Threat Actor Profile
High APT
Description

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018) menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

Confidence Score
90%
Known Aliases
menuPass Cicada POTASSIUM Stone Panda APT10 Red Apollo CVNX HOGFISH BRONZE RIVERSIDE
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (46)
T1005 - Data from Local System
Collection
T1039 - Data from Network Shared Drive
Collection
T1056.001 - Keylogging
Collection
T1074.001 - Local Data Staging
Collection
T1074.002 - Remote Data Staging
Collection
T1119 - Automated Collection
Collection
T1560 - Archive Collected Data
Collection
T1560.001 - Archive via Utility
Collection
T1090.002 - External Proxy
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1568.001 - Fast Flux DNS
Command and Control
T1003.002 - Security Account Manager
Credential Access
T1003.003 - NTDS
Credential Access
T1003.004 - LSA Secrets
Credential Access
T1027.013 - Encrypted/Encoded File
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1036.003 - Rename Legitimate Utilities
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1055.012 - Process Hollowing
Defense Evasion
T1070.003 - Clear Command History
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1218.004 - InstallUtil
Defense Evasion
T1553.002 - Code Signing
Defense Evasion
T1016 - System Network Configuration Discovery
Discovery
T1018 - Remote System Discovery
Discovery
T1046 - Network Service Discovery
Discovery
T1049 - System Network Connections Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1087.002 - Domain Account
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1106 - Native API
Execution
T1204.002 - Malicious File
Execution
T1190 - Exploit Public-Facing Application
Initial Access
T1199 - Trusted Relationship
Initial Access
T1566.001 - Spearphishing Attachment
Initial Access
T1021.001 - Remote Desktop Protocol
Lateral Movement
T1021.004 - SSH
Lateral Movement
T1210 - Exploitation of Remote Services
Lateral Movement
T1574.001 - DLL
Persistence
T1583.001 - Domains
Resource Development
T1588.002 - Tool
Resource Development
STIX Data
{'aliases': ['menuPass',
             'Cicada',
             'POTASSIUM',
             'Stone Panda',
             'APT10',
             'Red Apollo',
             'CVNX',
             'HOGFISH',
             'BRONZE RIVERSIDE'],
 'created': '2017-05-31T21:32:09.054Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[menuPass](https://attack.mitre.org/groups/G0045) is a threat '
                'group that has been active since at least 2006. Individual '
                'members of [menuPass](https://attack.mitre.org/groups/G0045) '
                'are known to have acted in association with the Chinese '
                "Ministry of State Security's (MSS) Tianjin State Security "
                'Bureau and worked for the Huaying Haitai Science and '
                'Technology Development Company.(Citation: DOJ APT10 Dec '
                '2018)(Citation: District Court of NY APT10 Indictment '
                'December 2018)\n'
                '\n'
                '[menuPass](https://attack.mitre.org/groups/G0045) has '
                'targeted healthcare, defense, aerospace, finance, maritime, '
                'biotechnology, energy, and government sectors globally, with '
                'an emphasis on Japanese organizations. In 2016 and 2017, the '
                'group is known to have targeted managed IT service providers '
                '(MSPs), manufacturing and mining companies, and a '
                'university.(Citation: Palo Alto menuPass Feb 2017)(Citation: '
                'Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison '
                'Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye '
                'APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: '
                'District Court of NY APT10 Indictment December 2018)',
 'external_references': [{'external_id': 'G0045',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0045'},
                         {'description': '(Citation: Accenture Hogfish April '
                                         '2018)',
                          'source_name': 'HOGFISH'},
                         {'description': '(Citation: DOJ APT10 Dec '
                                         '2018)(Citation: District Court of NY '
                                         'APT10 Indictment December 2018)',
                          'source_name': 'POTASSIUM'},
                         {'description': '(Citation: Palo Alto menuPass Feb '
                                         '2017)(Citation: Accenture Hogfish '
                                         'April 2018)(Citation: DOJ APT10 Dec '
                                         '2018)(Citation: District Court of NY '
                                         'APT10 Indictment December '
                                         '2018)(Citation: Symantec Cicada '
                                         'November 2020)',
                          'source_name': 'Stone Panda'},
                         {'description': '(Citation: Palo Alto menuPass Feb '
                                         '2017)(Citation: Accenture Hogfish '
                                         'April 2018)(Citation: FireEye APT10 '
                                         'Sept 2018)(Citation: DOJ APT10 Dec '
                                         '2018)(Citation: Symantec Cicada '
                                         'November 2020)',
                          'source_name': 'APT10'},
                         {'description': '(Citation: Palo Alto menuPass Feb '
                                         '2017)(Citation: DOJ APT10 Dec '
                                         '2018)(Citation: District Court of NY '
                                         'APT10 Indictment December 2018)',
                          'source_name': 'menuPass'},
                         {'description': '(Citation: PWC Cloud Hopper April '
                                         '2017)(Citation: DOJ APT10 Dec '
                                         '2018)(Citation: District Court of NY '
                                         'APT10 Indictment December 2018)',
                          'source_name': 'Red Apollo'},
                         {'description': '(Citation: PWC Cloud Hopper April '
                                         '2017)(Citation: DOJ APT10 Dec '
                                         '2018)(Citation: District Court of NY '
                                         'APT10 Indictment December 2018)',
                          'source_name': 'CVNX'},
                         {'description': '(Citation: SecureWorks BRONZE '
                                         'STARLIGHT Ransomware Operations June '
                                         '2022)',
                          'source_name': 'BRONZE RIVERSIDE'},
                         {'description': '(Citation: Symantec Cicada November '
                                         '2020)',
                          'source_name': 'Cicada'},
                         {'description': 'Accenture Security. (2018, April '
                                         '23). Hogfish Redleaves Campaign. '
                                         'Retrieved July 2, 2018.',
                          'source_name': 'Accenture Hogfish April 2018',
                          'url': 'http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf'},
                         {'description': 'Counter Threat Unit Research Team . '
                                         '(2022, June 23). BRONZE STARLIGHT '
                                         'RANSOMWARE OPERATIONS USE HUI '
                                         'LOADER. Retrieved December 7, 2023.',
                          'source_name': 'SecureWorks BRONZE STARLIGHT '
                                         'Ransomware Operations June 2022',
                          'url': 'https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader'},
                         {'description': 'Crowdstrike. (2013, October 16). '
                                         'CrowdCasts Monthly: You Have an '
                                         'Adversary Problem. Retrieved '
                                         'November 17, 2024.',
                          'source_name': 'Crowdstrike CrowdCast Oct 2013',
                          'url': 'https://www.slideshare.net/slideshow/crowd-casts-monthly-you-have-an-adversary-problem/27262315'},
                         {'description': 'FireEye iSIGHT Intelligence. (2017, '
                                         'April 6). APT10 (MenuPass Group): '
                                         'New Tools, Global Campaign Latest '
                                         'Manifestation of Longstanding '
                                         'Threat. Retrieved June 29, 2017.',
                          'source_name': 'FireEye APT10 April 2017',
                          'url': 'https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html'},
                         {'description': 'FireEye. (2014). POISON IVY: '
                                         'Assessing Damage and Extracting '
                                         'Intelligence. Retrieved September '
                                         '19, 2024.',
                          'source_name': 'FireEye Poison Ivy',
                          'url': 'https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf'},
                         {'description': 'Matsuda, A., Muhammad I. (2018, '
                                         'September 13). APT10 Targeting '
                                         'Japanese Corporations Using Updated '
                                         'TTPs. Retrieved September 17, 2018.',
                          'source_name': 'FireEye APT10 Sept 2018',
                          'url': 'https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html'},
                         {'description': 'Miller-Osborn, J. and Grunzweig, J.. '
                                         '(2017, February 16). menuPass '
                                         'Returns with New Malware and New '
                                         'Attacks Against Japanese Academics '
                                         'and Organizations. Retrieved March '
                                         '1, 2017.',
                          'source_name': 'Palo Alto menuPass Feb 2017',
                          'url': 'http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/'},
                         {'description': 'PwC and BAE Systems. (2017, April). '
                                         'Operation Cloud Hopper. Retrieved '
                                         'April 5, 2017.',
                          'source_name': 'PWC Cloud Hopper April 2017',
                          'url': 'https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf'},
                         {'description': 'Symantec. (2020, November 17). '
                                         'Japan-Linked Organizations Targeted '
                                         'in Long-Running and Sophisticated '
                                         'Attack Campaign. Retrieved December '
                                         '17, 2020.',
                          'source_name': 'Symantec Cicada November 2020',
                          'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage'},
                         {'description': 'United States District Court '
                                         'Southern District of New York (USDC '
                                         'SDNY) . (2018, December 17). United '
                                         'States of America v. Zhu Hua and '
                                         'Zhang Shilong. Retrieved April 17, '
                                         '2019.',
                          'source_name': 'DOJ APT10 Dec 2018',
                          'url': 'https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion'},
                         {'description': 'US District Court Southern District '
                                         'of New York. (2018, December 17). '
                                         'United States v. Zhu Hua Indictment. '
                                         'Retrieved December 17, 2020.',
                          'source_name': 'District Court of NY APT10 '
                                         'Indictment December 2018',
                          'url': 'https://www.justice.gov/opa/page/file/1122671/download'}],
 'id': 'intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f',
 'modified': '2024-11-17T23:19:12.450Z',
 'name': 'menuPass',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Edward Millington', 'Michael Cox'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.0'}