Threat Actor Profile
High APT
Description

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.(Citation: Sygnia VelvetAnt 2024A)(Citation: Sygnia VelvetAnt 2024B)

Confidence Score
90%
Known Aliases
Velvet Ant
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (22)
T1071 - Application Layer Protocol (Command and Control)
T1090.001 - Internal Proxy (Command and Control)
T1132 - Data Encoding (Command and Control)
T1571 - Non-Standard Port (Command and Control)
T1573.002 - Asymmetric Cryptography (Command and Control)
T1040 - Network Sniffing (Credential Access)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1055 - Process Injection (Defense Evasion)
T1078.003 - Local Accounts (Defense Evasion)
T1211 - Exploitation for Defense Evasion (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1562.004 - Disable or Modify System Firewall (Defense Evasion)
T1049 - System Network Connections Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1059.004 - Unix Shell (Execution)
T1569.002 - Service Execution (Execution)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1570 - Lateral Tool Transfer (Lateral Movement)
T1037.004 - RC Scripts (Persistence)
T1133 - External Remote Services (Persistence)
T1574.001 - DLL (Persistence)
STIX Data
{
  "aliases": ["Velvet Ant"],
  "created": "2025-03-14T19:21:17.470Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Velvet Ant](https://attack.mitre.org/groups/G1047) is a threat actor operating since at least 2021. [Velvet Ant](https://attack.mitre.org/groups/G1047) is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.(Citation: Sygnia VelvetAnt 2024A)(Citation: Sygnia VelvetAnt 2024B)",
  "external_references": [
    {
      "external_id": "G1047",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G1047"
    },
    {
      "description": "Sygnia Team. (2024, July 1). China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices – Advisory for Mitigation and Response. Retrieved March 14, 2025.",
      "source_name": "Sygnia VelvetAnt 2024B",
      "url": "https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/"
    },
    {
      "description": "Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.",
      "source_name": "Sygnia VelvetAnt 2024A",
      "url": "https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/"
    }
  ],
  "id": "intrusion-set--e1fc262c-dad2-4b82-abda-5f08dd134971",
  "modified": "2025-04-04T17:24:17.983Z",
  "name": "Velvet Ant",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Oren Biderman, Sygnia", "Amnon Kushnir, Sygnia"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0"
}