Velvet Ant (Deprecated)

Also known as: Velvet Ant (Deprecated)

We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: “Velvet Ant” (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.

Velvet Ant is a suspected “China-nexus” espionage group that has notably targeted network devices as part of its operations. In one case involving an unspecified victim in East Asia, the group abused a legacy, internet-exposed F5 BIG-IP load balancer appliance as a command-and-control mechanism and maintained persistence in the victim network for roughly three years. During the broader investigation, researchers also observed zero-day exploitation of CVE-2024-20399, a command injection vulnerability in the CLI of Cisco NX-OS on Nexus switches, which let the actors upload and execute previously unknown custom malware on the switch's underlying Linux operating system. Exploiting that flaw requires valid administrator-level credentials on the switch, so it extends existing access rather than providing initial entry. The researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as a means of network access and persistence, since those appliances “are often not sufficiently protected and monitored”.[Sygnia Velvet Ant June 17 2024][Sygnia Velvet Ant July 1 2024]
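One concrete way to close the monitoring gap the researchers describe is to review the switch's command accounting log for the activity an attacker needs on a Nexus device: enabling or entering the underlying shell, staging files onto bootflash from an external host, and shell metacharacters inside CLI arguments. The script below is an added example, not code from the Sygnia reports or from Tidal; the accounting log lines are constructed, the field layout is an approximation of NX-OS `show accounting log` output, the `TRUSTED_SOURCES` allowlist is assumed, and the metacharacter rule is a generic heuristic rather than a signature for CVE-2024-20399.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an NX-OS accounting log. The field layout
# (timestamp:type=...:id=<source>@<tty>:user=<name>:cmd=<command> (<result>))
# is an approximation used for this example, not a verbatim log from the report.
SAMPLE_ACCOUNTING_LOG = """\
Mon Jul  1 09:12:03 2024:type=update:id=10.20.0.5@pts/0:user=netops:cmd=show interface brief (SUCCESS)
Mon Jul  1 09:14:41 2024:type=update:id=10.20.0.5@pts/0:user=netops:cmd=interface Ethernet1/7 (SUCCESS)
Mon Jul  1 22:03:10 2024:type=update:id=203.0.113.77@pts/1:user=admin:cmd=feature bash-shell (SUCCESS)
Mon Jul  1 22:03:19 2024:type=update:id=203.0.113.77@pts/1:user=admin:cmd=run bash (SUCCESS)
Mon Jul  1 22:05:55 2024:type=update:id=203.0.113.77@pts/1:user=admin:cmd=copy scp://203.0.113.77/tools.bin bootflash: (SUCCESS)
Mon Jul  1 22:06:30 2024:type=update:id=203.0.113.77@pts/1:user=admin:cmd=show version | grep 'x; id' (SUCCESS)
"""

# Management hosts from which interactive admin sessions are expected (assumed allowlist).
TRUSTED_SOURCES = {"10.20.0.5", "10.20.0.6"}

LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^@]+)@(?P<tty>[^:]+)"
    r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*?)(?: \((?P<result>[A-Z]+)\))?$"
)

# Commands that hand the operator a Linux shell underneath NX-OS. Legitimate for
# engineers, but exactly what an attacker needs to drop and run custom binaries.
SHELL_ACCESS_RE = re.compile(r"^(run\s+bash|feature\s+bash-shell|run\s+guestshell)\b")
# Shell metacharacters inside a CLI argument: a generic argument-injection heuristic.
# A single '|' is normal NX-OS output filtering and is deliberately not flagged.
METACHAR_RE = re.compile(r"[;`]|\$\(|&&|\|\|")
# Files pulled onto the switch's bootflash from a remote host.
FILE_STAGING_RE = re.compile(r"^copy\s+\S+://\S+\s+bootflash:", re.IGNORECASE)


def parse_accounting_line(line: str) -> Optional[Dict[str, str]]:
    """Split one accounting record into fields; None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["result"] = fields["result"] or "UNKNOWN"
    return fields


def classify(record: Dict[str, str], trusted_sources: set) -> List[str]:
    """Return the list of reasons a record looks suspicious (empty if none)."""
    cmd = record["cmd"]
    reasons: List[str] = []
    if SHELL_ACCESS_RE.match(cmd):
        reasons.append("shell-access")
    if METACHAR_RE.search(cmd):
        reasons.append("shell-metacharacters")
    if FILE_STAGING_RE.match(cmd):
        reasons.append("file-staging")
    if record["src"] not in trusted_sources:
        reasons.append("untrusted-source")
    return reasons


def find_suspicious(log_text: str, trusted_sources: set) -> List[Dict[str, object]]:
    """Scan an accounting log and return every record with at least one reason."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        record = parse_accounting_line(line)
        if record is None:
            continue
        reasons = classify(record, trusted_sources)
        if reasons:
            findings.append({**record, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_ACCOUNTING_LOG, TRUSTED_SOURCES):
        print(f"{f['ts']}  {f['user']}@{f['src']}  {f['cmd']!r}  -> {', '.join(f['reasons'])}")
```

Run against the constructed sample, the two daytime `netops` commands from an allowlisted host produce no findings, while the four evening `admin` commands from 203.0.113.77 are each flagged at least for the untrusted source, with the shell entry, file staging and metacharacter rules adding the reason an analyst would triage first. In practice the log should be shipped off the switch to a collector, since an attacker with root on the device can edit it in place.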

🌍 Country China

Activities and Tactics

Country of Origin: 🇨🇳 China

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • SHIPSHAPE
  • China Chopper
  • Unknown Logger
  • Xploit
  • Archelaus Beta

Attribution and Evidence

Country of Origin: China

Additional attribution information pending cataloguing.

References

[1] Sygnia Velvet Ant June 17 2024
[2] Sygnia Velvet Ant July 1 2024