Threat Actor Profile
Description
APT5 is a China-based espionage actor that has been active since at least 2007, primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software, including through the use of zero-day exploits. (Citation: NSA APT5 Citrix Threat Hunting December 2022) (Citation: Microsoft East Asia Threats September 2023) (Citation: Mandiant Pulse Secure Zero-Day April 2021) (Citation: Mandiant Pulse Secure Update May 2021) (Citation: FireEye Southeast Asia Threat Landscape March 2015) (Citation: Mandiant Advanced Persistent Threats)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (29)
STIX Data
{'aliases': ['APT5',
'Mulberry Typhoon',
'MANGANESE',
'BRONZE FLEETWOOD',
'Keyhole Panda',
'UNC2630'],
'created': '2024-02-05T19:27:35.655Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[APT5](https://attack.mitre.org/groups/G1023) is a '
'China-based espionage actor that has been active since at '
'least 2007 primarily targeting the telecommunications, '
'aerospace, and defense industries throughout the U.S., '
'Europe, and Asia. '
'[APT5](https://attack.mitre.org/groups/G1023) has displayed '
'advanced tradecraft and significant interest in compromising '
'networking devices and their underlying software including '
'through the use of zero-day exploits.(Citation: NSA APT5 '
'Citrix Threat Hunting December 2022)(Citation: Microsoft East '
'Asia Threats September 2023)(Citation: Mandiant Pulse Secure '
'Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update '
'May 2021)(Citation: FireEye Southeast Asia Threat Landscape '
'March 2015)(Citation: Mandiant Advanced Persistent Threats) ',
'external_references': [{'external_id': 'G1023',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G1023'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)(Citation: '
'Microsoft East Asia Threats '
'September 2023)',
'source_name': 'Mulberry Typhoon'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)(Citation: NSA APT5 '
'Citrix Threat Hunting December 2022)',
'source_name': 'MANGANESE'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)(Citation: '
'Secureworks BRONZE FLEETWOOD '
'Profile)',
'source_name': 'Keyhole Panda'},
{'description': '(Citation: NSA APT5 Citrix Threat '
'Hunting December 2022)',
'source_name': 'UNC2630'},
{'description': '(Citation: Secureworks BRONZE '
'FLEETWOOD Profile)',
'source_name': 'BRONZE FLEETWOOD'},
{'description': 'FireEye. (2015, March). SOUTHEAST '
'ASIA: AN EVOLVING CYBER THREAT '
'LANDSCAPE. Retrieved February 5, '
'2024.',
'source_name': 'FireEye Southeast Asia Threat '
'Landscape March 2015',
'url': 'https://web.archive.org/web/20220122121143/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf'},
{'description': 'Mandiant. (n.d.). Advanced '
'Persistent Threats (APTs). Retrieved '
'February 14, 2024.',
'source_name': 'Mandiant Advanced Persistent Threats',
'url': 'https://www.mandiant.com/resources/insights/apt-groups'},
{'description': 'Microsoft . (2023, July 12). How '
'Microsoft names threat actors. '
'Retrieved November 17, 2023.',
'source_name': 'Microsoft Threat Actor Naming July '
'2023',
'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
{'description': 'Microsoft Threat Intelligence. '
'(2023, September). Digital threats '
'from East Asia increase in breadth '
'and effectiveness. Retrieved '
'February 5, 2024.',
'source_name': 'Microsoft East Asia Threats '
'September 2023',
'url': 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW'},
{'description': 'National Security Agency. (2022, '
'December). APT5: Citrix ADC Threat '
'Hunting Guidance. Retrieved February '
'5, 2024.',
'source_name': 'NSA APT5 Citrix Threat Hunting '
'December 2022',
'url': 'https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF'},
{'description': 'Perez, D. et al. (2021, April 20). '
'Check Your Pulse: Suspected APT '
'Actors Leverage Authentication '
'Bypass Techniques and Pulse Secure '
'Zero-Day. Retrieved February 5, '
'2024.',
'source_name': 'Mandiant Pulse Secure Zero-Day April '
'2021',
'url': 'https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day'},
{'description': 'Perez, D. et al. (2021, May 27). '
'Re-Checking Your Pulse: Updates on '
'Chinese APT Actors Compromising '
'Pulse Secure VPN Devices. Retrieved '
'February 5, 2024.',
'source_name': 'Mandiant Pulse Secure Update May '
'2021',
'url': 'https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices'},
{'description': 'Secureworks CTU. (n.d.). BRONZE '
'FLEETWOOD. Retrieved February 5, '
'2024.',
'source_name': 'Secureworks BRONZE FLEETWOOD Profile',
'url': 'https://www.secureworks.com/research/threat-profiles/bronze-fleetwood'}],
'id': 'intrusion-set--c1aab4c9-4c34-4f4f-8541-d529e46a07f9',
'modified': '2025-04-04T17:08:23.100Z',
'name': 'APT5',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['@_montysecurity'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '1.1'}