
Group

G0004

APT15

Aliases

Ke3chang, Vixen Panda, Playful Dragon, Mirage

Type

State-sponsored cyberespionage group.

Target

Diplomatic Missions, Government, Military

Malware

TidePool, RoyalCli, Ketbra

Country

China


Who is APT15?

APT15 is a patient, persistent cyberespionage group attributed to China. It has been active since at least 2010 and has a long record of strategic intelligence gathering.

Its targeting is narrow: senior government and diplomatic organizations, including several ministries of foreign affairs, from which it steals political, military, and economic intelligence.

Common Tactics and Tools

APT15’s primary initial-access technique is spear-phishing: convincingly written emails aimed at specific high-value individuals.

The group is known for stealthy command-and-control (C2). In particular it has used DNS tunneling, encoding C2 commands and results inside what looks like ordinary DNS queries and responses. Because DNS is almost always allowed out of a network and is rarely inspected closely, this lets the group stay undetected for long periods.

The group maintains an evolving set of custom malware, including:

  • BS2005 (TidePool): A long-standing backdoor that lets operators run commands, manage files, and exfiltrate data.
  • RoyalCli and RoyalDNS: Two related backdoors. RoyalDNS is the one built to carry its C2 over DNS, and it is a key part of the group’s emphasis on stealthy C2.
  • Ketbra: A more recent remote access trojan (RAT) used in Ke3chang campaigns, evidence that the group keeps building new tooling to evade current defenses.

How to Defend Against APT15

Defending against a stealthy actor like APT15 comes down to two things: visibility into network traffic, especially DNS, and hardening of the people and accounts it targets.

  • Analyze DNS traffic: Log DNS queries at your resolvers and inspect them for tunneling indicators: unusually long query names, high-entropy or encoded-looking subdomain labels, a large number of unique subdomains under one domain, and an unusual share of record types such as TXT. Judge these against a baseline of normal query volume per host, since a single signal (a long name, say) also appears in legitimate CDN and telemetry traffic.
  • Specialized phishing training: Provide targeted security awareness training for senior staff and executives, who are the most likely recipients of Ke3chang’s spear-phishing emails.
  • Implement strong egress filtering: Strictly control all outbound network traffic. By default, servers should not be allowed to reach arbitrary external domains. Note that DNS tunneling is designed to slip through exactly this kind of filtering, so the DNS path itself must be constrained: require every host to use your internal resolvers, block direct outbound DNS (port 53) and DNS-over-HTTPS to external resolvers, and log what the internal resolvers see. Tunnel traffic then has to pass through a choke point you can inspect.
  • Harden privileged accounts: Grant users only the access they need (the principle of least privilege) and enforce multi-factor authentication (MFA). This makes it harder for attackers to move through the network after an initial compromise.
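As an added example (not code from Lumu or from any published APT15 report), the following Python script scores a DNS query log for the tunneling indicators described in the C2 discussion above and in the “Analyze DNS traffic” item: mostly unique query names, long names, high-entropy subdomain labels, and a high share of TXT lookups. The log lines, the domain names (all under the reserved .test TLD) and the thresholds are constructed for illustration and are assumptions, not vendor or ATT&CK values.

```python
"""Heuristic triage of a DNS query log for tunneling-style C2 (added example).

Each registered domain is scored on four signals that DNS tunneling tends to
show and ordinary browsing does not. Thresholds are illustrative assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<client> <qtype> <qname>".
# The .test TLD is reserved (RFC 2606); none of these names are real indicators.
SAMPLE_LOG = """\
10.0.0.5 A www.example.org
10.0.0.5 A cdn.example.org
10.0.0.5 A www.example.org
10.0.0.9 A mail.example.org
10.0.0.5 A a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.static.cdn-demo.test
10.0.0.9 A a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.static.cdn-demo.test
10.0.0.5 A a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.static.cdn-demo.test
10.0.0.9 A a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.static.cdn-demo.test
10.0.0.7 TXT 9f3a1c7e5b2d4a6f8c0e1d3b5a7f9c2e.0001.c2.tunnel-demo.test
10.0.0.7 TXT 4b8d2e6f0a1c3e5d7b9f1a3c5e7d9b0f.0002.c2.tunnel-demo.test
10.0.0.7 TXT c1e3a5d7f9b2d4f6a8c0e2d4b6f8a0c2.0003.c2.tunnel-demo.test
10.0.0.7 TXT 7d9b1f3a5c7e9d0b2f4a6c8e0d2b4f6a.0004.c2.tunnel-demo.test
10.0.0.7 TXT e2c4a6f8d0b2e4c6a8f0d2b4c6e8a0f2.0005.c2.tunnel-demo.test
"""

# Illustrative thresholds (assumptions; tune against your own resolver baseline).
MIN_QUERIES = 4       # ignore domains with too little traffic to judge
UNIQUE_RATIO = 0.8    # share of query names that never repeat
LONG_QNAME = 50       # total length of the queried name, in characters
LABEL_ENTROPY = 3.0   # Shannon entropy (bits/char) of a subdomain label
TXT_SHARE = 0.5       # share of queries that are TXT lookups
FLAG_SCORE = 3        # number of signals needed to flag a domain


def shannon_entropy(text):
    """Bits per character; encoded or encrypted payloads score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive eTLD+1: last two labels. Use a public-suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def parse_line(line):
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname


def score_domains(log_text):
    """Return {registered_domain: {"score", "reasons", "queries"}} for the log."""
    per_domain = defaultdict(lambda: {"queries": 0, "txt": 0, "names": set(),
                                      "max_len": 0, "max_entropy": 0.0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _client, qtype, qname = parse_line(raw)
        domain, sub_labels = registered_domain(qname)
        d = per_domain[domain]
        d["queries"] += 1
        d["txt"] += qtype == "TXT"
        d["names"].add(qname.lower())
        d["max_len"] = max(d["max_len"], len(qname))
        for label in sub_labels:  # only the part the client controls per query
            d["max_entropy"] = max(d["max_entropy"], shannon_entropy(label))

    results = {}
    for domain, d in per_domain.items():
        if d["queries"] < MIN_QUERIES:
            continue
        reasons = []
        if len(d["names"]) / d["queries"] >= UNIQUE_RATIO:
            reasons.append("mostly unique query names")
        if d["max_len"] >= LONG_QNAME:
            reasons.append("very long query name (%d chars)" % d["max_len"])
        if d["max_entropy"] >= LABEL_ENTROPY:
            reasons.append("high-entropy label (%.2f bits/char)" % d["max_entropy"])
        if d["txt"] / d["queries"] >= TXT_SHARE:
            reasons.append("mostly TXT lookups")
        results[domain] = {"score": len(reasons), "reasons": reasons,
                           "queries": d["queries"]}
    return results


def flagged_domains(log_text, min_score=FLAG_SCORE):
    """Domains meeting the score threshold, strongest first."""
    scored = score_domains(log_text)
    hits = [dom for dom, r in scored.items() if r["score"] >= min_score]
    return sorted(hits, key=lambda dom: -scored[dom]["score"])


if __name__ == "__main__":
    ranked = sorted(score_domains(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"])
    for dom, r in ranked:
        print("%-18s score=%d queries=%d %s" % (dom, r["score"], r["queries"],
                                                "; ".join(r["reasons"])))
    print("flagged:", flagged_domains(SAMPLE_LOG))
```

Run it directly to print the per-domain scores. The CDN-style domain trips the length and entropy checks on its own (hashed asset names look random too) but not the uniqueness or TXT checks, which is why a single signal should not page an analyst. In production, replace the two-label registered_domain() with a public-suffix-list lookup, add a per-host query-rate check against your baseline, and feed the flagged domains to the resolver logs for the full query sequence.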
