Microsoft Seizes Domains Used by China-Linked APT ‘Nickel’

Microsoft says it has seized control of domains that China-linked threat actor Nickel has been employing in malicious attacks targeting organizations in the United States and worldwide.

The tech giant took over the websites after filing pleadings with the U.S. District Court for the Eastern District of Virginia, which quickly granted an order in this regard.

While the move will prevent the group’s access to some of its victims, it is unlikely to put an end to Nickel’s activities. However, Microsoft does believe that the infrastructure it just seized was used as part of the group’s most recent wave of attacks.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Microsoft says.

In activity Microsoft has been tracking since 2019, Nickel has been using the now seized websites to execute attacks on victims in a total of 29 countries in Europe, Central and South America, the Caribbean, and North America, mostly for harvesting intelligence from government agencies, human rights organizations, and think tanks.

Active since at least 2013 and also tracked as APT15, KE3CHANG, Royal APT, Playful Dragon, and Vixen Panda, the hacking group is likely sponsored by the Chinese government, as its activities often fall in line with China’s geopolitical interests.

The adversary uses vulnerable virtual private network (VPN) appliances (Pulse Secure VPN) and stolen credentials to compromise targets, as well as custom, hard-to-detect malware that helps it with intrusions, surveillance, and data exfiltration.

The threat actor targeted internet-facing web applications on vulnerable, unpatched on-premises Exchange Server and SharePoint systems; Microsoft says no new vulnerabilities in its products were exploited.

The group was observed gaining long-term access to the target organizations, which allowed it to regularly exfiltrate data of interest, as well as deploying a keylogger to harvest credentials, along with password dumping tools such as Mimikatz, WDigest, NTDSDump, and more.

For command and control purposes, Nickel deployed malware such as Leeson, Neoichor, NullItch, NumbIdea, and Rokum. Of these, Leeson, Neoichor, and NumbIdea rely on Internet Explorer for communication purposes, Microsoft says.

Backdoors deployed by the group can harvest system data (IP address, OS version, language ID, computer name, username), launch processes, download/upload files, and execute shellcode.

“No individual action from Microsoft or anyone else in the industry will stem the tide of attacks we’ve seen from nation-states and cybercriminals working within their borders. We need industry, governments, civil society and others to come together and establish a new consensus for what is and isn’t appropriate behavior in cyberspace,” Microsoft says.

To date, Microsoft has filed 24 lawsuits against threat actors, including five against nation-state adversaries, which allowed it to take down roughly 10,000 malicious websites, including 600 employed by state-sponsored hackers. The company says it has also blocked the registration of 600,000 additional sites.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
