Threat Actor Profile
High APT
Description

Ke3chang is a threat group attributed to actors operating out of China. Since at least 2010 it has targeted oil, government, diplomatic and military organizations, and NGOs in Central and South America, the Caribbean, Europe, and North America.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)

Confidence Score
90%
Known Aliases
Ke3chang, APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL, Nylon Typhoon
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (46)
T1005 - Data from Local System (Collection)
T1056.001 - Keylogging (Collection)
T1114.002 - Remote Email Collection (Collection)
T1119 - Automated Collection (Collection)
T1213.002 - Sharepoint (Collection)
T1560 - Archive Collected Data (Collection)
T1560.001 - Archive via Utility (Collection)
T1071.001 - Web Protocols (Command and Control)
T1071.004 - DNS (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.002 - Security Account Manager (Credential Access)
T1003.003 - NTDS (Credential Access)
T1003.004 - LSA Secrets (Credential Access)
T1558.001 - Golden Ticket (Credential Access)
T1027 - Obfuscated Files or Information (Defense Evasion)
T1036.002 - Right-to-Left Override (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1078.004 - Cloud Accounts (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1007 - System Service Discovery (Discovery)
T1016 - System Network Configuration Discovery (Discovery)
T1018 - Remote System Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1049 - System Network Connections Discovery (Discovery)
T1057 - Process Discovery (Discovery)
T1069.002 - Domain Groups (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1087.001 - Local Account (Discovery)
T1087.002 - Domain Account (Discovery)
T1614.001 - System Language Discovery (Discovery)
T1059 - Command and Scripting Interpreter (Execution)
T1059.003 - Windows Command Shell (Execution)
T1569.002 - Service Execution (Execution)
T1020 - Automated Exfiltration (Exfiltration)
T1041 - Exfiltration Over C2 Channel (Exfiltration)
T1190 - Exploit Public-Facing Application (Initial Access)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1133 - External Remote Services (Persistence)
T1543.003 - Windows Service (Persistence)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1583.005 - Botnet (Resource Development)
T1587.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['Ke3chang',
             'APT15',
             'Mirage',
             'Vixen Panda',
             'GREF',
             'Playful Dragon',
             'RoyalAPT',
             'NICKEL',
             'Nylon Typhoon'],
 'created': '2017-05-31T21:31:47.177Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat '
                'group attributed to actors operating out of China. '
                '[Ke3chang](https://attack.mitre.org/groups/G0004) has '
                'targeted oil, government, diplomatic, military, and NGOs in '
                'Central and South America, the Caribbean, Europe, and North '
                'America since at least 2010.(Citation: Mandiant Operation '
                'Ke3chang November 2014)(Citation: NCC Group APT15 Alive and '
                'Strong)(Citation: APT15 Intezer June 2018)(Citation: '
                'Microsoft NICKEL December 2021)',
 'external_references': [{'external_id': 'G0004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0004'},
                         {'description': '(Citation: APT15 Intezer June 2018)',
                          'source_name': 'RoyalAPT'},
                         {'description': '(Citation: Microsoft NICKEL December '
                                         '2021)',
                          'source_name': 'NICKEL'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Nylon Typhoon'},
                         {'description': '(Citation: NCC Group APT15 Alive and '
                                         'Strong)',
                          'source_name': 'APT15'},
                         {'description': '(Citation: NCC Group APT15 Alive and '
                                         'Strong)',
                          'source_name': 'Mirage'},
                         {'description': '(Citation: NCC Group APT15 Alive and '
                                         'Strong)',
                          'source_name': 'GREF'},
                         {'description': '(Citation: NCC Group APT15 Alive and '
                                         'Strong)(Citation: APT15 Intezer June '
                                         '2018)',
                          'source_name': 'Vixen Panda'},
                         {'description': '(Citation: NCC Group APT15 Alive and '
                                         'Strong)(Citation: APT15 Intezer June '
                                         '2018)',
                          'source_name': 'Playful Dragon'},
                         {'description': '(Citation: Villeneuve et al 2014) '
                                         '(Citation: NCC Group APT15 Alive and '
                                         'Strong) (Citation: APT15 Intezer '
                                         'June 2018)',
                          'source_name': 'Ke3chang'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'MSTIC. (2021, December 6). NICKEL '
                                         'targeting government organizations '
                                         'across Latin America and Europe. '
                                         'Retrieved March 18, 2022.',
                          'source_name': 'Microsoft NICKEL December 2021',
                          'url': 'https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe'},
                         {'description': 'Rosenberg, J. (2018, June 14). '
                                         'MirageFox: APT15 Resurfaces With New '
                                         'Tools Based On Old Ones. Retrieved '
                                         'September 21, 2018.',
                          'source_name': 'APT15 Intezer June 2018',
                          'url': 'https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/'},
                         {'description': 'Smallridge, R. (2018, March 10). '
                                         'APT15 is alive and strong: An '
                                         'analysis of RoyalCli and RoyalDNS. '
                                         'Retrieved April 4, 2018.',
                          'source_name': 'NCC Group APT15 Alive and Strong',
                          'url': 'https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/'},
                         {'description': 'Villeneuve, N., Bennett, J. T., '
                                         'Moran, N., Haq, T., Scott, M., & '
                                         'Geers, K. (2014). OPERATION '
                                         '“KE3CHANG”: Targeted Attacks Against '
                                         'Ministries of Foreign Affairs. '
                                         'Retrieved November 12, 2014.',
                          'source_name': 'Mandiant Operation Ke3chang November '
                                         '2014',
                          'url': 'https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs'},
                         {'description': 'Villeneuve, N., Bennett, J. T., '
                                         'Moran, N., Haq, T., Scott, M., & '
                                         'Geers, K. (2014). OPERATION '
                                         '“KE3CHANG”: Targeted Attacks Against '
                                         'Ministries of Foreign Affairs. '
                                         'Retrieved November 12, 2014.',
                          'source_name': 'Villeneuve et al 2014',
                          'url': 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf'}],
 'id': 'intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c',
 'modified': '2025-04-04T17:08:55.617Z',
 'name': 'Ke3chang',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Pooja Natarajan, NEC Corporation India',
                          'Manikantan Srinivasan, NEC Corporation India',
                          'Hiroki Nagahama, NEC Corporation'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.1'}
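The STIX object above records its sourcing indirectly: each alias entry in `external_references` carries "(Citation: key)" tokens in its `description`, and a separate entry whose `source_name` equals that key carries the `url` of the report. The Python script below is an added example, not part of this page's tooling or of MITRE's own libraries; it resolves that chain over a trimmed, constructed copy of the G0004 object (timestamps, markings and `x_mitre_*` fields dropped, URLs as shown above; the function names are my own) and reports any citation key that never resolves to a URL, which is the check worth running before trusting an alias mapping pulled from a STIX bundle.

```python
"""Resolve the citation chain inside an ATT&CK STIX 2.1 intrusion-set object.

ATT&CK packs two kinds of entries into `external_references`:
  * alias entries: `source_name` is an alias (e.g. "APT15") and `description`
    holds "(Citation: <key>)" tokens naming the reports that use that alias;
  * reference entries: `source_name` is the citation key and `url` is the report.
The functions below join the two so an analyst can see which primary source
backs each alias, and flag citation keys that do not resolve to a URL.
"""
import copy
import re

CITATION_RE = re.compile(r"\(Citation:\s*([^)]+?)\s*\)")

# Constructed sample: a trimmed copy of the G0004 (Ke3chang) object on the page.
SAMPLE_INTRUSION_SET = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c",
    "name": "Ke3chang",
    "aliases": ["Ke3chang", "APT15", "Mirage", "Vixen Panda", "GREF",
                "Playful Dragon", "RoyalAPT", "NICKEL", "Nylon Typhoon"],
    "description": ("[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group "
                    "attributed to actors operating out of China."
                    "(Citation: Mandiant Operation Ke3chang November 2014)"
                    "(Citation: NCC Group APT15 Alive and Strong)"
                    "(Citation: APT15 Intezer June 2018)"
                    "(Citation: Microsoft NICKEL December 2021)"),
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0004", "url": "https://attack.mitre.org/groups/G0004"},
        {"source_name": "RoyalAPT", "description": "(Citation: APT15 Intezer June 2018)"},
        {"source_name": "NICKEL", "description": "(Citation: Microsoft NICKEL December 2021)"},
        {"source_name": "Nylon Typhoon", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"},
        {"source_name": "APT15", "description": "(Citation: NCC Group APT15 Alive and Strong)"},
        {"source_name": "Mirage", "description": "(Citation: NCC Group APT15 Alive and Strong)"},
        {"source_name": "GREF", "description": "(Citation: NCC Group APT15 Alive and Strong)"},
        {"source_name": "Vixen Panda", "description": "(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)"},
        {"source_name": "Playful Dragon", "description": "(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)"},
        {"source_name": "Ke3chang", "description": "(Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)"},
        {"source_name": "Microsoft Threat Actor Naming July 2023", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},
        {"source_name": "Microsoft NICKEL December 2021", "url": "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe"},
        {"source_name": "APT15 Intezer June 2018", "url": "https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"},
        {"source_name": "NCC Group APT15 Alive and Strong", "url": "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"},
        {"source_name": "Mandiant Operation Ke3chang November 2014", "url": "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs"},
        {"source_name": "Villeneuve et al 2014", "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"},
    ],
}


def citation_keys(text):
    """Return the citation keys named in a description string, in order of appearance."""
    return CITATION_RE.findall(text or "")


def reference_urls(obj):
    """Map citation key -> URL for every reference entry that carries a URL.
    The `mitre-attack` entry is the catalog link for the external_id, not a citation."""
    return {r["source_name"]: r["url"]
            for r in obj.get("external_references", [])
            if "url" in r and r["source_name"] != "mitre-attack"}


def alias_entries(obj):
    """The external_reference entries that document where an alias comes from."""
    aliases = set(obj.get("aliases", []))
    return [r for r in obj.get("external_references", []) if r["source_name"] in aliases]


def alias_sources(obj):
    """Map each alias -> sorted URLs of the reports that use that alias."""
    urls = reference_urls(obj)
    return {r["source_name"]: sorted({urls[k] for k in citation_keys(r.get("description")) if k in urls})
            for r in alias_entries(obj)}


def check_citations(obj):
    """Citation keys (from the object description and the alias entries) with no URL-bearing reference."""
    urls = reference_urls(obj)
    texts = [obj.get("description", "")] + [r.get("description", "") for r in alias_entries(obj)]
    dangling = []
    for text in texts:
        for key in citation_keys(text):
            if key not in urls and key not in dangling:
                dangling.append(key)
    return dangling


def missing_alias_entries(obj):
    """Aliases listed in `aliases` that have no external_reference entry explaining the name."""
    named = {r["source_name"] for r in obj.get("external_references", [])}
    return [a for a in obj.get("aliases", []) if a not in named]


def without_reference(obj, source_name):
    """Deep copy of obj with one external_reference removed; used to exercise the checks."""
    new = copy.deepcopy(obj)
    new["external_references"] = [r for r in new["external_references"] if r["source_name"] != source_name]
    return new


if __name__ == "__main__":
    for alias, urls in alias_sources(SAMPLE_INTRUSION_SET).items():
        print(f"{alias}: {len(urls)} source(s)")
    print("dangling citations:", check_citations(SAMPLE_INTRUSION_SET))
    print("aliases without an entry:", missing_alias_entries(SAMPLE_INTRUSION_SET))
```

On the page's own data every citation resolves and every alias has an entry. Note that the object carries the same 2014 FireEye/Mandiant paper under two keys and two URLs ("Mandiant Operation Ke3chang November 2014" in the description, "Villeneuve et al 2014" on the Ke3chang alias); the script keys on `source_name` only and does not merge them, so a de-duplicated bibliography needs a second pass on title or DOI.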