Threat Actor Profile
High APT
Description

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms.[1] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.[2][3][4]

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (18)
T1071 - Application Layer Protocol
Command and Control
T1132 - Data Encoding
Command and Control
T1027 - Obfuscated Files or Information
Defense Evasion
T1112 - Modify Registry
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1218 - System Binary Proxy Execution
Defense Evasion
T1564 - Hide Artifacts
Defense Evasion
T1016 - System Network Configuration Discovery
Discovery
T1033 - System Owner/User Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1059 - Command and Scripting Interpreter
Execution
T1204 - User Execution
Execution
T1189 - Drive-by Compromise
Initial Access
T1566 - Phishing
Initial Access
T1543 - Create or Modify System Process
Persistence
T1547 - Boot or Logon Autostart Execution
Persistence
T1574 - Hijack Execution Flow
Persistence
T1588 - Obtain Capabilities
Resource Development
STIX Data
{'aliases': [],
 'description': 'APT19is a Chinese-based threat group that has targeted a '
                'variety of industries, including defense, finance, energy, '
                'pharmaceutical, telecommunications, high tech, education, '
                'manufacturing, and legal services. In 2017, a phishing '
                'campaign was used to target seven law and investment '
                'firms.[1]Some analysts trackAPT19andDeep Pandaas the same '
                'group, but it is unclear from open source information if the '
                'groups are the same.[2][3][4]',
 'external_references': [{'external_id': 'G0073',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0073/'}],
 'id': 'threat-actor--G0073',
 'metadata': {'crawled_at': '2026-04-29T14:32:38.496632+00:00',
              'mitre_group_id': 'G0073',
              'page_title': 'APT19, Codoso, C0d0so0, Codoso Team, Sunshop '
                            'Group, Group G0073 | MITRE ATT&CK®'},
 'name': 'APT19',
 'type': 'threat-actor'}