According to MITRE, this is a China-based cyber threat group that has conducted campaigns against the Hong Kong media industry.
Recent Documented Time
Poison Ivy (PIVY) is a publicly available remote access tool (RAT) that opens a backdoor on the target system and grants the adversary full control, including the ability to:
- Rename, delete or execute files
- Modify registry
- Suspend or kill running process
LOWBALL is a backdoor that uses the Dropbox cloud storage service as its command-and-control (C2) channel: it calls the Dropbox API with a hardcoded bearer access token, and through that channel it can download files to, upload files from, and execute commands on the target system. Communication occurs over HTTPS on port 443, so the C2 traffic is encrypted and blends in with legitimate Dropbox use.
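Because the C2 channel is a legitimate cloud API over TLS, the practical detection points are (a) which internal hosts talk to the Dropbox API endpoints at all, and (b) the hardcoded bearer token, which is a static string inside the implant and can be carved out of a sample or a memory dump. The following is an added example written for this page, not code from the page or from any vendor report; it assumes the public Dropbox API v2 hostnames and file endpoints (`api.dropboxapi.com`, `content.dropboxapi.com`, `/2/files/upload`, `/2/files/download`, `/2/files/list_folder`) as the things to look for, a hypothetical proxy log format, and a constructed binary blob with a made-up token. Nothing here is taken from LOWBALL itself.

```python
"""Added detection example (not from the page or any vendor): flag internal
clients that talk to the Dropbox API and carve a hard-coded bearer token."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: Dropbox's public API v2 hostnames. The official desktop client also
# uses these, so sanctioned clients must be allow-listed by the caller.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}

# Assumption: map of Dropbox API v2 file endpoints to the behaviour the text
# attributes to the implant (download, upload, tasking).
ENDPOINT_BEHAVIOUR = {
    "/2/files/upload": "upload (possible exfiltration)",
    "/2/files/download": "download (possible ingress tool transfer)",
    "/2/files/list_folder": "list folder (possible tasking poll)",
}

# Hypothetical proxy log format: ts client method url status user_agent
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ua>.*)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2015-08-10T09:12:01Z 10.0.0.15 GET https://www.example.org/news 200 Mozilla/5.0
2015-08-10T09:12:44Z 10.0.0.23 POST https://api.dropboxapi.com/2/files/list_folder 200 Mozilla/4.0
2015-08-10T09:12:45Z 10.0.0.23 POST https://content.dropboxapi.com/2/files/download 200 Mozilla/4.0
2015-08-10T09:13:02Z 10.0.0.23 POST https://content.dropboxapi.com/2/files/upload 200 Mozilla/4.0
2015-08-10T09:15:00Z 10.0.0.40 GET https://www.dropbox.com/home 200 Mozilla/5.0
"""


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_dropbox_api_clients(log_text, sanctioned_clients=frozenset()):
    """Return {client_ip: [api paths]} for unsanctioned clients hitting the API hosts.

    Only https traffic to the API hosts counts; the Dropbox web UI on
    www.dropbox.com is deliberately not matched.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["url"])
        if url.scheme != "https" or url.hostname not in DROPBOX_API_HOSTS:
            continue
        if rec["client"] in sanctioned_clients:
            continue
        hits[rec["client"]].append(url.path)
    return dict(hits)


def describe_hits(hits):
    """Turn flagged paths into human-readable behaviour labels per client."""
    return {
        client: [ENDPOINT_BEHAVIOUR.get(p, f"other API call ({p})") for p in paths]
        for client, paths in hits.items()
    }


# Bearer tokens are opaque URL-safe strings; 20+ chars avoids matching the word
# "Bearer" alone in help text. Assumption: token alphabet is [A-Za-z0-9._-].
BEARER_RE = re.compile(rb"Bearer\s+([A-Za-z0-9._\-]{20,})")

# Constructed token and blob standing in for a sample or memory dump (made up).
FAKE_TOKEN = "EXAMPLE0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Authorization: Bearer " + FAKE_TOKEN.encode() + b"\r\n\x00"
    + b"https://api.dropboxapi.com/2/files/list_folder\x00"
)


def extract_bearer_tokens(blob):
    """Carve candidate hard-coded bearer tokens out of a binary blob."""
    return [m.decode("ascii") for m in BEARER_RE.findall(blob)]


if __name__ == "__main__":
    flagged = flag_dropbox_api_clients(SAMPLE_LOG)
    for client, labels in describe_hits(flagged).items():
        print(client, "->", "; ".join(labels))
    print("tokens:", extract_bearer_tokens(SAMPLE_BLOB))
```

Because the channel is HTTPS on 443, the proxy or TLS-SNI log only exposes the hostname and, with TLS interception, the path; payload contents are not visible, which is why the token has to come from the sample rather than the wire. A carved token is also an actionable indicator: the provider can revoke it, and that cuts the implant off from its C2.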
Campaign Mind Map