Threat Actor Profile
Description
Operation Wocao described activities carried out by a China-based cyber espionage adversary. Operation Wocao targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. Operation Wocao used similar TTPs and tools to APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'aliases': ['Operation Wocao'],
'created': '2020-11-17T20:33:44.273Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Operation Wocao](https://attack.mitre.org/groups/G0116) '
'described activities carried out by a China-based cyber '
'espionage adversary. [Operation '
'Wocao](https://attack.mitre.org/groups/G0116) targeted '
'entities within the government, managed service providers, '
'energy, health care, and technology sectors across several '
'countries, including China, France, Germany, the United '
'Kingdom, and the United States. [Operation '
'Wocao](https://attack.mitre.org/groups/G0116) used similar '
'TTPs and tools to APT20, suggesting a possible '
'overlap.(Citation: FoxIT Wocao December 2019)',
'external_references': [{'external_id': 'G0116',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0116'},
{'description': '(Citation: FoxIT Wocao December '
'2019)',
'source_name': 'Operation Wocao'},
{'description': 'Dantzig, M. v., Schamper, E. (2019, '
'December 19). Operation Wocao: '
'Shining a light on one of China’s '
'hidden hacking groups. Retrieved '
'October 8, 2020.',
'source_name': 'FoxIT Wocao December 2019',
'url': 'https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf'}],
'id': 'intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871',
'modified': '2025-04-18T17:59:27.086Z',
'name': 'Operation Wocao',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Erik Schamper, @Schamperr, Fox-IT',
'Maarten van Dantzig, @MaartenVDantzig, Fox-IT'],
'x_mitre_deprecated': True,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '1.0'}