Ke3chang
G00042 reportsaliases · Ke3chang · APT15 · Mirage · Vixen Panda · GREF · Playful Dragon · RoyalAPT · NICKEL · Nylon Typhoon
2
Reports
6
Techniques
5
Tactics
6
Countries
100%
Hunt coverage
9
Aliases
Analyst assessment — key judgments
- Signature techniques: T1589.001 (Credentials), T1053.005 (Scheduled Task), T1204.002 (Malicious File).
- Primary targeting: RU, CN, AU, US.
- Resurgent after a quiet period: 1 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 4 new technique(s), 82 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 100% of 6 observed techniques (0 gap(s)).
- Assessment confidence: medium (61).
Activity & trend
ResurgentLast 30d: 1 vs 0 prior (+100%)· first reported 2026-04-23 · last 2026-07-03
0
7d
1
30d
2
90d
2
All
0.2
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
New techniques
T1053.005T1204.002T1588.006T1059.001Targeting gained
BRRUNew infrastructure
5d5c3e483c5e544260ce98fc29fbf1927141917cba2eee2b4d31107faccf3a39f5c6434ee5f7578faa3bc1257e1c9226c019797a00fd56edb1f468ac0a598510a0ec7a8e61eff3f445a7455b3aef9fbb7db9c688c620e54e8c69b7e52a7579fb90378881856abfa47d7745c0a3ef9dc81dba3e505491a260a44c867902c3296e1096268fa2b3d454c86cf851cb782319f2ab09d7e7a375a192508a5014aa2ee40041fd1b2358cd08dbcbc28ea8fc3d20894332174f536c2e1efeda05cba79f8bOverview
Analyst triage
Intelligence summary
Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1589.001 · Credentialsconf 652
- T1053.005 · Scheduled Taskconf 601
- T1204.002 · Malicious Fileconf 601
- T1588.006 · Vulnerabilitiesconf 601
- T1059.001 · PowerShellconf 601
- T1556.006 · Multi-Factor Authenticationconf 601evidence: Critical minerals and cyber operations
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|