Threat Intelligence Tarot
Vol. II · 116
China (PLA Northeastern Theater Command, suspected)
G0131
risk 3/5
The Heartbeat
Tonto Team
Karma Panda · Earth Akhlut · CactusPete · HeartBeat
Russia · Mongolia · Japan · South Korea · Taiwan · Defense ministries
Active since ~2009 · Regional military intelligence, Diplomatic espionage
The Heartbeat moves on a long, slow rhythm — one campaign per quarter, one breach per year, all tuned to the pulse of regional defense procurement. It does not raise its voice, and so the alarm rarely rises with it.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1566.001 · Spearphishing Attachment · Initial Access
  • T1203 · Exploitation for Client Execution · Execution
  • T1059.005 · Visual Basic · Execution
  • T1547.001 · Registry Run Keys · Persistence
  • T1071.001 · Web Protocols · Command and Control
  • T1027 · Obfuscated Files or Information · Defense Evasion
Notable Operations
  • Bisonal RAT campaigns spanning over a decade
  • ProxyLogon Exchange exploitation against Eastern European targets (2021)
  • Targeting of Mongolian and Russian government and military
  • Trend Micro Earth Akhlut attribution report (2020)
Defenses
  • Long-tail malware family hunts including Bisonal IOC packages
    MITRE D3FEND
  • Macro execution policy with notification and blocking
    CIS Control 9
  • Exchange server patch SLAs with virtual patching where applicable
    CIS Control 7
  • Defense ministry SOC sharing across Northeast Asian allied nations
    NIST CSF: RS.CO
Reversed: Their Weakness
Reuse of Bisonal across a decade is both signature and weakness: defenders that hunted Bisonal in 2014 can hunt the 2024 variant with familiar signatures.

Data sourced from MITRE ATT&CK. For educational purposes.