Threat Actor Profile
High APT
Description

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (40)
Collection
  T1005 - Data from Local System
  T1056 - Input Capture
  T1074 - Data Staged
  T1560 - Archive Collected Data
Command and Control
  T1090 - Proxy
  T1095 - Non-Application Layer Protocol
  T1104 - Multi-Stage Channels
  T1105 - Ingress Tool Transfer
Credential Access
  T1003 - OS Credential Dumping
  T1110 - Brute Force
  T1552 - Unsecured Credentials
  T1555 - Credentials from Password Stores
Defense Evasion
  T1027 - Obfuscated Files or Information
  T1036 - Masquerading
  T1070 - Indicator Removal
  T1078 - Valid Accounts
  T1218 - System Binary Proxy Execution
  T1564 - Hide Artifacts
Discovery
  T1016 - System Network Configuration Discovery
  T1018 - Remote System Discovery
  T1033 - System Owner/User Discovery
  T1049 - System Network Connections Discovery
  T1057 - Process Discovery
  T1069 - Permission Groups Discovery
  T1082 - System Information Discovery
  T1083 - File and Directory Discovery
  T1087 - Account Discovery
Execution
  T1053 - Scheduled Task/Job
  T1059 - Command and Scripting Interpreter
  T1203 - Exploitation for Client Execution
  T1204 - User Execution
Exfiltration
  T1041 - Exfiltration Over C2 Channel
Initial Access
  T1566 - Phishing
Lateral Movement
  T1021 - Remote Services
Persistence
  T1098 - Account Manipulation
  T1136 - Create Account
  T1543 - Create or Modify System Process
  T1547 - Boot or Logon Autostart Execution
  T1574 - Hijack Execution Flow
Privilege Escalation
  T1546 - Event Triggered Execution
STIX Data
{'aliases': [],
 'description': 'APT3is a China-based threat group that researchers have '
                "attributed to China's Ministry of State Security.[1][2]This "
                'group is responsible for the campaigns known as Operation '
                'Clandestine Fox, Operation Clandestine Wolf, and Operation '
                'Double Tap.[1][3]As of June 2015, the group appears to have '
                'shifted from targeting primarily US victims to primarily '
                'political organizations in Hong Kong.[4]',
 'external_references': [{'external_id': 'G0022',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0022/'}],
 'id': 'threat-actor--G0022',
 'metadata': {'crawled_at': '2026-04-29T14:32:43.044364+00:00',
              'mitre_group_id': 'G0022',
              'page_title': 'APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, '
                            'Threat Group-0110, TG-0110, Group G0022 | MITRE '
                            'ATT&CK®'},
 'name': 'APT3',
 'type': 'threat-actor'}