Threat Actor Profile
Description
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living-off-the-land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (14)
STIX Data
{'aliases': ['BlackTech', 'Palmerworm'],
'created': '2020-05-05T18:36:45.970Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[BlackTech](https://attack.mitre.org/groups/G0098) is a '
'suspected Chinese cyber espionage group that has primarily '
'targeted organizations in East Asia--particularly Taiwan, '
'Japan, and Hong Kong--and the US since at least 2013. '
'[BlackTech](https://attack.mitre.org/groups/G0098) has used a '
'combination of custom malware, dual-use tools, and living off '
'the land tactics to compromise media, construction, '
'engineering, electronics, and financial company '
'networks.(Citation: TrendMicro BlackTech June 2017)(Citation: '
'Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan '
'BlackTech August 2020)',
'external_references': [{'external_id': 'G0098',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0098'},
{'description': '(Citation: Symantec Palmerworm Sep '
'2020)(Citation: IronNet BlackTech '
'Oct 2021)',
'source_name': 'Palmerworm'},
{'description': 'Bermejo, L., et al. (2017, June 22). '
'Following the Trail of BlackTech’s '
'Cyber Espionage Campaigns. Retrieved '
'May 5, 2020.',
'source_name': 'TrendMicro BlackTech June 2017',
'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/'},
{'description': 'Demboski, M., et al. (2021, October '
'26). China cyber attacks: the '
'current threat landscape. Retrieved '
'March 25, 2022.',
'source_name': 'IronNet BlackTech Oct 2021',
'url': 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape'},
{'description': 'Lee, Y. (2020, August 19). Taiwan '
'says China behind cyberattacks on '
'government agencies, emails. '
'Retrieved April 6, 2022.',
'source_name': 'Reuters Taiwan BlackTech August 2020',
'url': 'https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK'},
{'description': 'Threat Intelligence. (2020, '
'September 29). Palmerworm: Espionage '
'Gang Targets the Media, Finance, and '
'Other Sectors. Retrieved March 25, '
'2022.',
'source_name': 'Symantec Palmerworm Sep 2020',
'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt'}],
'id': 'intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8',
'modified': '2025-04-25T19:03:07.787Z',
'name': 'BlackTech',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Tatsuya Daitoku, Cyber Defense Institute, Inc.',
'Hannah S'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '2.0'}