modeling and detection engineering.

Arsenal & Tools

Known tools and malware associated with Velvet Ant include:

PlugX
custom implants for network devices

Targeting & Operations

Velvet Ant operations focus on Large organizations, network devices. The group typically gains initial access through spear-phishing, exploitation of public-facing applications, or strategic web compromises before deploying custom implants for persistent access and data exfiltration.

Targeting Advisory

Organizations in the Large organizations sector should treat Velvet Ant as a relevant threat and validate their detection coverage against the MITRE ATT&CK techniques listed below.

MITRE ATT&CK Mapping

Key techniques observed in Velvet Ant operations:

Technique ID	Technique Name	Tactical Context
T1190	T1190	Observed in Velvet Ant campaigns
T1059.001	T1059.001	Observed in Velvet Ant campaigns
T1027	T1027	Observed in Velvet Ant campaigns
T1078	T1078	Observed in Velvet Ant campaigns

Full ATT&CK mapping: https://attack.mitre.org/groups/G1047/

Notable Campaigns

This threat group has been active in operations targeting Large organizations, network devices. Security researchers have documented campaigns involving PlugX and other tools deployed against organizations in multiple countries. Attribution confidence varies by campaign, but consistent infrastructure and TTP overlap links activity to China-nexus operations.

Detection & Defense

Recommended defensive measures against Velvet Ant:

Network monitoring: Detect C2 beaconing patterns associated with PlugX and related implants
Endpoint detection: Deploy behavioral rules for the ATT&CK techniques above, particularly T1190 and T1059.001
Email security: Implement robust phishing defenses including URL sandboxing and attachment detonation
Patch management: Prioritize patching of internet-facing applications exploited by this group
Threat hunting: Proactively hunt for IOCs and behavioral indicators mapped to G1047 in MITRE ATT&CK

How Mjolnir Security Can Help

Defend Against Velvet Ant

Mjolnir Security provides tailored threat intelligence, detection engineering, and incident response services to help organizations defend against China-nexus threat actors.

Threat Intelligence Detection Engineering Incident Response Red Team Assessment Threat Hunting

Contact us: mjolnirsecurity.com

Written by: Mjolnir Security  |  Published: January 04, 2026

Overview & Attribution

Arsenal & Tools

Targeting & Operations

MITRE ATT&CK Mapping

Notable Campaigns

Detection & Defense

How Mjolnir Security Can Help

Defend Against Velvet Ant

All APT Group Profiles

Full Threat Intelligence Catalog