ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > ChamelGang

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: ChamelGang

NamesChamelGang (Positive Technlogies)
CountryChina China
MotivationInformation theft and espionage
First seen2021
Description(Positive Technologies) In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. We gave the group the name ChamelGang (from the word 'chameleon'), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google. The attackers employed two methods. They acquired domains that imitate legitimate ones. In addition, the APT group placed SSL certificates that also imitated legitimate ones on its servers. To achieve their goal, the attackers used a trending penetration method—supply chain. The group compromised a subsidiary and penetrated the target company's network through it.
ObservedSectors: Aviation, Energy, Government.
Countries: Afghanistan, India, Japan, Lithuania, Nepal, Russia, Taiwan, Turkey, USA, Vietnam.
Tools used7-Zip, BeaconLoader, Cobalt Strike, DoorMe, FRP, ProxyT, Tiny SHell.
Operations performedJun 2023ChamelGang and ChamelDoH: A DNS-over-HTTPS implant

Last change to this card: 22 June 2023

Download this actor card in PDF or JSON format

Previous: Chafer, APT 39
Next: Chimera

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]