The Patient Colony: Velvet Ant

Threat Intelligence Tarot

Vol. II · 122

China-aligned

★★★★★

risk 4/5

✦ The Patient Colony ✦

Velvet Ant

Sygnia tracked cluster

Large enterprisesNetwork appliancesAsia-Pacific organizations

Active since ~2021 · Long-dwell espionage, Strategic positioning

The Patient Colony lives in the equipment closet, where alerts do not go and patches rarely arrive. Its scouts spend years rebuilding the same trails across the same forgotten boxes.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1190

Exploit Public-Facing Application

Initial Access

T1078

Valid Accounts

Persistence

T1027

Obfuscated Files or Information

Defense Evasion

T1090

Proxy

Command and Control

T1078.004

Cloud Accounts

Defense Evasion

Notable Operations

◆Three-year stealth intrusion of large Asian enterprise (Sygnia 2024 disclosure)
◆F5 BIG-IP exploitation including CVE-2022-1388
◆Cisco Nexus 0-day exploitation (CVE-2024-20399)
◆Persistence on end-of-life and legacy network appliances

Defenses

▸
Network appliance lifecycle management with mandatory EOL replacement
NIST CSF: ID.AM ↗
▸
Edge device firmware integrity monitoring
NIST CSF: PR.DS ↗
▸
Out-of-band management network isolation for network gear
CIS Control 12 ↗
▸
Continuous external attack surface scanning of edge devices
NIST CSF: DE.CM ↗

Reversed: Their Weakness

Lifecycle management — retiring unsupported network appliances and continuously inventorying internet-facing edge devices — strips this colony of its preferred ground.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe USB Serpent Next →The Many-Headed Whisper

Related Adversaries

The Throne of Drivers

GhostEmperor

4 shared TTPs

★★★★★

The Tower of Sparrows

Data sourced from MITRE ATT&CK. For educational purposes.