Picus Labs has enriched the Picus Threat Library with new simulations that mirror malware and techniques used in the A41APT espionage campaign attributed to APT10, also known as Cloud Hopper, Red Apollo, CNVX, Stone Panda, MenuPass, and Potassium. Active since 2006, APT10 is widely assessed as linked to the Tianjin bureau of China's Ministry of State Security [1]. The group has conducted long-running operations across more than 30 countries in Asia, Europe, North America, and Africa. Its targeting spans government, defense, energy, financial services, aerospace, healthcare, telecommunications, and managed service providers, reflecting a focus on strategically valuable data and supply chain access.
To support realistic validation, the updated scenarios emulate APT10's tradecraft across initial access, persistence, lateral movement, and data exfiltration. Reported toolsets used by the group include BloodHound for Active Directory mapping, China Chopper and TwoFace-style web shells for footholds, Cobalt Strike for post-exploitation beacons, Derusbi as a custom backdoor, Mimikatz and LaZagne for credential theft, PowerSploit and PowerView for offensive PowerShell actions, PsExec for remote execution, certutil for staging and transfer, and utilities such as pwdump for extracting hashes. By reproducing these behaviors and mapping them to MITRE ATT&CK, Picus helps teams measure real detection coverage across EDR, NDR, SIEM, and WAF, identify control gaps, and prioritize mitigations. Organizations can use these simulations to verify that logging, analytics, and response playbooks detect APT10-style activity early, contain lateral movement, and protect high-value systems before data can be staged and exfiltrated.
A41APT is a long-running espionage campaign with activities detected from March 2019 [2]. Most of the malware families used in this campaign are fileless and had not been observed before. The delivered payloads are SodaMaster (a.k.a. DelfsCake, dfls, and DARKTOWN), P8RAT (a.k.a. GreetCake and HEAVYPOT), and FYAnti.
Picus Labs has updated the Picus Threat Library with the following malware used in the A41APT campaign of the APT10 threat group:
| Picus ID | Threat Name |
| --- | --- |
| 623353 | P8RAT Trojan used by APT10 Threat Group in A41APT Campaign .DLL File Download Variant-1 |
| 775198 | Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaign .DLL File Download Variant-1 |
| 874874 | Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaign .DLL File Download Variant-3 |
| 367130 | Sodamaster Loader Trojan used by APT10 Threat Group in A41APT Campaign .DLL File Download |
The main function of P8RAT is downloading payloads consisting of PE files or shellcode from its C2 server and running them. P8RAT also looks for the VBoxService.exe and vmtoolsd.exe processes to determine whether the infected environment is a virtual machine or a physical machine.
Another payload is SodaMaster, which, like P8RAT, downloads malicious DLLs or shellcode and executes the downloaded payloads.
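Because P8RAT decides whether it is in a VM by looking for VBoxService.exe and vmtoolsd.exe, an analysis sandbox that exposes those process names will be recognised by that check and may never receive a payload. The following added example (not Picus or APT10 code) screens a process list for those two names so an analyst can verify what a P8RAT-style check would see; the tasklist parsing and the sample output are constructed for this example.

```python
"""Screen a process list for the VM artifact processes P8RAT is reported to check.

Added example, not code from the Picus Threat Library or the A41APT malware.
Use it to confirm whether an analysis VM would be flagged as a VM by a
P8RAT-style process-name check.
"""
import subprocess
import sys

# Process names the campaign report says P8RAT looks for (matched case-insensitively).
VM_ARTIFACT_PROCESSES = {
    "vboxservice.exe": "VirtualBox Guest Additions",
    "vmtoolsd.exe": "VMware Tools",
}


def parse_tasklist(output):
    """Return image names from `tasklist` text output (fixed-width first column)."""
    names = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # skip header, separator and blank lines
        names.append(line[:25].strip())  # image name column is 25 characters wide
    return names


def find_vm_artifacts(process_names):
    """Map each visible VM artifact process (as seen) to the platform it reveals."""
    found = {}
    for name in process_names:
        platform = VM_ARTIFACT_PROCESSES.get(name.lower())
        if platform:
            found[name] = platform
    return found


def scan_local_processes():
    """Check the live process list; tasklist exists only on Windows (assumption)."""
    if sys.platform != "win32":
        raise RuntimeError("tasklist is only available on Windows")
    out = subprocess.run(["tasklist"], capture_output=True, text=True, check=True).stdout
    return find_vm_artifacts(parse_tasklist(out))


# Constructed sample of tasklist output so the example runs offline.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    912 Services                   0     12,340 K
VBoxService.exe               1188 Services                   0      4,120 K
explorer.exe                  2044 Console                    1     61,004 K
"""

if __name__ == "__main__":
    for name, platform in find_vm_artifacts(parse_tasklist(SAMPLE_TASKLIST)).items():
        print(f"{name} visible ({platform}): a P8RAT-style check would treat this host as a VM")
```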
Other Threats of Mustang Panda in Picus Threat Library
Picus Threat Library consists of 44 threats of the APT10 (menuPass) threat group, including:
MITRE ATT&CK Techniques used by Mustang Panda
References
[1] https://www.fbi.gov/wanted/cyber/apt-10-group
[2] https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/