Threat Actor Profile
Description
Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (19)
STIX Data
{'aliases': ['Cinnamon Tempest',
'DEV-0401',
'Emperor Dragonfly',
'BRONZE STARLIGHT'],
'created': '2023-12-06T19:53:04.988Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is '
'a China-based threat group that has been active since at '
'least 2021 deploying multiple strains of ransomware based on '
'the leaked [Babuk](https://attack.mitre.org/software/S0638) '
'source code. [Cinnamon '
'Tempest](https://attack.mitre.org/groups/G1021) does not '
'operate their ransomware on an affiliate model or purchase '
'access but appears to act independently in all stages of the '
'attack lifecycle. Based on victimology, the short lifespan of '
'each ransomware variant, and use of malware attributed to '
'government-sponsored threat groups, [Cinnamon '
'Tempest](https://attack.mitre.org/groups/G1021) may be '
'motivated by intellectual property theft or cyberespionage '
'rather than financial gain.(Citation: Microsoft Ransomware as '
'a Service)(Citation: Microsoft Threat Actor Naming July '
'2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: '
'SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)',
'external_references': [{'external_id': 'G1021',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G1021'},
{'description': '(Citation: Dell SecureWorks BRONZE '
'STARLIGHT Profile)',
'source_name': 'BRONZE STARLIGHT'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'DEV-0401'},
{'description': '(Citation: Sygnia Emperor Dragonfly '
'October 2022)',
'source_name': 'Emperor Dragonfly'},
{'description': 'Biderman, O. et al. (2022, October '
'3). REVEALING EMPEROR DRAGONFLY: '
'NIGHT SKY AND CHEERSCRYPT - A SINGLE '
'RANSOMWARE GROUP. Retrieved December '
'6, 2023.',
'source_name': 'Sygnia Emperor Dragonfly October '
'2022',
'url': 'https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group'},
{'description': 'Counter Threat Unit Research Team . '
'(2022, June 23). BRONZE STARLIGHT '
'RANSOMWARE OPERATIONS USE HUI '
'LOADER. Retrieved December 7, 2023.',
'source_name': 'SecureWorks BRONZE STARLIGHT '
'Ransomware Operations June 2022',
'url': 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader'},
{'description': 'Dela Cruz, A. et al. (2022, May 25). '
'New Linux-Based Ransomware '
'Cheerscrypt Targeting ESXi Devices '
'Linked to Leaked Babuk Source Code. '
'Retrieved December 19, 2023.',
'source_name': 'Trend Micro Cheerscrypt May 2022',
'url': 'https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html'},
{'description': 'Microsoft . (2023, July 12). How '
'Microsoft names threat actors. '
'Retrieved November 17, 2023.',
'source_name': 'Microsoft Threat Actor Naming July '
'2023',
'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
{'description': 'Microsoft. (2022, May 9). Ransomware '
'as a service: Understanding the '
'cybercrime gig economy and how to '
'protect yourself. Retrieved March '
'10, 2023.',
'source_name': 'Microsoft Ransomware as a Service',
'url': 'https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'},
{'description': 'SecureWorks. (n.d.). BRONZE '
'STARLIGHT. Retrieved December 6, '
'2023.',
'source_name': 'Dell SecureWorks BRONZE STARLIGHT '
'Profile',
'url': 'https://www.secureworks.com/research/threat-profiles/bronze-starlight'}],
'id': 'intrusion-set--8b1e16f6-e7c8-4b7a-a5df-f81232c13e2f',
'modified': '2024-04-04T23:27:22.311Z',
'name': 'Cinnamon Tempest',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '1.0'}