Threat Intelligence Tarot
Vol. II · 85
China (PLA-affiliated, Taiwan operations)
G0098
risk 3/5
The Circuit Phantom
BlackTech
Palmerworm · TEMP.Overboard · Circuit Panda
Technology · Government · Defense · Electronics · Taiwan · Japan · US subsidiaries
Active since ~2010 · Espionage, Intellectual property theft
The Circuit Phantom does not force doors open but instead becomes the door itself, embedding within routers and firmware until the network is indistinguishable from its presence. It is the infrastructure.
Tactics & Techniques
  • T1059.003 · Windows Command Shell · Execution
  • T1027 · Obfuscated Files or Information · Defense Evasion
  • T1547.001 · Registry Run Keys / Startup Folder · Persistence
  • T1105 · Ingress Tool Transfer · Command and Control
  • T1021.001 · Remote Desktop Protocol · Lateral Movement
  • T1195.003 · Compromise Hardware Supply Chain · Initial Access
  • T1083 · File and Directory Discovery · Discovery
Notable Operations
  • Router firmware backdoor campaign (NSA/CISA advisory 2023)
  • Targeting of US company subsidiaries via Japan offices
  • Taiwan semiconductor firm intrusions
  • Long-term persistent access operations spanning years
Defenses
Reversed: Their Weakness
Its firmware implants require physical hardware replacement to fully remediate. Network defenders who monitor router configuration integrity and enforce firmware signing eliminate its most persistent foothold.

Data sourced from MITRE ATT&CK. For educational purposes.