Picus Labs Red Team | 3 MIN READ

LAST UPDATED ON OCTOBER 17, 2025

Picus Threat Library Updated for A41APT Campaign of the APT10 (menuPass) APT Group

Picus Labs has enriched the Picus Threat Library with new simulations that mirror malware and techniques used in the A41APT espionage campaign attributed to APT10, also known as Cloud Hopper, Red Apollo, CNVX, Stone Panda, MenuPass, and Potassium. Active since 2006, APT10 is widely assessed as linked to the Tianjin bureau of China’s Ministry of State Security [1]. The group has conducted long-running operations across more than 30 countries in Asia, Europe, North America, and Africa. Its targeting spans government, defense, energy, financial services, aerospace, healthcare, telecommunications, and managed service providers, reflecting a focus on strategically valuable data and supply chain access.

To support realistic validation, the updated scenarios emulate APT10’s tradecraft across initial access, persistence, lateral movement, and data exfiltration. Reported toolsets used by the group include BloodHound for Active Directory mapping, China Chopper and TwoFace-style web shells for footholds, Cobalt Strike for post-exploitation beacons, Derusbi as a custom backdoor, Mimikatz and LaZagne for credential theft, PowerSploit and PowerView for offensive PowerShell actions, PsExec for remote execution, certutil for staging and transfer, and utilities such as pwdump for extracting hashes. By reproducing these behaviors and mapping them to MITRE ATT&CK, Picus helps teams measure real detection coverage across EDR, NDR, SIEM, and WAF, identify control gaps, and prioritize mitigations. Organizations can use these simulations to verify that logging, analytics, and response playbooks detect APT10-style activity early, contain lateral movement, and protect high-value systems before data can be staged and exfiltrated.

A41APT Espionage Campaign

A41APT is a long-running espionage campaign with activity observed since March 2019 [2]. Most of the malware families used in this campaign are fileless malware that had not been discovered before. The delivered payloads are SodaMaster (a.k.a. DelfsCake, dfls, and DARKTOWN), P8RAT (a.k.a. GreetCake and HEAVYPOT), and FYAnti.

Picus Labs has updated the Picus Threat Library with the following malware used in the A41APT campaign of the APT10 threat group:

Picus ID | Threat Name
623353   | P8RAT Trojan used by APT10 Threat Group in A41APT Campaign .DLL File Download Variant-1
775198   | Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaign .DLL File Download Variant-1
874874   | Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaign .DLL File Download Variant-3
367130   | Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaign .DLL File Download

The main function of P8RAT is to download payloads consisting of PE files or shellcode from its C2 server and run them. P8RAT also looks for the VBoxService.exe and vmtoolsd.exe processes to determine whether the infected host is a virtual machine or a physical machine.

Another payload, SodaMaster, likewise downloads malicious DLLs or shellcode and executes the downloaded payloads, much like P8RAT.

Other Threats of APT10 (menuPass) in Picus Threat Library

Picus Threat Library consists of 44 threats of the APT10 (menuPass) threat group, including:

  • APT10 Threat Group Attack Scenario
  • ChChes Trojan used by menuPass (Stone Panda) APT Campaign 
  • Redleaves RAT Malware used in menuPass Campaign 
  • PlugX (Korplug) RAT used by menuPass (Stone Panda) APT 
  • Poison Ivy (PIVY) RAT used by menuPass (Stone Panda) APT

MITRE ATT&CK Techniques used by APT10 (menuPass)

  • T1133 External Remote Services
  • T1078 Valid Accounts
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
  • T1574.002 Hijack Execution Flow: DLL Side-Loading
  • T1070.003 Indicator Removal on Host: Clear Command History
  • T1036 Masquerading
  • T1497.001 Virtualization/Sandbox Evasion: System Checks
  • T1057 Process Discovery
  • T1082 System Information Discovery
  • T1012 Query Registry
  • T1210 Exploitation of Remote Services
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1132.002 Data Encoding: Non-Standard Encoding
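The two Hijack Execution Flow entries in the list above (T1574.001 and T1574.002) are where the ".DLL File Download" threats in the table are most likely to surface in endpoint telemetry. The following is an added detection example written for this post; it is not Picus or APT10 code. It classifies Sysmon-style Event ID 7 (image load) records against both sub-techniques: a well-known system DLL name resolved from outside the Windows system directories points at search-order hijacking, and an unsigned DLL loaded from the host executable's own, user-writable directory points at side-loading. The Sysmon field names are real; the set of system DLL names, the user-writable directory list and the sample events are constructed for illustration.

```python
"""Flag Sysmon-style image-load events (Event ID 7) that fit the two Hijack
Execution Flow sub-techniques listed on the page: DLL Search Order Hijacking
(T1574.001) and DLL Side-Loading (T1574.002).

Added detection example; not Picus or APT10 code. The event field names follow
Sysmon Event ID 7 (Image, ImageLoaded, SignatureStatus); the sample events, the
user-writable directory list and the set of system DLL names are constructed.
"""
import ntpath

# Directories where Windows' own DLLs legitimately live (compared lower-case).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Locations a standard user can write to (assumption for this example); a DLL
# side-loaded next to a dropped executable usually lives here rather than
# under Program Files or Windows.
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")

# Constructed set of DLL names that ship in System32. A same-named file loaded
# from any other directory was resolved ahead of the real one in the search order.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll",
    "uxtheme.dll", "propsys.dll", "dwmapi.dll",
}


def _dir_of(path: str) -> str:
    """Lower-cased directory component of a Windows path, no trailing slash."""
    return ntpath.dirname(path.lower()).rstrip("\\")


def _under(dirpath: str, roots) -> bool:
    """True if dirpath equals or lies beneath one of roots."""
    return any(dirpath == r or dirpath.startswith(r + "\\") for r in roots)


def classify_image_load(event: dict) -> list:
    """Return the ATT&CK sub-technique IDs an Event ID 7 record is consistent with."""
    loaded = event["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    if not name.endswith(".dll"):
        return []  # only DLL loads matter for T1574.001/.002

    findings = []
    loaded_dir = _dir_of(loaded)

    # Search-order hijack: a well-known system DLL name resolved from a
    # directory other than the Windows system directories.
    if name in KNOWN_SYSTEM_DLLS and not _under(loaded_dir, SYSTEM_DIRS):
        findings.append("T1574.001")

    # Side-loading: the DLL sits in the host executable's own directory, that
    # directory is user-writable, and the DLL does not carry a valid signature.
    # Event ID 7 records the loaded image's signature, not the host's, so the
    # host executable itself is not checked here.
    signed_ok = event.get("SignatureStatus", "").lower() == "valid"
    same_dir = loaded_dir == _dir_of(event["Image"])
    if same_dir and not signed_ok and _under(loaded_dir, USER_WRITABLE_DIRS):
        findings.append("T1574.002")

    return findings


def scan(events) -> list:
    """Return (ImageLoaded, findings) for every event that raised a finding."""
    hits = []
    for ev in events:
        findings = classify_image_load(ev)
        if findings:
            hits.append((ev["ImageLoaded"], findings))
    return hits


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
     "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\Tools\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\helper.dll",
     "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\dbghelp.dll",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS):
        print(path, "->", ", ".join(findings))
```

Run against the constructed events, only the second and third records raise findings: the Temp-directory version.dll matches both sub-techniques, and the ProgramData helper.dll matches side-loading alone. In production the KNOWN_SYSTEM_DLLS set should be built from a clean baseline of the fleet's System32 contents, and hits should be correlated with the process creation (Event ID 1) and network connection (Event ID 3) events of the same process, since the loader stage described above is followed by a download from C2.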

References

[1] https://www.fbi.gov/wanted/cyber/apt-10-group
[2] https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

The A41APT campaign is an espionage campaign conducted by the APT10 group, which is also known as Cloud Hopper, Red Apollo, CNVX, Stone Panda, MenuPass, and Potassium.
APT10 primarily targets government, defense, energy, financial, aerospace, healthcare, telecommunications, and managed service providers (MSPs) across more than 30 countries in Asia, Europe, North America, and Africa.
The A41APT campaign uses fileless malware, including payloads like SodaMaster (also known as DelfsCake, dfls, and DARKTOWN), P8RAT (also known as GreetCake and HEAVYPOT), and FYAnti.
APT10 uses various tools, including BloodHound, China Chopper, Cobalt Strike, Derusbi, Mimikatz, PowerSploit, PowerView, pwdump, SharpSploit, PsExec, and certutil.
P8RAT downloads payloads consisting of PE files or shellcode from its C2 server and executes them. It also checks for the VBoxService.exe and vmtoolsd.exe processes to determine whether the environment is a virtual machine or a physical machine.
SodaMaster is responsible for downloading malicious DLLs or shellcode and executing the downloaded payloads, similar to P8RAT.
Some techniques include External Remote Services, Valid Accounts, Command and Scripting Interpreter: PowerShell, Scheduled Task/Job: Scheduled Task, Hijack Execution Flow: DLL Search Order Hijacking, and Virtualization/Sandbox Evasion: System Checks, among others.