JANUARY 31, 2026
APT27 is one of the most prolific and longest-running China-aligned advanced persistent threat (APT) groups, with cyber-espionage operations documented for more than ten years. The security community tracks the group under many names, including BRONZE UNION, Budworm, Circle Typhoon, EMISSARY PANDA, Earth Smilodon, G0027, GreedyTaotie, Group 35, Iron Taurus, Iron Tiger, Linen Typhoon, Lucky Mouse, Red Phoenix, TEMP.Hippo, TG-3390, and ZipToken. The sheer number of aliases illustrates how fragmented vendor naming is for activity attributed to Chinese government cyber operations.
APT27's campaigns aim at long-term intelligence collection rather than disruption or financial gain. The group has continually targeted government agencies, defense contractors, critical infrastructure operators, technology companies, and think tanks across Asia, Europe and North America. This article provides an in-depth intelligence analysis of APT27's identity, motivation, tactics, major operations, and strategic impact.
There is broad consensus in the community that APT27 is aligned with the intelligence priorities of the People's Republic of China. Public indictments and analysis of the group's technical resources both indicate an association with elements of China's military or intelligence services, although the precise command structure is unclear.
The community has attributed APT27 to China and has linked it to activity directed by either the People's Liberation Army (PLA) or the Ministry of State Security (MSS), depending on the campaign's timeframe and the type of target.
APT27's activity has been documented since at least 2012 and has continued through at least 2025.
APT27 is known by a variety of names, including BRONZE UNION, Budworm, Circle Typhoon, EMISSARY PANDA, Earth Smilodon, G0027, GreedyTaotie, Group 35, Iron Taurus, Iron Tiger, Linen Typhoon, Lucky Mouse, Red Phoenix, TEMP.Hippo, TG-3390, and ZipToken.
APT27's primary motivation is cyber espionage in furtherance of China's strategic interests: acquiring sensitive political, military, and economic information that helps China shape its national security strategy, advance its foreign policy goals, and build its technological capabilities.
APT27's tradecraft balances stability and flexibility. The group relies on proven techniques but selectively adopts new tooling during its operations.
APT27's preferred methods of gaining initial access to victim networks include:
– Spearphishing emails themed around diplomacy, military, or policy topics
– Delivery of backdoor malware via malicious links or attachments
– Exploitation of known vulnerabilities in internet-facing web servers and edge devices
– Credential-harvesting web portals that impersonate real government or enterprise services
Phishing remains a core access vector, often tailored to the language and institutional context of the target.
Once inside a network, APT27 deploys a mix of custom and commodity malware, including:
– Remote access trojans (RATs) such as PlugX and HyperBro variants
– Custom loaders and shellcode runners
– Tools for credential dumping and system reconnaissance
The group favors lightweight, modular malware that can be easily replaced if detected.
APT27 establishes persistence using:
– Registry run keys and scheduled tasks
– DLL side-loading via legitimate software
– Web shells on compromised servers
– Redundant backdoors to maintain access
These mechanisms allow the group to survive partial remediation efforts.
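The four persistence mechanisms above each leave a distinct footprint in endpoint telemetry. The following script is an added hunting example, not code from the original article or from any vendor: it runs constructed, Sysmon-style events (field names and directory lists are assumptions, not a real schema) through one check per mechanism and returns the findings.

```python
"""Hunt for the persistence mechanisms listed above in endpoint telemetry.

Added example, not code from the original article. The events are constructed
stand-ins shaped loosely after Sysmon Event IDs 1 (process create), 7 (image
load), 11 (file create) and 13 (registry value set); the field names and the
directory lists below are assumptions for this example, not a vendor schema.
"""
import re

# Autostart registry locations that run-key persistence writes to.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)

# Directories a standard user can write to. A signed vendor binary executing
# from one of these and loading an unsigned DLL beside it is the classic
# side-loading layout.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Web document roots (assumed IIS/Apache defaults) and server-side script
# extensions: a new script file here is a web-shell lead until proven otherwise.
WEBROOTS = ("\\inetpub\\wwwroot\\", "\\htdocs\\")
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")


def _parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (category, detail) findings for one event; empty when benign."""
    findings = []
    eid = ev["event_id"]

    if eid == 13 and RUN_KEY_RE.search(ev.get("target_object", "")):
        findings.append(("run_key", f"{ev['target_object']} -> {ev['details']}"))

    if eid == 1:
        cmd = ev.get("command_line", "").lower()
        # Only task creation is interesting; queries and deletions are admin noise.
        if "schtasks" in cmd and "/create" in cmd:
            findings.append(("scheduled_task", ev["command_line"]))

    if eid == 7:
        host_dir = _parent_dir(ev["image"])
        dll_dir = _parent_dir(ev["image_loaded"])
        if (
            ev.get("image_signed")
            and not ev.get("dll_signed")
            and host_dir == dll_dir
            and any(w in host_dir for w in USER_WRITABLE)
        ):
            findings.append(("dll_sideload", f"{ev['image']} loaded {ev['image_loaded']}"))

    if eid == 11:
        target = ev["target_filename"].lower()
        if target.endswith(SCRIPT_EXT) and any(w in target for w in WEBROOTS):
            findings.append(("web_shell", f"{ev['image']} wrote {ev['target_filename']}"))

    return findings


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Run every event through check_event and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: four malicious events interleaved with benign ones.
EVENTS = [
    {"event_id": 13,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "target_object": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks /create /sc minute /mo 30 /tn SysHealth /tr C:\\ProgramData\\sh.exe"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks /query /tn Backup"},
    {"event_id": 7, "image": "C:\\ProgramData\\Vendor\\legit.exe", "image_signed": True,
     "image_loaded": "C:\\ProgramData\\Vendor\\version.dll", "dll_signed": False},
    {"event_id": 7, "image": "C:\\Program Files\\Vendor\\legit.exe", "image_signed": True,
     "image_loaded": "C:\\Windows\\System32\\version.dll", "dll_signed": True},
    {"event_id": 11, "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "target_filename": "C:\\inetpub\\wwwroot\\aspnet_client\\help.aspx"},
    {"event_id": 11, "image": "C:\\Program Files\\Deploy\\msdeploy.exe",
     "target_filename": "C:\\inetpub\\wwwroot\\index.html"},
]

if __name__ == "__main__":
    for category, detail in hunt(EVENTS):
        print(f"[{category}] {detail}")
```

Each finding is a triage lead, not a verdict: run keys and scheduled tasks are created legitimately all the time, so the value is in the target path (user-writable, freshly created) rather than the mechanism itself. Because the group plants redundant backdoors, treat a single confirmed hit as a reason to sweep the whole host and its peers for the other three patterns before declaring remediation complete.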
C2 infrastructure is typically:
– Distributed globally across compromised servers
– Hidden behind dynamic DNS and frequently rotated domains
– Encrypted using HTTPS or custom protocols
APT27 often blends malicious traffic with legitimate web traffic to reduce detection.
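Because the C2 channel is encrypted and hides among ordinary web traffic, the payload itself is rarely visible at the proxy; what remains observable is the timing of the requests and the hostname. The script below is an added example (not code from the original article) that scores client/host pairs in constructed proxy-log lines for timer-like regularity and enriches hits with a dynamic-DNS check. The log format, the suffix list and the thresholds are assumptions chosen for the example.

```python
"""Hunt for beaconing to rotated or dynamic-DNS hosts in web-proxy logs.

Added example, not code from the original article. The log line format, the
dynamic-DNS suffix list and the thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed list of dynamic-DNS provider suffixes to treat as higher risk.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Constructed sample log: "<ISO timestamp> <client IP> <host> <status> <bytes>".
# 10.1.2.7 polls a dynamic-DNS host every ~5 minutes with near-constant
# response sizes; 10.1.2.9 is a person browsing a news site.
PROXY_LOG = """\
2026-01-20T09:00:00 10.1.2.7 cdn.example-vendor.com 200 18433
2026-01-20T09:00:05 10.1.2.7 update.example-corp.ddns.net 200 412
2026-01-20T09:03:11 10.1.2.9 www.example-news.com 200 91233
2026-01-20T09:05:04 10.1.2.7 update.example-corp.ddns.net 200 398
2026-01-20T09:10:06 10.1.2.7 update.example-corp.ddns.net 200 421
2026-01-20T09:15:05 10.1.2.7 update.example-corp.ddns.net 200 405
2026-01-20T09:20:04 10.1.2.7 update.example-corp.ddns.net 200 417
2026-01-20T09:20:07 10.1.2.7 cdn.example-vendor.com 200 22011
2026-01-20T09:31:57 10.1.2.9 www.example-news.com 200 84010
2026-01-20T10:15:40 10.1.2.9 www.example-news.com 200 77811
2026-01-20T10:20:15 10.1.2.9 www.example-news.com 200 80112
"""


def is_dyndns(host: str) -> bool:
    """True when the host sits under one of the assumed dynamic-DNS suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def parse_log(text: str):
    """Group (timestamp, bytes) pairs by (client, host)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _status, size = line.split()
        sessions[(src, host)].append((datetime.fromisoformat(ts), int(size)))
    return sessions


def find_beacons(text: str, min_requests: int = 4, max_cv: float = 0.1) -> list[dict]:
    """Flag (client, host) pairs whose request intervals are suspiciously regular.

    cv is the coefficient of variation of the inter-request gaps: a person
    browsing produces large, irregular gaps (cv near or above 1), while a
    timer-driven implant produces a tight distribution. max_cv is tunable.
    """
    hits = []
    for (src, host), reqs in parse_log(text).items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({
                "src": src, "host": host, "requests": len(reqs),
                "mean_interval": avg, "cv": cv,
                "mean_bytes": mean(s for _, s in reqs),
                "dyndns": is_dyndns(host),
            })
    return hits


if __name__ == "__main__":
    for h in find_beacons(PROXY_LOG):
        print(f"{h['src']} -> {h['host']}: {h['requests']} requests every "
              f"{h['mean_interval']:.0f}s (cv={h['cv']:.3f}, dyndns={h['dyndns']})")
```

Two caveats when applying this to real data: implants commonly add sleep jitter, so a strict cv threshold will miss them and a larger window with response-size uniformity (the mean_bytes field) as a second signal works better; and the dynamic-DNS flag is enrichment, not evidence, since compromised legitimate servers and rotated registered domains will not match any suffix list.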
Defense evasion techniques include:
– Obfuscation and encryption of payloads
– Use of living-off-the-land binaries (LOLBins)
– Avoidance of noisy lateral movement
– Selective activation of malware functionality