APT10

apt10 · primary source: MITRE · first observed 2005

CN · ChinaState-sponsoredHigh confidencelast cited Dec 19, 2018 · 7y ago

PRC state-sponsored intrusion set publicly attributed by the U.S. DOJ to the Ministry of State Security's Tianjin State Security Bureau, operating through Huaying Haitai. Best known for the Cloud Hopper campaign against managed service providers (MSPs) and cloud platforms — supply-chain compromise to pivot into downstream customer networks across aviation, satellite, automotive, biotech, pharma, and IT services. The U.S. DOJ unsealed an indictment of Zhu Hua and Zhang Shilong in December 2018.

Aliases

Stone PandaCrowdStrikeMenuPassOtherRed ApolloOtherPOTASSIUMMicrosoftBronze RiversideOtherCVNXOther

Motivations

espionage

Target sectors

managed service providersaviationsatellitebiotechnologypharmaceuticaltelecommunications

Target countries

USGBJPDEFRCAAUBRINKR

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

APT10
China
espionage

Capability

Infrastructure

domainnow.yourtrap.com

Victim

managed service providers
aviation
satellite
US
GB
+1 more

MITRE ATT&CK techniques

T1199 T1078.004 T1059.001 T1133

Tools & malware

1 entry

PlugXRAT

Timeline

1 event

IndictmentHigh2018-12-20·U.S. Department of Justice
DOJ unseals indictment of MSS Tianjin operators for APT10 Cloud Hopper
U.S. DOJ unsealed an indictment of Zhu Hua and Zhang Shilong, PRC nationals working through Huaying Haitai, charging them with conspiracy to commit computer intrusions tied to the APT10 Group. The indictment publicly attributed the long-running 'Cloud Hopper' campaign — exploiting managed service providers as a pivot into downstream customer networks — to the MSS Tianjin State Security Bureau, naming over 45 victim organizations across aviation, satellite, biotech, automotive, and IT services.
indictmentsupply-chainmspchina

Indicators of compromise

3 indicators

defangedcsv

Type	Value	First seen	Source
Name	UPPERCUT family · UPPERCUT UPPERCUT (a.k.a. ANEL) backdoor attributed to APT10 / menuPass by MITRE ATT&CK (S0275). Deployed in long-running espionage campaigns against Japanese targets and tracked alongside the Cloud Hopper MSP intrusion set.	Sep 12, 2018	MITRE ATT&CK
Name	RedLeaves family · RedLeaves RedLeaves is a custom RAT first publicly associated with APT10 / menuPass in PwC and BAE Systems' Operation Cloud Hopper report. The Cloud Hopper IOC annex enumerates RedLeaves implant paths such as `C:\windows\system32\RedLeaves.exe` on victim hosts.	Apr 4, 2017	PwC UK / BAE Systems
Domain	domainnow[.]yourtrap[.]com Dynamic-DNS C2 hostname listed in PwC's Operation Cloud Hopper Annex A domain table. Used by APT10 across MSP-pivot intrusions documented in the 2016-2017 Cloud Hopper campaign.	Apr 4, 2017	PwC UK / BAE Systems

Related actors

shared ATT&CK techniques

CN · ChinaAPT403 shared techniques
CN · ChinaAPT312 shared techniques
- T1078.004
- T1133
IR · IranAPT332 shared techniques
- T1078.004
- T1133
KP · DPRKBlueNoroff2 shared techniques
- T1059.001
- T1078.004
?? · UnknownScattered Spider2 shared techniques
- T1078.004
- T1199
RU · Russia8Base1 shared technique
- T1133

References

cite this page

Threat Intel Tracker. (2026-05-19). APT10 — actor profile. Retrieved from https://threatintel.local/actors/apt10

latest cited activity · 2018-12-20 · 3 cataloged indicators