The Vanished Hand: APT3

Threat Intelligence Tarot

Vol. II · 107

China (MSS Boyusec contractor)

G0022

★★★★★

risk 4/5

✦ The Vanished Hand ✦

APT3

Buckeye · UPS Team · Gothic Panda · TG-0110

DefenseTelecommunicationsHong Kong dissidentsUS technology firms

Active since ~2010 · Espionage, Capability acquisition

The Vanished Hand collected exploits the way royal physicians once collected venoms — quietly, methodically, with full state backing. When attribution closed in, the operators dissolved into the MSS structure they had always served.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1190

Exploit Public-Facing Application

Initial Access

T1203

Exploitation for Client Execution

Execution

T1059.001

PowerShell

Execution

T1078

Valid Accounts

Persistence

T1027

Obfuscated Files or Information

Defense Evasion

T1041

Exfiltration Over C2 Channel

Exfiltration

Notable Operations

◆Operation Clandestine Wolf (Internet Explorer 0-day, 2015)
◆Boyusec / Wu Yingzhuo / Dong Hao DOJ indictment (2017)
◆Hong Kong pro-democracy targeting
◆Repurposed NSA EternalSynergy exploit (2016-2017)

Defenses

▸
Patch management with priority for browser and document handlers
CIS Control 7 ↗
▸
Application allowlisting on workstations
CIS Control 2 ↗
▸
Threat intelligence integration tracking nation-state contractor TTPs
NIST CSF: DE.AE ↗
▸
Phishing-resistant MFA on remote access
NIST SP 800-63B ↗

Reversed: Their Weakness

Operations security failures gave investigators the seams: shared infrastructure, reused exploits, and a single criminal front company linking everything to MSS Guangzhou. The 2017 DOJ indictment was their final public exposure.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Unmasked Next →The Numbered Scribe

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.