The Hidden Lynx: APT17

Threat Intelligence Tarot

Vol. II · 109

China

G0025

★★★★★

risk 4/5

✦ The Hidden Lynx ✦

APT17

Aurora Panda · Deputy Dog · Hidden Lynx · Tailgater Team

DefenseTechnologyFinanceGovernmentSecurity industry

Active since ~2009 · Espionage, Intellectual property theft, Contract cyber operations

The Hidden Lynx hunts upstream. It does not breach the fortress — it poisons the road, the well, the seller of swords. By the time the defenders meet it, they are already drinking from its cup.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1189

Drive-by Compromise

Initial Access

T1203

Exploitation for Client Execution

Execution

T1071.001

Web Protocols

Command and Control

T1027

Obfuscated Files or Information

Defense Evasion

T1078

Valid Accounts

Persistence

T1105

Ingress Tool Transfer

Command and Control

Notable Operations

◆Operation Aurora (2010, jointly attributed)
◆DeputyDog campaign (2013)
◆Bit9 trust certificate breach (2013)
◆9002 RAT and Naid backdoor deployments

Defenses

▸
Code-signing certificate protection with HSM and air-gapped keys
NIST SP 800-57 ↗
▸
Browser hardening and isolation for high-risk users
CIS Control 9 ↗
▸
Watering-hole detection via web filtering and URL reputation
NIST CSF: DE.CM ↗
▸
Supply chain risk management for security vendors and signed binaries
NIST CSF: ID.SC ↗

Reversed: Their Weakness

The Bit9 breach exposed APT17's pattern: compromise the security vendor, sign the malware, walk through the front door. Once defenders treat security tooling as a high-trust target, that elegance evaporates.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Numbered Scribe Next →The Counting House

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.