Introduction
Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on TEMP.Hex, a China-nexus APT group.
Description
TEMP.Hex is one of the most prolific China-nexus threat actors and has targeted a wide variety of public and private entities around the globe, especially those that align with Beijing’s strategic interests. TEMP.Hex has been observed targeting national elections, world events, conferences, and resources. In recent years, TEMP.Hex has demonstrated an interest in the African continent and South America, likely in an effort to gather intelligence.
Overview
Aliases:
Anchor Panda, Bronze President, Camaro Dragon, Earth Preta, Mustang Panda, Mustangpanda, PKPLUG, Red Delta, Stately Taurus, TA416, TEMP.Hex, Twill Typhoon, Winnti Group.
Merged Groups:
UNC70, UNC116, UNC314, UNC363, UNC452, UNC453, UNC455, UNC456, UNC457, UNC458, UNC459, UNC1066, UNC1353, UNC1422, UNC1505, UNC1759, UNC2011, UNC2012, UNC2213, UNC2218, UNC3424, UNC3578, UNC3716, UNC4125, UNC4401, UNC4426, UNC4510, UNC4577, UNC4668, UNC5149, UNC5286, UNC5402, UNC5429, UNC5432, UNC5614, UNC5841, UNC6074.
Suspected Groups:
UNC358, UNC5263
Associated Malware:
BADFLIC, BEACON, BLACKSHEEP, BLASTPAD, BOPEEP, BOTCHDATE, CANDYSHELL, CARRIERPIGEON, CASUMARZU, CHIPSEAL, CLEANBRAKE, COBALT, DOUBLECRUISE, DOUBLEDRIVE, DRABCUBE, EGGROLL, EVILDAHLIA, FLASHBANG, FLASHBULB, FRYCOOK, GETHASHES, HARDPLACE, HARDTRIDENT, HIGHRENT, HOMEUNIX, HYRAN, LIGHTPIPE, LITTLECOW, METERPRETER, MIXDOOR, MONOPOD, MURLOCK, NIGHTMANGO, NJRAT, OADWAY, ODORDAHLIA, OLDFLAT, PIPEDOWN, POISONIVY, RICHBOAT, ROCKETSHIP, ROCKSTEADY, ROOMMATE, SAFERSING, SAWDRAIN, SCHOOLBUS, SNOWFIRE, SOFTLOCK, SOGU, SOGU.SEC, STACKDOWN, SUCCESSFLY, TINYLETTER, TINYNOTE, TINYROOM, TOUGHQUIZ, TWOPIPE, WEAKMASK, WEIRDEGG, WINGSTRUT, WISEPICK, WMIEXEC, XDOOR, ZXSHELL.
Targeted Industries:
Civil Society & Non-Profits, Aerospace & Defense, Chemicals & Materials, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Oil & Gas, Pharmaceuticals, Retail, Technology, Telecommunications, and Transportation.
Targeted Countries:
Kenya, Tanzania, Rwanda, Zimbabwe, Australia, Austria, Belgium, Bhutan, Cambodia, China, Czech Republic, Egypt, France, Hong Kong, Hungary, India, Indonesia, Ireland, Italy, Japan, Latvia, Luxembourg, Madagascar, Malaysia, Mauritius, Mongolia, Montenegro, Myanmar, New Zealand, Pakistan, Philippines, Poland, Saudi Arabia, Serbia, Singapore, Slovakia, South Korea, Sri Lanka, Switzerland, Taiwan, Thailand, Ukraine, United Kingdom, United States of America, Vietnam.
Associated Threat Actors:
FIN12, UNC2565, UNC2727, UNC3944, UNC4120, UNC5636
Associated Vulnerabilities:
CVE-2012-0158, CVE-2015-1641, CVE-2017-0199
Associated Tools:
ADEXPLORER, COBALTSTRIKE, NBTSCAN, OCTOPUS, PROCDUMP, PSEXEC, RAR, SCREENCONNECT, SFXZIP, WEXTRACT, WHOAMI, WINRAR, XCMD
Find the full list of IOCs here