ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: CeranaKeeper

Names: CeranaKeeper (ESET)
Country: China
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2022
Description: (ESET) CeranaKeeper has been active since at least the beginning of 2022, mainly targeting governmental entities in Asian countries such as Thailand, Myanmar, the Philippines, Japan, and Taiwan; we believe it is aligned with China’s interests. The group’s relentless hunt for data is remarkable, with its attackers deploying a wide array of tools aimed at extracting as much information as possible from compromised networks. In the operation we analyzed, the group turned compromised machines into update servers, devised a novel technique using GitHub’s pull request and issue comment features to create a stealthy reverse shell, and deployed single-use harvesting components when collecting entire file trees.

CeranaKeeper seems to reuse tools from Mustang Panda, Bronze President.
Observed:
  Sectors: Government.
  Countries: Japan, Myanmar, Philippines, Taiwan, Thailand.
Tools used: PUBLOAD, TONEINS, TONESHELL.
Operations performed:
  2023: Separating the bee from the panda: CeranaKeeper making a beeline for Thailand
  <https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/>
Information: <https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2023-q1-2024.pdf>

Last change to this card: 24 October 2024
