Velvet Ant

Velvet Ant is a China-nexus threat actor active since at least 2021. It is known for complex, long-lived persistence mechanisms, for targeting network devices and appliances during operations (including F5 load balancers and Cisco Nexus switches), and for the use of zero-day exploits, notably a Cisco zero-day (CVE-2024-20399) used to compromise Nexus switch devices. [3] [2]

🌍 Country China
🧭 ATT&CK G1047

Activities and Tactics

Country of Origin: 🇨🇳 China

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

ATT&CK technique mapping pending cataloguing; see the ATT&CK group entry G1047.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • CyberGate
  • Cyber Eye RAT
  • Xploit

MITRE ATT&CK Software

Information pending cataloguing.

Attribution and Evidence

Country of Origin: China. Sygnia assesses the group as China-nexus. [3] [2]

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK. Velvet Ant (G1047).
[2] Sygnia Team. (2024, July 1). China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices – Advisory for Mitigation and Response. Retrieved March 14, 2025.
[3] Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.