Threat Intelligence Tarot
Vol. II · 114
China
G0004
risk 4/5
The Vixen Courtier
Ke3chang
Vixen Panda · APT15 · Mirage · Royal APT · Playful Dragon · Nickel
Foreign ministries · Energy · Defense · European governments · Latin American diplomatic targets
Active since ~2010 · Diplomatic espionage, Foreign policy intelligence
The Vixen Courtier slips between chancelleries the way rumor slips between dinners — never seen entering, somehow always there when the dispatch is read aloud.
Tactics & Techniques
  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1059.003 Windows Command Shell (Execution)
  • T1071.001 Web Protocols (Command and Control)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1056.001 Keylogging (Collection)
  • T1090 Proxy (Command and Control)
Notable Operations
  • European Ministries of Foreign Affairs intrusions (2013)
  • Mirage, Ketrican, Okrum, and RoyalDNS malware families
  • UK government service provider supply-chain compromise (2017)
  • Microsoft DCU domain seizure operation (December 2021)
Defenses
Reversed: Their Weakness
Microsoft's coordinated 42-domain takedown in late 2021 crippled this courtier's command infrastructure overnight. Coordinated civil action against C2 sprawl is its most consistent counter.
Data sourced from MITRE ATT&CK. For educational purposes.