We Analyze China-based APT16 Hacker Group: Threat Group Summary, Attacks & Tactics 2025

In the past decade, cyber threats have evolved dramatically, with some actors becoming highly sophisticated. One such entity has been linked to over 70 breaches across multiple industries, including government, finance, and telecom sectors.
This group employs advanced techniques like ORB networks and DLL hijacking to bypass defenses. Recent campaigns, such as PurpleHaze and ShadowPad, highlight their growing capabilities.
Security experts note an unusual blend of ransomware and espionage tactics in their operations. Understanding these evolving methods is critical for defense strategies in today’s digital landscape.
Key Takeaways
- Advanced cyber threats target key industries globally.
- New techniques like ORB networks increase attack complexity.
- Recent campaigns demonstrate evolving tactics.
- Defense requires continuous monitoring and adaptation.
- Collaboration among security teams is essential.
Introduction to APT16: A Persistent Chinese Cyberespionage Threat
Emerging from the shadows in 2015, a sophisticated cyberespionage actor began targeting strategic sectors across East Asia. Over the years, their campaigns have mirrored geopolitical tensions, focusing on governments, media, and technology firms. This group’s ability to adapt sets it apart from typical threat actors.
Origins and Historical Context
Early operations relied on exploits like CVE-2015-1701 and the ELMER backdoor to infiltrate Japanese and Taiwanese entities. Compromised legitimate websites served as payload servers, blending malicious activity with normal traffic. By 2018, tactics shifted from basic phishing to multi-stage attacks using ORB networks.
Alignment with Chinese Nation-State Interests
Targeting patterns align with China’s Five-Year Plan priorities, particularly in telecom and defense sectors. Recent leaks reveal contractor ties to the Ministry of State Security (MSS), confirming state sponsorship. Notably, 2025 campaigns mark the first use of THC tools in state-aligned cyberespionage.
Operational overlaps with groups like APT15 suggest shared infrastructure or training. The strategic pivot toward cybersecurity vendors indicates a focus on disabling defensive capabilities early in attacks.
APT16’s 2025 Campaigns: PurpleHaze and ShadowPad Operations
A dual-threat approach combining espionage and ransomware emerged in 2025 operations. These campaigns targeted critical organizations worldwide, exploiting both technical gaps and human trust.
Overview of the PurpleHaze Activity Cluster
Between September and October 2024, PurpleHaze compromised 70+ entities across Europe. Media outlets, manufacturing firms, and government agencies suffered data theft. Attackers used spear-phishing to gain access, then deployed custom malware.
Notably, 38% of victims were in manufacturing, reflecting strategic interest in supply chains. Parallel ransomware demands reached $2 million, blurring lines between crime and espionage.
ShadowPad Intrusions: Global Reach and Sector Impact
ShadowPad leveraged ScatterBrain obfuscation via C2 server 45.13.199[.]209. It infiltrated networks in eight countries, dwelling undetected for 60 days in one South Asian government system.
The campaign exploited vulnerabilities like CVE-2024-8963 (privilege escalation) and CVE-2024-8190 (remote code execution). An IT logistics provider’s compromised hardware enabled further supply chain attacks.
Victim distribution reveals priorities:
- 38% manufacturing
- 22% government
- 17% finance
This mirrors trends in state-aligned cyber activity.
Key Tools and Malware in APT16’s Arsenal
Behind every major cyber breach lies a carefully crafted toolkit. Modern threats combine malware sophistication with evasion techniques that challenge even advanced security systems. We analyze three critical components reshaping the threat landscape.
ShadowPad’s Evolving Architecture
The modular framework allows attackers to deploy only necessary components. Recent variants use 0x20 code injection to bypass memory scanners.
“ShadowPad’s DNS over HTTPS evasion makes C2 traffic resemble normal web requests”
ScatterBrain obfuscation adds three layers:
- Base64-encoded payloads
- Randomized API calls
- Time-based execution triggers
PlugX and DLL Hijacking Tactics
The 2025 version exploits Toshiba executables through toshibdpapi.dll sideloading. This DLL hijacking technique grants persistent access while appearing legitimate. Security teams found RA World ransomware bundled with PlugX in 17% of cases.
| Tool | Delivery Method | Evasion Technique |
|---|---|---|
| ShadowPad | Spear-phishing | DNS over HTTPS |
| PlugX | DLL hijacking | Legitimate process mimicry |
| GOREshell | Compressed 7-Zip files | Password-protected (@WsxCFt6&UJMmko0) |
The GOREshell Backdoor
This new threat combines open-source tools with custom command systems. Reverse SSH variants enable persistent connections. PowerShell scripts harvest credentials from memory caches.
Key capabilities include:
- Process hollowing for stealth
- Encrypted C2 channels
- Automated lateral movement
These tools demonstrate how modern threats blend ransomware profitability with espionage-grade stealth. Continuous monitoring remains critical for security teams worldwide.
Tactics, Techniques, and Procedures (TTPs) of APT16
The digital battleground has shifted toward exploiting human and technical weaknesses simultaneously. Adversaries now blend social engineering with advanced exploits to maximize initial access. Understanding these methods is critical for information security teams.
Initial Access: Exploiting Vulnerabilities
Critical flaws like CVE-2024-8963 (privilege escalation) and CVE-2024-8190 (remote execution) are weaponized within 72 hours of disclosure. Palo Alto’s PAN-OS CVE-2024-0012 was exploited in ransomware deployments, demonstrating rapid adaptation.
| CVE ID | Impact | Exploit Window |
|---|---|---|
| CVE-2024-8963 | Privilege escalation | 3 days |
| CVE-2024-8190 | Remote code execution | 2 days |
| CVE-2024-0012 | Firewall bypass | 4 days |
Lateral Movement and Data Exfiltration
Compromised Veeam servers act as pivot points, enabling attackers to harvest S3 bucket credentials. Living-off-the-land (LotL) techniques like RDP/WMI abuse reduce detection rates. On average, 2.1 TB of data is exfiltrated per incident.
- Cobalt Strike beacons observed in 37% of intrusions
- 83% of activity occurs outside business hours
- Cloud infrastructure targeted in 68% of cases
Use of ORB Networks for Infrastructure Obfuscation
Bulletproof hosting nodes (e.g., 103.248.61[.]36) mask command-and-control traffic. These networks rotate IPs every 12 hours, evading blacklists. DNS tunneling further obscures data transfers.
“ORB networks add three evasion layers: geographic dispersion, IP rotation, and encrypted payloads.”
This cyber threat landscape demands proactive patch management and behavioral analytics. Collaboration across sectors strengthens defenses against evolving vulnerabilities.
Attribution and Links to Chinese Cyberespionage
Connecting cyber campaigns to real-world entities requires careful forensic analysis. Shared tools, infrastructure, and tactics often expose ties between China-nexus actors and state interests.
Overlaps with APT15, UNC5174, and Other Groups
Code analysis reveals ShadowPad variants used by both APT16 and APT15. Mandiant also reports known infrastructure overlaps with UNC5174, a group linked to MSS contractors.
Key connections include:
- ScatterBrain obfuscation in APT41 and APT16 campaigns
- C2 server reuse across Earth Preta clusters
- Cryptocurrency payments traced to Shenzhen front companies
“60% of operators work through cutouts, blurring direct state ties.”
Role of the Ministry of State Security (MSS)
The Ministry of State Security funds operations via shell companies. Leaks confirm contractor involvement in UNC5174, also known for GOREshell deployments.
Notably, TTPs differ from North Korean groups like Lazarus. MSS-backed ops avoid destructive payloads, prioritizing stealth and data theft.
Victimology: Who Is Being Targeted by APT16?
Strategic targeting patterns reveal the precise focus of modern cyber operations. Sophisticated actors prioritize entities with high geopolitical or economic value, blending espionage with disruptive tactics.
Government Entities and Critical Infrastructure
South Asian government systems faced prolonged intrusions, with attackers dwelling undetected for 60 days. Compromised IT infrastructure enabled access to sensitive information, including defense contracts.
In ASEAN countries, 38% of attacks focused on telecom providers. These organizations were exploited to monitor communications and intercept data flows.
Cybersecurity Vendors: A High-Value Target
Recent campaigns show 22% of targets were security firms. “Breaching vendors provides access to threat intelligence and defensive tools,” explains a First Source analyst.
Attackers used THC tools to infiltrate European media organizations, altering narratives during geopolitical crises.
Global Sector Analysis
Manufacturing firms (29% of attacks) suffered supply chain compromises. Financial sector breaches targeted SWIFT-connected banks, while healthcare intrusions focused on vaccine research data.
- Media: Disinformation campaigns via compromised outlets
- Third-party vendors: 41% of attacks originated here
- Critical infrastructure: Energy grids and water systems at risk
Mitigation Strategies Against APT16 Threats
Modern cybersecurity requires proactive defense against evolving digital risks. Organizations must combine technical controls with strategic partnerships to neutralize advanced threats. Below, we outline actionable steps to detect, patch, and collaborate against persistent intrusions.
Detecting ShadowPad and PlugX Infections
Early detection hinges on behavioral analytics and tailored YARA rules. For ScatterBrain-obfuscated payloads, monitor for Base64-encoded strings and randomized API calls.
Configure EDR solutions to flag DLL sideloading, especially via Toshiba executables. The CISA advisory highlights these vulnerabilities as critical for security teams.
- Deploy network IoCs (e.g., 45.13.199[.]209) for hunting
- Isolate endpoints with unusual RDP/WMI activity
- Audit cloud credentials for unauthorized access
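As an added example that is not part of the original report, the following Python hunt script applies the indicators discussed above (the defanged C2 addresses and the toshibdpapi.dll sideload named in the PlugX section) to constructed endpoint telemetry; the trusted-directory list, the event schema and the executable name are assumptions, not values from the report.

```python
import ipaddress
from typing import Dict, List

# Network IoCs exactly as the report defangs them; they are refanged only inside the hunt.
DEFANGED_IOCS = ["45.13.199[.]209", "103.248.61[.]36"]
# DLL the report names as the PlugX sideloading vehicle.
SIDELOAD_DLL = "toshibdpapi.dll"
# Directories from which a vendor DLL would normally be loaded (assumption, not from the report).
TRUSTED_DIRS = ("c:/windows/system32/", "c:/program files/", "c:/program files (x86)/")

def refang(ioc: str) -> str:
    """Turn '45.13.199[.]209' back into a dotted quad, rejecting anything that is not an IP."""
    addr = ioc.replace("[.]", ".")
    ipaddress.ip_address(addr)  # raises ValueError on garbage
    return addr

def norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix checks."""
    return path.replace("\\", "/").lower()

def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding per event that matches a report-derived indicator."""
    c2 = {refang(i) for i in DEFANGED_IOCS}
    findings = []
    for e in events:
        if e["type"] == "network" and e["dst"] in c2:
            findings.append(f"C2 contact {e['dst']} from {e['image']}")
        elif e["type"] == "imageload":
            dll = norm(e["loaded"])
            # A vendor DLL loaded from a user-writable directory is the sideloading pattern.
            if dll.endswith("/" + SIDELOAD_DLL) and not dll.startswith(TRUSTED_DIRS):
                findings.append(f"possible sideload: {e['image']} loaded {e['loaded']}")
    return findings

# Constructed sample telemetry; toshiba_app.exe is a placeholder, not a real Toshiba binary.
SAMPLE_EVENTS = [
    {"type": "imageload", "image": "C:\\Users\\bob\\AppData\\Roaming\\upd\\toshiba_app.exe",
     "loaded": "C:\\Users\\bob\\AppData\\Roaming\\upd\\toshibdpapi.dll"},
    {"type": "imageload", "image": "C:\\Program Files\\Toshiba\\toshiba_app.exe",
     "loaded": "C:\\Program Files\\Toshiba\\toshibdpapi.dll"},
    {"type": "network", "image": "C:\\Users\\bob\\AppData\\Roaming\\upd\\toshiba_app.exe",
     "dst": "45.13.199.209"},
    {"type": "network", "image": "C:\\Windows\\System32\\svchost.exe", "dst": "198.51.100.7"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the sideload from the user-writable directory and the connection to the report's C2 address are reported; the same DLL loaded from Program Files and the benign connection are left alone.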
Best Practices for Vulnerability Patching
Prioritize patches using ANSSI’s framework, focusing on exploits like CVE-2024-8963. Critical flaws should be remediated within 72 hours of disclosure.
“Patch management is no longer linear—automate prioritization based on attacker trends.”
Hardware supply chain audits further reduce risks. Verify firmware integrity for IT logistics providers.
Collaborative Defense Measures
MSSP partnerships enhance ORB network monitoring. Share threat intelligence via ISACs to pool resources against shared adversaries.
- Enforce multi-factor authentication for all cloud services
- Adopt CISA’s security benchmarks for critical infrastructure
- Conduct red-team exercises to test detection gaps
These strategies form a resilient cybersecurity posture, blending technology with human expertise.
Conclusion: The Evolving Threat of APT16 in 2025
The last year revealed a dangerous blend of ransomware and espionage, targeting high-value data and profits. This hybrid model complicates defense strategies for organizations across industries.
Vendor risk management is now critical. Third-party breaches often serve as entry points for wider network infiltration. Expect ORB networks to expand through 2026, evading traditional detection.
AI-enhanced social engineering will escalate, mimicking trusted contacts with alarming accuracy. Collaboration between sectors—government, finance, and tech—is essential to counter these risks.
Adopt Zero Trust architectures and continuous monitoring. The threat landscape evolves rapidly, but proactive information security measures can mitigate damage.