Threat Actor Profile
High APT
Description

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Confidence Score
90%
Known Aliases
Chimera
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

2018 (at least, per the description above; the exact start of activity is not known)

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (59)
T1039 - Data from Network Shared Drive
Collection
T1074.001 - Local Data Staging
Collection
T1074.002 - Remote Data Staging
Collection
T1114.001 - Local Email Collection
Collection
T1114.002 - Remote Email Collection
Collection
T1119 - Automated Collection
Collection
T1213.002 - Sharepoint
Collection
T1560.001 - Archive via Utility
Collection
T1071.001 - Web Protocols
Command and Control
T1071.004 - DNS
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1572 - Protocol Tunneling
Command and Control
T1003.003 - NTDS
Credential Access
T1110.003 - Password Spraying
Credential Access
T1110.004 - Credential Stuffing
Credential Access
T1111 - Multi-Factor Authentication Interception
Credential Access
T1556.001 - Domain Controller Authentication
Credential Access
T1027.010 - Command Obfuscation
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1070.001 - Clear Windows Event Logs
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1070.006 - Timestomp
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1078.002 - Domain Accounts
Defense Evasion
T1550.002 - Pass the Hash
Defense Evasion
T1007 - System Service Discovery
Discovery
T1012 - Query Registry
Discovery
T1016 - System Network Configuration Discovery
Discovery
T1018 - Remote System Discovery
Discovery
T1033 - System Owner/User Discovery
Discovery
T1046 - Network Service Discovery
Discovery
T1049 - System Network Connections Discovery
Discovery
T1057 - Process Discovery
Discovery
T1069.001 - Local Groups
Discovery
T1083 - File and Directory Discovery
Discovery
T1087.001 - Local Account
Discovery
T1087.002 - Domain Account
Discovery
T1124 - System Time Discovery
Discovery
T1135 - Network Share Discovery
Discovery
T1201 - Password Policy Discovery
Discovery
T1217 - Browser Information Discovery
Discovery
T1482 - Domain Trust Discovery
Discovery
T1680 - Local Storage Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1106 - Native API
Execution
T1569.002 - Service Execution
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1567.002 - Exfiltration to Cloud Storage
Exfiltration
T1021.001 - Remote Desktop Protocol
Lateral Movement
T1021.002 - SMB/Windows Admin Shares
Lateral Movement
T1021.006 - Windows Remote Management
Lateral Movement
T1570 - Lateral Tool Transfer
Lateral Movement
T1133 - External Remote Services
Persistence
T1574.001 - DLL
Persistence
T1589.001 - Credentials
Reconnaissance
T1588.002 - Tool
Resource Development
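The technique list above is only useful to a defender once it is in a form a tool can consume. The following script, an added example that is not part of this profile or of MITRE's own tooling, transcribes the 59 technique/tactic pairs listed above and the key fields of the STIX intrusion-set shown further down, validates the technique IDs, and emits an ATT&CK Navigator layer plus a per-tactic coverage count. The Navigator "versions" values and the colour gradient are assumptions; set them to match the Navigator build you load the layer into.

```python
"""Turn the Chimera (G0114) profile into an ATT&CK Navigator layer.

Added example, not from the original page or from MITRE. The STIX fields and
technique/tactic pairs are transcribed from the profile; the Navigator
'versions' values are assumptions.
"""
import json
import re
from collections import Counter

# Subset of the STIX 2.1 intrusion-set shown on the page (constructed copy).
CHIMERA_STIX = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c",
    "name": "Chimera",
    "aliases": ["Chimera"],
    "x_mitre_domains": ["enterprise-attack"],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0114",
         "url": "https://attack.mitre.org/groups/G0114"},
    ],
}

# Technique IDs grouped by tactic, exactly as listed in the profile above.
TECHNIQUES_BY_TACTIC = """\
Collection: T1039 T1074.001 T1074.002 T1114.001 T1114.002 T1119 T1213.002 T1560.001
Command and Control: T1071.001 T1071.004 T1105 T1572
Credential Access: T1003.003 T1110.003 T1110.004 T1111 T1556.001
Defense Evasion: T1027.010 T1036.005 T1070.001 T1070.004 T1070.006 T1078 T1078.002 T1550.002
Discovery: T1007 T1012 T1016 T1018 T1033 T1046 T1049 T1057 T1069.001 T1083 T1087.001 T1087.002 T1124 T1135 T1201 T1217 T1482 T1680
Execution: T1047 T1053.005 T1059.001 T1059.003 T1106 T1569.002
Exfiltration: T1041 T1567.002
Lateral Movement: T1021.001 T1021.002 T1021.006 T1570
Persistence: T1133 T1574.001
Reconnaissance: T1589.001
Resource Development: T1588.002
"""

# ATT&CK technique IDs: T + four digits, optional .NNN sub-technique suffix.
TECH_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def parse_techniques(text):
    """Parse 'Tactic: T1 T2 ...' lines into (technique_id, tactic) pairs."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tactic, _, ids = line.partition(":")
        for tid in ids.split():
            if not TECH_ID.match(tid):
                raise ValueError(f"malformed technique ID {tid!r}")
            pairs.append((tid, tactic.strip()))
    return pairs


def attack_group_id(stix_obj):
    """Return the ATT&CK group ID (G####) from the mitre-attack external reference."""
    for ref in stix_obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise ValueError("no mitre-attack external reference on STIX object")


def tactic_shortname(tactic):
    """Navigator expects ATT&CK tactic shortnames, e.g. 'command-and-control'."""
    return tactic.strip().lower().replace(" ", "-")


def build_layer(stix_obj, pairs, score=1):
    """Build a Navigator layer dict with one cell per (technique, tactic) pair."""
    gid = attack_group_id(stix_obj)
    domain = stix_obj.get("x_mitre_domains", ["enterprise-attack"])[0]
    return {
        "name": f"{stix_obj['name']} ({gid}) techniques",
        # Assumed version numbers; adjust to the Navigator instance in use.
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "domain": domain,
        "description": f"Techniques attributed to {stix_obj['name']} / {gid}",
        "techniques": [
            {"techniqueID": tid, "tactic": tactic_shortname(tac),
             "score": score, "comment": f"used by {gid}"}
            for tid, tac in pairs
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": score},
    }


def tactic_counts(pairs):
    """Number of listed techniques per tactic, for a quick coverage summary."""
    return Counter(tac for _, tac in pairs)


if __name__ == "__main__":
    pairs = parse_techniques(TECHNIQUES_BY_TACTIC)
    layer = build_layer(CHIMERA_STIX, pairs)
    print(json.dumps(layer, indent=2))
    for tac, n in tactic_counts(pairs).most_common():
        print(f"{n:3d}  {tac}")
```

Save the printed JSON to a file and open it in Navigator to highlight every cell the profile lists; the per-tactic counts show where the group's listed tradecraft is concentrated (Discovery alone accounts for 18 of the 59 entries), which is a reasonable first cut at where to prioritise detection coverage.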
STIX Data
{
  "type": "intrusion-set",
  "spec_version": "2.1",
  "id": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c",
  "created": "2020-08-24T17:01:55.842Z",
  "modified": "2024-09-12T19:24:40.416Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "name": "Chimera",
  "aliases": ["Chimera"],
  "description": "[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "G0114",
      "url": "https://attack.mitre.org/groups/G0114"
    },
    {
      "source_name": "Chimera",
      "description": "(Citation: NCC Group Chimera January 2021)"
    },
    {
      "source_name": "Cycraft Chimera April 2020",
      "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.",
      "url": "https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf"
    },
    {
      "source_name": "NCC Group Chimera January 2021",
      "description": "Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.",
      "url": "https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/"
    }
  ],
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "2.2"
}