THREATOPS Actor Dossier
LIVE ← Dashboard

APT17

G00251 reports
aliases · APT17 · Deputy Dog
Export dossier:
1
Reports
5
Techniques
4
Tactics
2
Countries
100%
Hunt coverage
2
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1053.005 (Scheduled Task), T1204.002 (Malicious File), T1588.006 (Vulnerabilities).
  • Primary targeting: RU, BR.
  • Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 5 new technique(s), 82 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 100% of 5 observed techniques (0 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

Newly emergedLast 30d: 1 vs 0 prior (+100%)· first reported 2026-07-03 · last 2026-07-03
0
7d
1
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1053.005T1204.002T1588.006T1059.001T1589.001
Targeting gained
BRRU
New infrastructure
5d5c3e483c5e544260ce98fc29fbf1927141917cba2eee2b4d31107faccf3a39f5c6434ee5f7578faa3bc1257e1c9226c019797a00fd56edb1f468ac0a598510a0ec7a8e61eff3f445a7455b3aef9fbb7db9c688c620e54e8c69b7e52a7579fb90378881856abfa47d7745c0a3ef9dc81dba3e505491a260a44c867902c3296e1096268fa2b3d454c86cf851cb782319f2ab09d7e7a375a192508a5014aa2ee40041fd1b2358cd08dbcbc28ea8fc3d20894332174f536c2e1efeda05cba79f8b

Overview

Analyst triage
Intelligence summary

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected