The Emissary: APT27

Threat Intelligence Tarot

Vol. II · 111

China (MSS Hubei State Security Department)

G0027

★★★★★

risk 4/5

✦ The Emissary ✦

APT27

Emissary Panda · Bronze Union · LuckyMouse · Iron Tiger · TG-3390

AerospaceDefenseGovernmentTechnologyThink tanksHong Kong

Active since ~2010 · Espionage, Industrial intelligence, Diplomatic surveillance

The Emissary arrives with credentials older than the system administrator's tenure. It does not request access — it demonstrates that access was always its by right of who it serves.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1190

Exploit Public-Facing Application

Initial Access

T1505.003

Web Shell

Persistence

T1071.001

Web Protocols

Command and Control

T1027

Obfuscated Files or Information

Defense Evasion

T1003.001

LSASS Memory

Credential Access

T1078

Valid Accounts

Persistence

Notable Operations

◆HyperBro and SysUpdate backdoor campaigns
◆ZxShell remote administration tool deployments
◆Targeting of Hong Kong universities and political organizations (2019-2020)
◆ICAO compromise via supply-chain pivot (2016)

Defenses

▸
Continuous web shell scanning of internet-facing servers
NIST CSF: DE.CM ↗
▸
Egress proxy with full TLS inspection and DNS filtering
CIS Control 12 ↗
▸
Credential Guard and LSASS protection on Windows endpoints
CIS Control 5 ↗
▸
Externally-facing application patching SLAs of 14 days or less
CIS Control 7 ↗

Reversed: Their Weakness

Web-shell hygiene and outbound proxy filtering close the doors this emissary prefers. Without long-lived footholds in middleware, its patience earns nothing.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Counting House Next →The Decade Patient

Related Adversaries

The Tower of Sparrows

The Throne of Drivers

GhostEmperor

4 shared TTPs

★★★★★

Data sourced from MITRE ATT&CK. For educational purposes.