APT27 is one of the most prolific and long-running China-aligned advanced persistent threat (APT) groups, with a sustained history of cyber-espionage operations going back more than ten years. The security community tracks APT27 under many different names, including BRONZE UNION, Budworm, Circle Typhoon, EMISSARY PANDA, Earth Smilodon, G0027, GreedyTaotie, Group 35, Iron Taurus, Iron Tiger, Linen Typhoon, Lucky Mouse, Red Phoenix, TEMP.Hippo, TG-3390, and ZipToken. Because each vendor clusters activity on its own telemetry, these aliases do not map one-to-one and some overlap with APT27 only partially. APT27 illustrates how fragmented vendor naming has become for threat activity connected to Chinese government cyber operations.
The primary purpose of APT27's campaigns is long-term intelligence collection rather than disruption or financial gain. The group has continually targeted government agencies, defense contractors, critical infrastructure operators, technology companies, and think tanks across Asia, Europe and North America. This blog article provides an in-depth intelligence analysis of APT27's identity, motivation, tactics, major operations, and strategic impact.

Identity & Motivation
There is broad consensus in the community that APT27 operates in line with the intelligence priorities of the People's Republic of China. Public indictments and analysis of the group's tooling and infrastructure indicate an association with elements of China's military or intelligence services, although the precise command structure is unclear. Based on the timing of its campaigns and the type of targets chosen, the community has linked APT27 to activity directed by either the People's Liberation Army (PLA) or the Ministry of State Security (MSS).
APT27’s activity has been documented since at least 2012, and it has continued to operate up through at least 2025.
The primary motivation of APT27 is to conduct cyber espionage in furtherance of China’s strategic interests. This includes acquiring sensitive information within the political, military, and economic areas that would enhance China’s ability to develop its national security strategy, advance its foreign policy goals, and enhance its technological capabilities.
Tactics, Techniques, and Procedures (TTPs)
APT27's TTPs strike a balance between stability and flexibility. The group favours tried-and-true methods, but it selectively adopts new tools during its operations when they offer an advantage.
Initial Access
APT27's preferred methods of gaining initial access to victim networks include:
– Spearphishing e-mails themed around diplomacy, the military or policy
– Delivery of backdoor malware via malicious links and/or attachments
– Exploitation of known vulnerabilities in publicly exposed web servers and edge devices
– Credential-harvesting web portals that impersonate real government or enterprise services
Phishing remains a core access vector, often tailored to the language and institutional context of the target.
Execution & Tooling
Once inside a network, APT27 deploys a mix of custom and commodity malware, including:
– Remote Access Trojans (RATs) such as PlugX and HyperBro variants
– Custom loaders and shellcode runners
– Tools for credential dumping and system reconnaissance
The group favors lightweight, modular malware that can be easily replaced if detected.
Persistence
APT27 establishes persistence using:
– Registry run keys and scheduled tasks
– DLL side-loading via legitimate software
– Web shells on compromised servers
– Redundant backdoors to maintain access
These mechanisms allow the group to survive partial remediation efforts.
Command and Control (C2)
C2 infrastructure is typically:
– Distributed globally across compromised servers
– Hidden behind dynamic DNS and frequently rotated domains
– Encrypted using HTTPS or custom protocols
APT27 often blends malicious traffic with legitimate web traffic to reduce detection.
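Two of the C2 traits above, dynamic-DNS hosting and beacons hidden inside ordinary HTTPS, can be surfaced from proxy logs without decrypting anything: a backdoor polling on a fixed timer produces nearly identical gaps between requests, while a user browsing the same site does not. The script below is an added example for this article, not APT27 infrastructure or any vendor's detection logic. The log lines are constructed, the client address, host names and timings are invented, and the dynamic-DNS suffix list is a deliberately small illustration.

```python
"""Flag beacon-like request timing and dynamic-DNS hosts in constructed
proxy log lines. Added example; not APT27 infrastructure."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <host> <status> <bytes>".
# One host is polled every ~5 minutes with tiny responses; the other is normal browsing.
PROXY_LOG = """\
2024-05-01T09:00:00 10.1.2.15 www.example.org 200 51233
2024-05-01T09:00:00 10.1.2.15 cdn-update.ddns.net 200 412
2024-05-01T09:05:01 10.1.2.15 cdn-update.ddns.net 200 398
2024-05-01T09:10:00 10.1.2.15 cdn-update.ddns.net 200 405
2024-05-01T09:14:59 10.1.2.15 cdn-update.ddns.net 200 401
2024-05-01T09:20:00 10.1.2.15 cdn-update.ddns.net 200 410
2024-05-01T09:03:12 10.1.2.15 www.example.org 200 8831
2024-05-01T09:17:45 10.1.2.15 www.example.org 304 0
2024-05-01T09:41:03 10.1.2.15 www.example.org 200 12004
2024-05-01T09:52:30 10.1.2.15 www.example.org 200 7751
"""

# Assumption: a handful of well-known dynamic-DNS provider suffixes; extend from threat intel.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".dyndns.org", ".hopto.org", ".zapto.org")


def parse(log: str):
    """Split the constructed log format into records with parsed timestamps."""
    records = []
    for line in log.strip().splitlines():
        ts, client, host, status, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "host": host, "status": int(status), "bytes": int(size)})
    return records


def beacon_candidates(records, min_hits: int = 4, max_cv: float = 0.1):
    """Group requests per (client, host) and flag pairs whose inter-request gaps
    are nearly constant. CV = population stdev / mean of the gaps; a fixed timer
    gives a CV near 0, human browsing gives a CV well above 0.1."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # lines may arrive out of order from a busy proxy
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "count": len(stamps),
                             "mean_interval_s": round(avg), "cv": round(cv, 4)})
    return findings


def dyndns_hosts(records):
    """Hosts under a known dynamic-DNS provider suffix, sorted for stable output."""
    return sorted({r["host"] for r in records if r["host"].lower().endswith(DYNDNS_SUFFIXES)})


if __name__ == "__main__":
    recs = parse(PROXY_LOG)
    print("beacons:", beacon_candidates(recs))
    print("dynamic DNS:", dyndns_hosts(recs))
```

On the sample data only cdn-update.ddns.net is flagged, on both counts: a 300-second cadence with a CV of about 0.003, and a dynamic-DNS suffix. Real implants add jitter to the sleep interval, so raise `max_cv` gradually and watch the false-positive rate from legitimate pollers (software updaters, monitoring agents) before relying on the timing signal alone; the small, constant response sizes are a useful second feature.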
Defense Evasion
Defense evasion techniques include:
– Obfuscation and encryption of payloads
– Use of living‑off‑the‑land binaries (LOLBins)
– Avoidance of noisy lateral movement
– Selective activation of malware functionality

Target Profile
APT27's victimology shows that its targets are chosen strategically rather than opportunistically.
Primary Sectors:
– Ministries/agencies of Governments
– Defense contractors and Aerospace
– Critical Infrastructure and Energy organizations
– Telecommunications providers
– Technology companies and Research Institutions
Geographic Focus:
– East and Southeast Asia
– Europe
– North America
Targets are typically selected based on their significance to China related to regional security issues, modernization of defense capabilities, or on-going economic initiatives.
Notable Operations
Government and Defense Espionage
APT27 has executed numerous campaigns against government and military systems to collect intelligence on defense planning, procurement, and alliances. The group's dwell times are typically long; its intrusions often remain undetected for months or even years.
Critical Infrastructure Intrusions
APT27 has infiltrated providers of electricity, gas, telecommunications, and water services, presumably to gain knowledge of their network topology, their resilience model, and their emergency response planning.
International Policy and Think Tank Targeting
APT27 has demonstrated a continuous interest in think tanks and policy organizations that study China’s Foreign Relations, Trade Issues, and Regional Security Dynamics.
Long‑Running Web Shell Campaigns
APT27 has frequently planted long-lived web shells on compromised servers to keep a foothold and to collect data periodically.
Recent Developments (2023–2025)
Over the past two years APT27 has evolved slowly and unevenly, but it has recently started to show signs of greater sophistication.
Some of the recent developments include:
- Use of DLL side-loading to bypass modern endpoint protection
- More precise target selection, resulting in fewer but higher-value victims
- Improved operational security, including faster infrastructure rotation
Overlap between APT27's tools and those of other PRC-aligned APT actors indicates that they likely draw on shared resources or cooperate in tool development.
While APT27 has not always been at the cutting edge of zero-day exploitation, the group has been effective through consistently disciplined execution.
Strategic Impact
The activities of APT27 directly contribute to the overall strategic posture of the Chinese government regarding intelligence gathering.
- Military Advantage: The ability to successfully access data pertaining to military capabilities aids in the process of building military capability and conducting threat assessments.
- Political Insight: The ability to compromise government communications gives APT27 visibility into foreign government decision processes about foreign policy statements and initiatives.
- Economic Benefits: APT27’s ability to steal sensitive technical and industrial data can speed domestic innovation, which has positive benefits on the Chinese economy.
APT27 will continue to provide the Chinese government with long-term, sustainable access to intelligence through cyber espionage.
Conclusion
APT27 continues to be a serious cyber-espionage threat as of 2025. The group has relied on consistent spear-phishing techniques, established malware families, and a disciplined operating methodology to penetrate high-value targets worldwide. Its many aliases reflect how many vendors have tracked it over how many years and across how many industries and regions, not fragmentation within the group itself.
Organizations in the government, military, critical infrastructure, and technology sectors should treat APT27 as a persistent, active threat and invest in strong e-mail security, continuous monitoring, and a threat-intelligence-driven defense strategy. With geopolitical rivalry continuing to intensify, it is reasonable to expect APT27 to remain a capable and enduring instrument of China's cyber operations.


