THREATOPS Actor Dossier
LIVE ← Dashboard

menuPass

G00451 reports
aliases · menuPass · Cicada · POTASSIUM · Stone Panda · APT10 · Red Apollo · CVNX · HOGFISH · BRONZE RIVERSIDE
Export dossier:
1
Reports
5
Techniques
4
Tactics
2
Countries
100%
Hunt coverage
9
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1053.005 (Scheduled Task), T1204.002 (Malicious File), T1588.006 (Vulnerabilities).
  • Primary targeting: RU, BR.
  • Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 5 new technique(s), 82 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 100% of 5 observed techniques (0 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

Newly emergedLast 30d: 1 vs 0 prior (+100%)· first reported 2026-07-03 · last 2026-07-03
0
7d
1
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1053.005T1204.002T1588.006T1059.001T1589.001
Targeting gained
BRRU
New infrastructure
5d5c3e483c5e544260ce98fc29fbf1927141917cba2eee2b4d31107faccf3a39f5c6434ee5f7578faa3bc1257e1c9226c019797a00fd56edb1f468ac0a598510a0ec7a8e61eff3f445a7455b3aef9fbb7db9c688c620e54e8c69b7e52a7579fb90378881856abfa47d7745c0a3ef9dc81dba3e505491a260a44c867902c3296e1096268fa2b3d454c86cf851cb782319f2ab09d7e7a375a192508a5014aa2ee40041fd1b2358cd08dbcbc28ea8fc3d20894332174f536c2e1efeda05cba79f8b

Overview

Analyst triage
Intelligence summary

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected