Introduction

Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on TEMP.Hex, the Chinese APT Group.

Description

TEMP.Hex is one of the most prolific China-nexus threat actors that has targeted a wide variety of public and private entities around the globe, especially those that align with Beijing’s strategic interests. TEMP.Hex has been observed targeting national elections, world events, conferences, and resources. In recent years, TEMP.Hex has demonstrated an interest in the African Continent and South America, likely in an effort to gather intelligence.

Overview

Aliases: 

Anchor Panda, Bronze President, Comarodragon, Earthpreta, Mustang Panda, Mustangpanda, Pkplug, Red Delta, Statelytaurus, TA416, TEMP.Hex, Twill Typhiin, Winnti Group.

Merged Groups: 

UNC70, UNC116, UNC314, UNC363, UNC452, UNC453, UNC455, UNC456, UNC457, UNC458, UNC459, UNC1066, UNC1353, UNC1422, UNC1505, UNC1759, UNC2011, UNC2012, UNC2213, UNC2218, UNC3424, UNC3578, UNC3716, UNC4125, UNC4401, UNC4426, UNC4510, UNC4577, UNC4668, UNC5149, UNC5286, UNC5402, UNC5429, UNC5432, UNC5614, UNC5841, UNC6074. 

Suspected Groups:

UNC358, UNC5263

Associated Malware: 

BADFLIC, BEACON, BLACKSHEEP, BLASTPAD, BOPEEP, BOTCHDATE, CANDYSHELL, CARRIERPIGEON, CASUMARZU, CHIPSEAL, CLEANBRAKE, COBALT, DOUBLECRUISE, DOUBLEDRIVE, DRABCUBE, EGGROLL, EVILDAHLIA, FLASHBANG, FLASHBULB, FRYCOOK, GETHASHES, HARDPLACE, HARDTRIDENT, HIGHRENT, HOMEUNIX, HYRAN, LIGHTPIPE, LITTLECOW, METERPRETER, MIXDOOR, MONOPOD, MURLOCK, NIGHTMANGO, NJRAT, OADWAY, ODORDAHLIA, OLDFLAT, PIPEDOWN, POISONIVY, RICHBOAT, ROCKETSHIP, ROCKSTEADY, ROOMMATE, SAFERSING, SAWDRAIN, SCHOOLBUS, SNOWFIRE, SOFTLOCK, SOGU, SOGU.SEC, STACKDOWN, SUCCESSFLY, TINYLETTER, TINYNOTE, TINYROOM, TOUGHQUIZ, TWOPIPE, WEAKMASK, WEIRDEGG, WINGSTRUT, WISEPICK, WMIEXEC, XDOOR, ZXSHELL.

Targeted Industries: 

Civil Society & Non-Profits, Aerospace & Defense, Chemicals & Materials, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Oil & Gas, Pharmaceuticals, Retail, Technology, Telecommunications, and Transportation.

Targeted Countries:

Kenya, Tanzania, Rwanda, Zimbabwe, Australia, Austria, Belgium, Bhutan, Cambodia, China, Czech Republic, Egypt, France, Hong Kong, Hungary, India, Indonesia, Ireland, Italy, Japan, Latvia, Luxembourg, Madagascar, Malaysia, Mauritius, Mongolia, Montenegro, Myanmar, New Zealand, Pakistan, Philippines, Poland, Saudi Arabia, Serbia, Singapore, Slovakia, South Korea, Sri Lanka, Switzerland, Taiwan, Thailand, Ukraine, United Kingdom, United States of America, Vietnam.

Associated Threat Actors: 

FIN12, UNC2565, UNC2727, UNC3944, UNC4120, UNC5636

Associated Vulnerabilities: 

CVE-2012-0158, CVE-2015-1641, CVE-2017-0199

Associated Tools

ADEXPLORER, COBALTSTRIKE, NBTSCAN, OCTOPUS, PROCDUMP, PSEXEC, RAR, SCREENCONNECT, SFXZIP, WEXTRACT, WHOAMI, WINRAR, XCMD

Find the full list of IOCs here