Threat Actor Profile
High APT

Description
Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)

Confidence Score
90%

Known Aliases
Suckfly

Tags
mitre-attack stix-2.1 intrusion-set

First Seen
Unknown

Last Updated
Unknown

Active Status
Active

Created
April 29, 2026

MITRE ATT&CK Techniques (5)
T1003 - OS Credential Dumping
Credential Access
T1078 - Valid Accounts
Defense Evasion
T1553.002 - Code Signing
Defense Evasion
T1046 - Network Service Discovery
Discovery
T1059.003 - Windows Command Shell
Execution
STIX Data
{
  "aliases": ["Suckfly"],
  "created": "2017-05-31T21:32:06.777Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)",
  "external_references": [
    {
      "external_id": "G0039",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0039"
    },
    {
      "description": "(Citation: Symantec Suckfly March 2016) (Citation: Symantec Suckfly May 2016)",
      "source_name": "Suckfly"
    },
    {
      "description": "DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.",
      "source_name": "Symantec Suckfly March 2016",
      "url": "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
    },
    {
      "description": "DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.",
      "source_name": "Symantec Suckfly May 2016",
      "url": "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks"
    }
  ],
  "id": "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d",
  "modified": "2025-04-16T20:37:33.565Z",
  "name": "Suckfly",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.1"
}