Threat Intelligence Tarot
Vol. II · 113
China (PLA Chengdu Military Region, 2TRB Unit 78020)
G0019
risk 4/5
The Southern Tide
Naikon
Lotus Panda · PLA Unit 78020 · Hellsing-adjacent
South China Sea claimants · ASEAN militaries · Diplomatic missions · Foreign ministries
Active since ~2010 · Regional military intelligence, South China Sea geopolitics
The Southern Tide rises in the disputed waters and never quite recedes. Where territorial lines move on maps drawn in Beijing, this tide laps at the foreign ministries that would draw them differently.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1566.001 · Spearphishing Attachment
    Initial Access
  • T1059.003 · Windows Command Shell
    Execution
  • T1547.001 · Registry Run Keys
    Persistence
  • T1027 · Obfuscated Files or Information
    Defense Evasion
  • T1056.001 · Keylogging
    Collection
  • T1041 · Exfiltration Over C2 Channel
    Exfiltration
Notable Operations
  • South China Sea regional dispute intelligence gathering
  • RainyDay backdoor against Southeast Asian governments
  • Aria-body loader campaigns (Check Point disclosure 2020)
  • MsnMM and Sys10 malware family deployments
Defenses
  • Regional CERT information sharing for ASEAN-aligned governments
    NIST CSF: RS.CO
  • Diplomatic email systems with phishing-resistant MFA
    NIST SP 800-63B
  • Endpoint detection for keylogger and RAT behavioral indicators
    MITRE D3FEND
  • Outbound traffic baselining for ministry networks
    NIST CSF: DE.CM
Reversed: Their Weakness
Coordinated ASEAN cyber defense sharing erodes Naikon's reach into individual ministries. The collective is harder to drown than the singular.

Data sourced from MITRE ATT&CK. For educational purposes.