Connect with us

Hi, what are you looking for?



‘Tick’ Cyber Espionage Group Linked to China

The cyber espionage group known as Bronze Butler and Tick continues to target Japan using custom-built malware. Evidence found by researchers suggests that the actor is based in China.

The cyber espionage group known as Bronze Butler and Tick continues to target Japan using custom-built malware. Evidence found by researchers suggests that the actor is based in China.

The first report on Tick was published in April 2016 by Symantec. However, the security firm pointed out at the time that the threat group had likely been active for at least a decade prior to its activities being discovered.

Tick has been known to use a downloader tracked as Gofarer and a data-stealing Trojan dubbed Daserf. A report published by Palo Alto Networks earlier this year linked the custom-built Daserf malware – based on command and control (C&C) servers – to a threat known as Minzen, XXMM, Wali and ShadowWali.

The first Tick attacks detailed by Symantec focused on technology, aquatic engineering, and broadcasting firms in Japan. Palo Alto Networks reported seeing campaigns aimed at defense and high-tech organizations in Japan and South Korea.

A new report published last week by SecureWorks links Tick to China based on several pieces of evidence. For example, the group uses T-SMB Scan tools created by a Chinese developer, an early version of the Minzen backdoor used Chinese characters in a service name, and there are links between Daserf and the NCPH group, which has been tied to the Chinese military.

Experts also pointed out that Tick activity has typically decreased during Chinese national holidays, and targeting intellectual property and economic intelligence from competing countries is something China has been known to do.

The attacks observed by the security firm were aimed at Japanese organizations in the critical infrastructure, manufacturing, heavy industry and international relations sectors. The hackers have mainly targeted intellectual property related to technology and development, business and sales information, emails and meeting schedules, product specifications, and network and system configuration files.

The report from SecureWorks also provides some information on Datper, a piece of malware used in 2016 and 2017, which experts believe was meant to replace Daserf. XXMM has been used by the threat actor in roughly the same period.

Advertisement. Scroll to continue reading.

The Tick group has continued to use spear-phishing and watering hole attacks to breach the systems of its targets. However, SecureWorks has also seen attacks involving a zero-day vulnerability affecting a popular Japanese corporate tool.

The zero-day has been used to breach the systems of numerous Japanese organizations, but the hackers only proceeded with further activities in the case of companies that presented an interest. In some cases, the attackers managed to remain undetected within compromised networks for as much as five years.

Once it no longer needs any information from a target, Tick attempts to remove all evidence of its activities on the compromised networks.

Related: China-Linked Spies Use Recent Zero-Day to Target Financial Firms

Related: Over 600 Malware Samples Linked to Chinese Cyberspy Group

Related: China-linked KHRAT Operators Adopt New Delivery Techniques

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...