Names | CeranaKeeper (ESET) | |
Country | China | |
Sponsor | State-sponsored | |
Motivation | Information theft and espionage | |
First seen | 2022 | |
Description | (ESET) CeranaKeeper has been active since at least the beginning of 2022, mainly targeting governmental entities in Asian countries such as Thailand, Myanmar, the Philippines, Japan, and Taiwan; we believe it is aligned with China’s interests. The group’s relentless hunt for data is remarkable, with its attackers deploying a wide array of tools aimed at extracting as much information as possible from compromised networks. In the operation we analyzed, the group turned compromised machines into update servers, devised a novel technique using GitHub’s pull request and issue comment features to create a stealthy reverse shell, and deployed single-use harvesting components when collecting entire file trees. CeranaKeeper seems to reuse tools from Mustang Panda, Bronze President. | |
Observed | Sectors: Government. Countries: Japan, Myanmar, Philippines, Taiwan, Thailand. | |
Tools used | PUBLOAD, TONEINS, TONESHELL. | |
Operations performed | 2023 | Separating the bee from the panda: CeranaKeeper making a beeline for Thailand <https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/> |
Information | <https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2023-q1-2024.pdf> |
Last change to this card: 24 October 2024
Download this actor card in PDF or JSON format
Previous: Careto, The Mask
Next: Chafer, APT 39
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |