^[7][2]

^[7][1]

^[8]

^[7][8]

^[1]

^[9]

APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.^[4]

SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network.^[9]

APT5 has acquired a network of compromised systems – specifically an ORB (operational relay box) network – for follow on activities.^[9]

APT5 has used the JAR/ZIP file format for exfiltrated files.^[4]

APT5 has used PowerShell to accomplish tasks within targeted environments.^[4]

APT5 has used cmd.exe for execution on compromised systems.^[4]

APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence.^[3][4]

APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.^[4]

APT5 has staged data on compromised systems prior to exfiltration often inC:\Users\Public.^[4]

APT5 has exploited vulnerabilities in externally facing software and devices including Pulse Secure VPNs and Citrix Application Delivery Controllers.^[3][4][1][2]

SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access.^[1][9]

APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.^[4]

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.^[4]

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at/home/runtime/logs.^[3][4]

APT5 has cleared the command history on targeted ESXi servers.^[4]

APT5 has deleted scripts and web shells to evade detection.^[3][4]

APT5 has modified file timestamps.^[4]

APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.^[5][6]

APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.^[4]

APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with aKB<digits>.zip pattern.^[4]

SPACEHOP Activity leverages a C2 framework sourced from a publicly-available Github repository for administration of relay nodes.^[9]

APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes.APT5 has also dumped clear text passwords and hashes from memory usingMimikatz hosted through an RDP mapped drive.^[4]

APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.^[4]

APT5 has used Windows-based utilities to carry out tasks including tasklist.exe.^[4]

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality.^[4]

SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications.^[9]

APT5 has moved laterally throughout victim environments using RDP.^[4]

APT5 has used SSH for lateral movement in compromised environments including for enabling access to ESXi host servers.^[4]

APT5 has made modifications to the crontab file including in/var/cron/tabs/.^[1]

APT5 has installed multiple web shells on compromised servers including on Pulse Secure VPN appliances.^[3][4]

APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs.^[4]

APT5 has used legitimate account credentials to move laterally through compromised environments.^[3]

APT5 has accessed Microsoft M365 cloud environments using stolen credentials.^[4]