ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Bronze Starlight

Names: Bronze Starlight (SecureWorks), DEV-0401 (Microsoft), Cinnamon Tempest (Microsoft), Operation ChattyGoblin (SentinelLabs), SLIME34 (?)
Country: China
Motivation: Information theft and espionage
First seen: 2021
Description: (SecureWorks) BRONZE STARLIGHT has been active since mid-2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posting victim names to leak sites.

CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX, which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property or conducting espionage.
Observed sectors: Casinos and Gambling.
Observed countries: Philippines and Southeast Asia.
Tools used: AtomSilo, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Rook.
Operations performed: Mar 2023 - Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector

Last change to this card: 06 September 2023
