ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Barium

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Barium

NamesBarium (Microsoft)
Pigfish (iDefense)
Brass Typhoon (Microsoft)
CountryChina China
SponsorState-sponsored
MotivationInformation theft and espionage
First seen2016
Description(Microsoft) Barium begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once Barium has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.

Also see APT 41 and RedGolf, which overlap with Barium.
ObservedSectors: Media, Online video game companies, Technology.
Tools usedBarlaiy, Cobalt Strike, PlugX, Winnti.
Counter operationsNov 2017Microsoft Asks Judge to Take Down Barium Hackers
<https://www.courthousenews.com/wp-content/uploads/2017/11/barium.pdf>
Information<https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html>

Last change to this card: 26 April 2023

Download this actor card in PDF or JSON format

Previous: Bahamut
Next: Berserk Bear, Dragonfly 2.0

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]