Threat Actor Profile
High APT
Description

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)

Confidence Score: 90%
Known Aliases: Threat Group-3390, Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse, Linen Typhoon
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026

MITRE ATT&CK Techniques (57)
T1005 - Data from Local System (Collection)
T1056.001 - Keylogging (Collection)
T1074.001 - Local Data Staging (Collection)
T1074.002 - Remote Data Staging (Collection)
T1119 - Automated Collection (Collection)
T1560.002 - Archive via Library (Collection)
T1071.001 - Web Protocols (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.002 - Security Account Manager (Credential Access)
T1003.004 - LSA Secrets (Credential Access)
T1555.005 - Password Managers (Credential Access)
T1027.002 - Software Packing (Defense Evasion)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1027.015 - Compression (Defense Evasion)
T1055.012 - Process Hollowing (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1070.005 - Network Share Connection Removal (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1562.002 - Disable Windows Event Logging (Defense Evasion)
T1012 - Query Registry (Discovery)
T1016 - System Network Configuration Discovery (Discovery)
T1018 - Remote System Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1049 - System Network Connections Discovery (Discovery)
T1087.001 - Local Account (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1053.002 - At (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1203 - Exploitation for Client Execution (Execution)
T1204.002 - Malicious File (Execution)
T1030 - Data Transfer Size Limits (Exfiltration)
T1567.002 - Exfiltration to Cloud Storage (Exfiltration)
T1189 - Drive-by Compromise (Initial Access)
T1190 - Exploit Public-Facing Application (Initial Access)
T1195.002 - Compromise Software Supply Chain (Initial Access)
T1199 - Trusted Relationship (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1021.006 - Windows Remote Management (Lateral Movement)
T1210 - Exploitation of Remote Services (Lateral Movement)
T1133 - External Remote Services (Persistence)
T1505.003 - Web Shell (Persistence)
T1543.003 - Windows Service (Persistence)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1574.001 - DLL (Persistence)
T1068 - Exploitation for Privilege Escalation (Privilege Escalation)
T1548.002 - Bypass User Account Control (Privilege Escalation)
T1583.001 - Domains (Resource Development)
T1588.002 - Tool (Resource Development)
T1588.003 - Code Signing Certificates (Resource Development)
T1608.001 - Upload Malware (Resource Development)
T1608.002 - Upload Tool (Resource Development)
T1608.004 - Drive-by Target (Resource Development)
STIX Data
{'aliases': ['Threat Group-3390',
             'Earth Smilodon',
             'TG-3390',
             'Emissary Panda',
             'BRONZE UNION',
             'APT27',
             'Iron Tiger',
             'LuckyMouse',
             'Linen Typhoon'],
 'created': '2017-05-31T21:31:58.518Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Threat Group-3390](https://attack.mitre.org/groups/G0027) is '
                'a Chinese threat group that has extensively used strategic '
                'Web compromises to target victims.(Citation: Dell TG-3390) '
                'The group has been active since at least 2010 and has '
                'targeted organizations in the aerospace, government, defense, '
                'technology, energy, manufacturing and gambling/betting '
                'sectors.(Citation: SecureWorks BRONZE UNION June '
                '2017)(Citation: Securelist LuckyMouse June 2018)(Citation: '
                'Trend Micro DRBControl February 2020)',
 'external_references': [{'external_id': 'G0027',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0027'},
                         {'description': '(Citation: Dell TG-3390)(Citation: '
                                         'Hacker News LuckyMouse June 2018)',
                          'source_name': 'Threat Group-3390'},
                         {'description': '(Citation: Dell TG-3390)(Citation: '
                                         'Nccgroup Emissary Panda May '
                                         '2018)(Citation: Hacker News '
                                         'LuckyMouse June 2018)',
                          'source_name': 'TG-3390'},
                         {'description': '(Citation: Gallagher 2015)(Citation: '
                                         'Nccgroup Emissary Panda May '
                                         '2018)(Citation: Securelist '
                                         'LuckyMouse June 2018)(Citation: '
                                         'Hacker News LuckyMouse June '
                                         '2018)(Citation: Unit42 Emissary '
                                         'Panda May 2019)(Citation: Trend '
                                         'Micro Iron Tiger April 2021)',
                          'source_name': 'Emissary Panda'},
                         {'description': '(Citation: Hacker News LuckyMouse '
                                         'June 2018)(Citation: Trend Micro '
                                         'Iron Tiger April 2021)',
                          'source_name': 'Iron Tiger'},
                         {'description': '(Citation: Microsoft Naming '
                                         'Conventions Frequently Updated)',
                          'source_name': 'Linen Typhoon'},
                         {'description': '(Citation: Nccgroup Emissary Panda '
                                         'May 2018)(Citation: Securelist '
                                         'LuckyMouse June 2018)(Citation: '
                                         'Hacker News LuckyMouse June '
                                         '2018)(Citation: Trend Micro Iron '
                                         'Tiger April 2021)',
                          'source_name': 'APT27'},
                         {'description': '(Citation: Securelist LuckyMouse '
                                         'June 2018)(Citation: Hacker News '
                                         'LuckyMouse June 2018)(Citation: '
                                         'Trend Micro Iron Tiger April 2021)',
                          'source_name': 'LuckyMouse'},
                         {'description': '(Citation: SecureWorks BRONZE UNION '
                                         'June 2017)(Citation: Nccgroup '
                                         'Emissary Panda May 2018)',
                          'source_name': 'BRONZE UNION'},
                         {'description': '(Citation: Trend Micro Iron Tiger '
                                         'April 2021)',
                          'source_name': 'Earth Smilodon'},
                         {'description': 'Counter Threat Unit Research Team. '
                                         '(2017, June 27). BRONZE UNION '
                                         'Cyberespionage Persists Despite '
                                         'Disclosures. Retrieved July 13, '
                                         '2017.',
                          'source_name': 'SecureWorks BRONZE UNION June 2017',
                          'url': 'https://www.secureworks.com/research/bronze-union'},
                         {'description': 'Dell SecureWorks Counter Threat Unit '
                                         'Threat Intelligence. (2015, August '
                                         '5). Threat Group-3390 Targets '
                                         'Organizations for Cyberespionage. '
                                         'Retrieved August 18, 2018.',
                          'source_name': 'Dell TG-3390',
                          'url': 'https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage'},
                         {'description': 'Falcone, R. and Lancaster, T. (2019, '
                                         'May 28). Emissary Panda Attacks '
                                         'Middle East Government Sharepoint '
                                         'Servers. Retrieved July 9, 2019.',
                          'source_name': 'Unit42 Emissary Panda May 2019',
                          'url': 'https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/'},
                         {'description': 'Gallagher, S.. (2015, August 5). '
                                         'Newly discovered Chinese hacking '
                                         'group hacked 100+ websites to use as '
                                         '“watering holes”. Retrieved January '
                                         '25, 2016.',
                          'source_name': 'Gallagher 2015',
                          'url': 'http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/'},
                         {'description': 'Khandelwal, S. (2018, June 14). '
                                         'Chinese Hackers Carried Out '
                                         'Country-Level Watering Hole Attack. '
                                         'Retrieved August 18, 2018.',
                          'source_name': 'Hacker News LuckyMouse June 2018',
                          'url': 'https://thehackernews.com/2018/06/chinese-watering-hole-attack.html'},
                         {'description': 'Legezo, D. (2018, June 13). '
                                         'LuckyMouse hits national data center '
                                         'to organize country-level '
                                         'waterholing campaign. Retrieved '
                                         'August 18, 2018.',
                          'source_name': 'Securelist LuckyMouse June 2018',
                          'url': 'https://securelist.com/luckymouse-hits-national-data-center/86083/'},
                         {'description': 'Lunghi, D. and Lu, K. (2021, April '
                                         '9). Iron Tiger APT Updates Toolkit '
                                         'With Evolved SysUpdate Malware. '
                                         'Retrieved November 12, 2021.',
                          'source_name': 'Trend Micro Iron Tiger April 2021',
                          'url': 'https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html'},
                         {'description': 'Lunghi, D. et al. (2020, February). '
                                         'Uncovering DRBControl. Retrieved '
                                         'November 12, 2021.',
                          'source_name': 'Trend Micro DRBControl February 2020',
                          'url': 'https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf'},
                         {'description': 'Microsoft. (2025, September 8). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved September 10, 2025.',
                          'source_name': 'Microsoft Naming Conventions '
                                         'Frequently Updated',
                          'url': 'https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming'},
                         {'description': 'Pantazopoulos, N., Henry T. (2018, '
                                         'May 18). Emissary Panda – A '
                                         'potential new malicious tool. '
                                         'Retrieved June 25, 2018.',
                          'source_name': 'Nccgroup Emissary Panda May 2018',
                          'url': 'https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/'}],
 'id': 'intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c',
 'modified': '2025-10-15T20:24:59.798Z',
 'name': 'Threat Group-3390',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Daniyal Naeem, BT Security',
                          'Kyaw Pyiyt Htet, @KyawPyiytHtet'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.0'}