JANUARY 30, 2026
The APT3 cyber threat group is one of the earliest of today’s Advanced Persistent Threat groups and was instrumental in shaping the tactics, techniques, and operational model of many China-aligned cyber threat groups. For more than a decade APT3 has continued to evolve as an organization, albeit with varying levels of activity over time. In addition to providing a baseline for evaluating the relationship between state intelligence needs and private sector capabilities, APT3 serves as an example of what to expect from similar groups in the future. Many other names are used to refer to APT3, including, but not limited to, BRONZE MAYFAIR, GOTHIC PANDA, BORON, Boyusec, Brocade Typhoon, Buckeye, TG-0110 and UPS. These multiple names are the result of different cybersecurity vendors and intelligence agencies conducting research on overlapping activity clusters of APT3.

APT3 (Aptitude Threat Infiltration Group 3), formerly known as Boyusec, is considered to be a part of the Chinese Cyber Espionage Program (CCEP), which has been in place since around 2010-11 under China’s State Council and Ministry of State Security, and the association is ongoing. The relationship between APT3 and Boyusec has provided a unique view of how state operators collaborate with private companies for cyber operations, and APT3 is the only known APT group to have been established in partnership with a commercial cybersecurity organisation (Boyusec). Both public and corporate intelligence demonstrate that APT3’s activity supports several long-term objectives.
The main purpose for APT3 has always been to obtain sensitive information through cyber espionage, as opposed to generating revenue through online services. APT3 focuses primarily on obtaining Defensive Technology, Advanced Manufacturing and Critical Infrastructure information, giving them sustained access to high-value networks. The majority of APT3 targeted companies provided or facilitated innovation and policy development; as a result, through these companies, APT3 is able to collect valuable economic and strategic information.
APT3 used sophisticated tactics that were advanced for their time and more innovative than those of other actors active in the same period.
APT3 had a variety of methods used for gaining access, using social engineering techniques through email and exploiting weaknesses in public-facing servers. They were able to weaponize new vulnerabilities very quickly after they were disclosed (in some cases, before a vendor had released patches to a weakness).
In several of their campaigns, they took advantage of watering hole attacks. They compromised the website of an organization with which they were associated and then used those sites to distribute malware selectively to their targets.
APT3 is known for developing and using custom exploit frameworks. The exploit framework was developed and maintained by APT3 and gave them the capability to exploit different versions of commonly used enterprise software. Using these exploitation frameworks, an operator could execute payloads, escalate privileges, bypass security controls, and operate reliably.
APT3’s malware loader was a modular malware loader that allowed an operator to execute specific payloads based on the targeted victim environment and based on the intelligence requirements.
After gaining access to a network, APT3 established persistent access through the creation of scheduled tasks, the installation of services, and the modification of registry entries. APT3 was adept at exploiting the inner workings of Windows and had a strong knowledge of enterprise networking environments and how they operate, which allowed them to move easily from one workstation or system within a network to another.
Stealing credentials, utilizing pass-the-hash techniques, and using administrative tools to escalate privileges were all widely used. These methods allowed an APT3 operator to gain wider access with minimal effort through less visible and less detectable means.
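As an added detection example (not code from the original article), the following script flags the three persistence mechanisms the text attributes to APT3 (scheduled task creation, service installation, and Run-key modification) in constructed Windows event records; the pipe-delimited log format, the event field names and the list of suspicious directories are assumptions for the example.

```python
"""Hunt constructed Windows event records for the layered persistence described above."""
import re
from collections import Counter

# Constructed sample events (NOT real telemetry). Format: EventID|Host|User|Detail
SAMPLE_EVENTS = """\
4698|WS-042|CORP\\jdoe|TaskName=\\Microsoft\\Windows\\Updater;Command=C:\\Users\\Public\\svchost.exe
7045|WS-042|SYSTEM|ServiceName=WinHelpSvc;ImagePath=C:\\ProgramData\\wh\\wh.exe
4657|WS-042|CORP\\jdoe|Key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run;Value=upd;Data=C:\\Users\\Public\\svchost.exe
4657|WS-017|CORP\\admin|Key=HKLM\\SOFTWARE\\Policies\\Foo;Value=x;Data=1
7045|SRV-DB1|SYSTEM|ServiceName=MSSQL$PROD;ImagePath=C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.IGNORECASE)
# Directories from which a legitimate service or task binary rarely runs (assumption).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\programdata\\", "\\appdata\\", "\\temp\\")

def parse_event(line):
    event_id, host, user, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";"))
    return {"id": int(event_id), "host": host, "user": user, **fields}

def binary_path(ev):
    return (ev.get("Command") or ev.get("ImagePath") or ev.get("Data") or "").lower()

def classify(ev):
    """Return a finding label, or None when the event looks benign."""
    from_odd_dir = any(d in binary_path(ev) for d in SUSPICIOUS_DIRS)
    if ev["id"] == 4698 and from_odd_dir:      # scheduled task created
        return "scheduled-task persistence"
    if ev["id"] == 7045 and from_odd_dir:      # new service installed
        return "service-install persistence"
    if ev["id"] == 4657 and RUN_KEY.search(ev.get("Key", "")):  # Run key changed
        return "run-key persistence"
    return None

def hunt(log_text):
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append((ev["host"], label, binary_path(ev)))
    return findings

def hosts_with_multiple_mechanisms(findings):
    """Hosts where more than one mechanism fired deserve priority triage:
    stacking several persistence routes is the pattern described in the text."""
    counts = Counter(host for host, _, _ in findings)
    return sorted(h for h, n in counts.items() if n > 1)
```

Event IDs 4698, 7045 and 4657 are the standard Windows IDs for task creation, service installation and registry value modification; the path heuristic will miss binaries staged in other locations and should be tuned per environment.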
APT3 made extensive use of flexible C2 structures that blended malicious traffic with ordinary web traffic over the common HTTP/HTTPS protocols. Domains were created to look like legitimate domains, and the entire infrastructure was continuously changing in order to minimize the chance of detection or identification.
Early in their operations, APT3 conducted numerous trials using proxy networks and multi-hop C2 chains, all of which increased the complexity of defensive operations.
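An added example (not from the original article) of the defensive check that the look-alike domain tactic calls for: each contacted domain in constructed proxy log lines is compared against an allowlist of domains the organization legitimately talks to, and near-misses are flagged. The log format, the allowlist and the distance threshold are assumptions.

```python
"""Flag look-alike domains in constructed proxy logs by edit distance to an allowlist."""
import re

# Constructed proxy log lines: timestamp, client, method, URL (NOT real data).
PROXY_LOG = """\
2026-01-30T10:01:02Z 10.0.5.17 GET https://update.micros0ft.com/check
2026-01-30T10:01:09Z 10.0.5.17 POST https://login.rnicrosoft.com/api
2026-01-30T10:02:44Z 10.0.5.22 GET https://www.microsoft.com/en-us/
2026-01-30T10:03:10Z 10.0.5.22 GET https://cdn.adobe.com/flash/
"""
ALLOWLIST = ["microsoft.com", "adobe.com", "windowsupdate.com"]
HOST_RE = re.compile(r"https?://([^/\s]+)")

def registrable_domain(host):
    # Assumption: last two labels form the registrable domain (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def levenshtein(a, b):
    """Classic edit distance; small enough here to write out rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, allowlist=ALLOWLIST, max_distance=2):
    """Return the allowlisted domain this one imitates, or None if exact or unrelated."""
    if domain in allowlist:
        return None
    for good in allowlist:
        if levenshtein(domain, good) <= max_distance:
            return good
    return None

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        dom = registrable_domain(m.group(1))
        good = lookalike_of(dom)
        if good:
            hits.append((line.split()[1], dom, good))   # (client, contacted, imitated)
    return hits
```

A fixed distance of 2 is generous for short allowlisted names, so in production scale the threshold with domain length or combine it with a homoglyph table.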
APT3 has a record of multiple types of well-known malware and tool sets that have had an impact on the subsequent China-linked attacks. These tools included custom built backdoors, exploit kits and utilities for stealing user credentials.
One thing APT3’s toolsets have been noted for is their ‘industrial strength’ design: they were built for use in larger enterprise environments (‘multiple environments’). This reflected APT3’s focus on larger, complex entities (such as defence contractors and industrial companies).
The sophistication of APT3’s tool environment placed APT3 among the most capable APT actors of its day, particularly during its peak years 2012 to 2016.

APT3’s target set is extensive yet consistent with their broader strategy.
APT3 operated on multiple continents, including the United States, Europe, and East Asia.
The group’s targeting patterns indicate a significant focus on gathering technology and intelligence with long-term benefits.
APT3’s historical cyber espionage campaigns have been quite extensive and covered:
These operations underscore APT3’s historical importance rather than current volume.
Over time, the operational model adopted by APT3 has changed, mostly due to public attribution and subsequent legal action. Most importantly, fewer analysts attribute APT3’s current operations to previous operations, which may suggest that APT3 personnel, tools, or methodologies were incorporated into other groups within the overall China cyber threat environment.
The legacy of APT3 continues today, particularly within newer cyber espionage actors, with APT3’s methods seen as influencing both exploit development and the conduct of enterprise-level intrusion operations.
Today, APT3 is regarded as a historically high-threat but currently relatively low-risk operator. Many of APT3’s earlier campaigns are no longer actively operated; however, many organizations will have some level of historical exposure to APT3’s intrusion activity and may therefore continue to carry risk from previously compromised systems or stolen intellectual property.
APT3’s activities illustrate that initial investments made to develop further exploit technologies, as well as the discipline used to maintain the integrity of the exploit, can yield long-term operational advantages for an operator.
When defending against threats like APT3, defenders can draw several lessons from the way APT3 operated:
Understanding how APT3 operated is important for protection against the current threats from actors aligned with Chinese interests in espionage.
APT3 occupies a unique place in the history of cyber espionage. Several new standards created through APT3’s work serve as a blueprint for state/private sector partnership, and many of the ideas currently utilized by advanced threat actors were developed by APT3.
Currently, APT3 does not exist in the capacity that it once did. However, many groups and agencies continue to build their techniques on APT3’s extensive work, which continues to shape the nature of modern cyber threats. Cybersecurity defenders can better understand today’s high-end persistent threats by examining APT3’s contributions to the techniques that constitute them.