Introduction
The cyber espionage group BlackTech has been operating with considerable sophistication for more than ten years. Its main advantage is the combination of stealth and persistence, which allows it to conduct cyber espionage activities over a longer period of time. It also focuses heavily on compromising network infrastructure instead of merely targeting endpoints. Over the past decade, it has mostly targeted government agencies, military organizations and telecommunications providers within East Asia, Southeast Asia and, increasingly, Western nations as well. BlackTech has also operated under many different names, including CIRCUIT PANDA, Canary Typhoon, Earth Hundun, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03 and Temp.Overboard. Each of these names represents a different point in the evolution of BlackTech as well as different sets of operations with similar objectives. As such, the differences in naming conventions highlight the challenges associated with attributing modern threats within threat intelligence. Although there are many different names associated with BlackTech, there is strong agreement among analysts that these names all reference the same state-sponsored espionage organization based out of China, with a common set of overall objectives and tactics for conducting cyber espionage. In this blog, we present an extensive discussion of BlackTech’s identity, objectives, the methods used in its operations, how it has evolved over the course of time, and what strategic impact it is currently having.

Identity & Motivation
There is a high degree of confidence that BlackTech’s cyber espionage operations are state-sponsored and conducted in line with the PRC’s strategic interests. Accordingly, its campaigns support intelligence collection priorities on regional security threats, military modernization, international diplomatic positioning, and the advancement of China’s high-technology sectors.
Attribution: BlackTech could be categorized as an advanced persistent threat (APT) group that aligns with China and will likely be operating at the direction and pursuant to the requests of either Chinese intelligence departments or military cyber units.
Active Since: The group has been operating since at least the early 2010s, and active operations are expected to continue through 2025 and beyond.
Motivation: BlackTech is not driven by a need to monetize its operations. Instead, BlackTech’s primary goal is to collect intelligence over time, to establish surveillance of Government and military assets, to maintain access to standard telecommunications and network infrastructures, and to assist in the development of China’s geopolitical ambitions in the region and globally.
The group’s interest and method of operation indicate that BlackTech makes a concerted effort to avoid detection, and as such, it is a cyber intelligence gathering organisation that focuses on the long term and is not designed to perform disruptive cyber operations.
Tactics, Techniques, and Procedures (TTPs)
BlackTech’s operations rest on deep technical skill and on the networks it has compromised, and the group is able to apply a wide range of methods to gain access.
Initial Access
BlackTech takes multiple avenues to gain initial access. Some of these methods include:
– Spearphishing campaigns with themes relating to either government agencies or industries
– Exploiting vulnerabilities in services and devices that are accessible via the Internet
– Compromising trusted third-party service providers
– Utilizing weak authentication or incorrectly configured remote management interfaces
BlackTech’s focus on devices at the network edge (i.e., routers/switches/firewalls) has allowed BlackTech to bypass endpoint protection measures.
Execution & Tooling
After gaining access, BlackTech uses custom-made malware and native system tools to operate within target environments. Examples include:
– Backdoor malware such as Palmerworm and HUAPI variants
– Modular loaders that allow payloads to be delivered to targeted systems on-the-fly
– Scripts and binary files customized to the needs of each target organization
Malware created by BlackTech tends to be lightweight and designed to mimic the activity of normal systems and networks.
Persistence
The BlackTech group has multiple means to enable persistent access to the network environment. Some of those methods include:
• Modifying firmware/system startup scripts of network devices
• Creating hidden administrative accounts
• Installing stealth backdoors within legitimate services
• Employing numerous redundant means to maintain access in the event of a remediation effort
By utilizing these techniques, BlackTech is able to retain access to a compromised environment even after the environment has been partially cleaned up.
Command and Control (C2)
The C2 infrastructure operated by the BlackTech group is designed for stealth. BlackTech utilizes the following techniques to evade detection of its C2 infrastructure:
• All communications are encrypted through either HTTPS or custom-made protocols
• Compromised routers and servers are configured as C2 relay nodes
• The use of frequently rotating domains and IP addresses
BlackTech has also leveraged the victim’s own network devices to act as covert C2 proxies.
Defense Evasion
BlackTech consistently utilizes methods to evade detection through the means of:
• Little or no use of noisy malware
• Reliance on legitimate, administrative functions
• Limited forensic evidence remaining on the hard drive
• Disabling or circumventing any form of logging activity on the compromised device
The above methods dramatically increase BlackTech’s ability to avoid detection and attribution.
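The persistence techniques listed above (modified startup hooks, hidden administrative accounts) and the logging suppression listed under defense evasion all leave traces in a device’s running configuration. The following Python check, an added example that is not part of the original post, diffs a constructed IOS-like configuration sample against a known-good baseline and reports those deviations; the config syntax, hostnames, usernames and addresses are all assumptions made for illustration.

```python
"""Hunt for BlackTech-style device persistence by diffing a running config
against a known-good baseline. Config syntax is a constructed IOS-like sample."""
import re

# Constructed known-good baseline for one edge router (sample data).
BASELINE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER
boot system flash:approved-image.bin
logging host 10.0.0.5
event manager applet health-check
"""

# Constructed post-compromise config: extra admin, extra boot image, new hook, logging off.
SUSPECT_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_bkp privilege 15 secret 9 $9$PLACEHOLDER
boot system flash:approved-image.bin
boot system tftp://192.0.2.10/stage.bin
no logging host 10.0.0.5
event manager applet health-check
event manager applet boot-hook
"""

PRIV_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b")
BOOT_RE = re.compile(r"^boot\s+system\s+(\S+)")
HOOK_RE = re.compile(r"^event manager applet\s+(\S+)")


def audit_config(running: str, baseline: str) -> list[str]:
    """Return human-readable findings for deviations from the baseline."""
    base = {ln.strip() for ln in baseline.splitlines() if ln.strip()}
    run = [ln.strip() for ln in running.splitlines() if ln.strip()]
    base_admins = {m.group(1) for ln in base if (m := PRIV_RE.match(ln))}
    base_boot = {m.group(1) for ln in base if (m := BOOT_RE.match(ln))}
    base_hooks = {m.group(1) for ln in base if (m := HOOK_RE.match(ln))}
    findings = []
    for ln in run:
        if (m := PRIV_RE.match(ln)) and m.group(1) not in base_admins:
            findings.append(f"new privileged account: {m.group(1)}")
        elif (m := BOOT_RE.match(ln)) and m.group(1) not in base_boot:
            findings.append(f"unapproved boot image: {m.group(1)}")
        elif (m := HOOK_RE.match(ln)) and m.group(1) not in base_hooks:
            findings.append(f"new startup/event hook: {m.group(1)}")
        elif ln.startswith("no logging"):
            findings.append(f"logging disabled in running config: {ln}")
    for ln in sorted(base):  # baseline logging statements that vanished
        if ln.startswith("logging ") and ln not in run:
            findings.append(f"baseline logging removed: {ln}")
    return findings
```

Run against a real fleet, the baseline would come from configuration management and the running config from a scheduled pull, so that every deviation is reviewed rather than silently accepted.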

Notable Operations
BlackTech has impacted global businesses and government entities significantly through the use of espionage campaigns in various operations.
East Asian Government Intrusions
BlackTech has focused much of its efforts against government resources in East Asia, including targeting:
– Ministry of Defence,
– Government Ministers, and
– Other public sector organizations
BlackTech has been particularly successful at infiltrating these organizations for months or years without detection.
Telecommunications and ISP Compromise
BlackTech is widely known for targeting telecommunications companies and Internet service providers. By compromising routers and the wider network infrastructure, BlackTech has been able to obtain valuable access, such as:
– Visibility into an organization’s entire network traffic,
– Access to its users’/customers’ metadata, and
– Strategic leverage over national telecommunications companies through the ability to manipulate their infrastructure.
Such access yields substantial intelligence value and the potential for leverage in the event of geopolitical conflict.
Technology and Manufacturing Espionage
Additionally, BlackTech has targeted technology and manufacturing companies involved in the following technical areas:
– Semiconductor manufacturing and technology
– Networking hardware technology, and
– Advanced electronics technology
The data collected through the methods described above supports China’s efforts to develop domestic innovation and reduce its dependence on foreign technology.
Use of Compromised Infrastructure as Attack Platforms
On at least a couple of occasions, BlackTech has used compromised routers and servers belonging to a variety of organizations as staging points for additional attacks, allowing it to move laterally into further targeted organizations while obscuring the initial point of attack.
Recent Developments (2023–2025)
BlackTech, one of several Chinese advanced persistent threat groups that have compromised telecommunications infrastructure worldwide, has recently refined both its strategies and its tooling for cyber surveillance.
Infrastructure-Centric Focus: By taking a more infrastructure-centric approach, BlackTech has significantly increased its focus on alternative attack vectors including compromising edge devices, VPNs and routers. These devices are typically among the least monitored in an organisation, and therefore present inherent risk to an organisation’s data.
Improved Operational Security: BlackTech has also demonstrated an improvement in Operational Security (OPSEC) practices by improving compartmentalisation of operations, quicker rotations of its supporting infrastructure and much less reuse of malware artefacts required for successful attacks on targeted organisations.
Overlap with Other China-Aligned Clusters: Analysts have noted some level of overlap between BlackTech and some other PRC-associated threat actors, with some suggesting that these overlaps are indicative of a larger ecosystem of attackers sharing resources or coordinating taskings among one another.
Expanded Geographic Scope: While BlackTech’s main theatre of operations is in East Asia, it is increasing its focus on Europe and North America with a particular interest on the telecommunications and technology sectors.
Strategic Impact
As a strategic threat to both U.S. and allied interests, BlackTech presents a number of national security risks:
National Security Risk: Compromising government and/or military networks results in a loss of confidentiality and limits those organizations’ long-term strategic planning capabilities.
Telecommunications Exposure: The potential for access to telecom infrastructure opens the doors for systemic vulnerabilities (surveillance, future disruption) at scale which represents a unique systemic risk.
Economic and Technological Advantage: The theft of sensitive technology data at scale provides China with the economic and technological advantage it needs to achieve its long-term industrial and military goals.
Attribution and Detection Challenges: The unique and sophisticated nature of BlackTech’s approach poses a significant threat to network defence and detection capabilities by organisations.
Conclusion
BlackTech is one of the most skilled and capable of the APT groups loyal to China, and it continues to operate today as a strong APT (advanced persistent threat) group. BlackTech has been able to reach long-term intelligence goals by concentrating on compromising infrastructure, employing persistent operations, and utilizing highly disciplined operational security practices to avoid being detected.
With the continued adoption of edge-computing solutions and growing reliance on cloud-connected infrastructure, many companies leave a blind spot that BlackTech’s operations exploit as they modernize their networks. In order to protect against these types of threats, companies will need to implement not only traditional endpoint security measures but also gain: (1) comprehensive visibility into all network-connected devices, (2) rapid scanning and mitigation of discovered vulnerabilities, and (3) intelligence-driven threat hunting to identify and counteract these types of campaigns.
Because of the current global climate and due to the flexibility of BlackTech, this APT group will likely be an integral player in China’s ongoing cyber espionage programs for many years beyond 2025.