Threat Group-3390
G00271 reportsaliases · Threat Group-3390 · Earth Smilodon · TG-3390 · Emissary Panda · BRONZE UNION · APT27 · Iron Tiger · LuckyMouse · Linen Typhoon
1
Reports
12
Techniques
4
Tactics
5
Countries
29%
Hunt coverage
9
Aliases
Analyst assessment — key judgments
- Signature techniques: T1583 (Acquire Infrastructure), T1592 (Gather Victim Host Information), T1588.007 (Artificial Intelligence).
- Primary targeting: CN, KR, KP, RU.
- Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
- Hunt coverage 29% of 42 observed techniques (30 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2026-05-11 · last 2026-05-11
0
7d
0
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months
Overview
Analyst triage
Intelligence summary
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1583 · Acquire Infrastructureconf 601
- T1592 · Gather Victim Host Informationconf 601
- T1588.007 · Artificial Intelligenceconf 601
- T1590.005 · IP Addressesconf 601
- T1587.001 · Malwareconf 601
- T1592.001 · Hardwareconf 601
- T1588.006 · Vulnerabilitiesconf 601
- T1195 · Supply Chain Compromiseconf 601
- T1684 · Social Engineeringconf 601
- T1036 · Masqueradingconf 601
- T1027.016 · Junk Code Insertionconf 601
- T1591.002 · Business Relationshipsconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|