Calypso

Description

(Positive Technologies) The PT Expert Security Center first took note of Calypso in March 2019 during threat hunting. Our specialists collected multiple samples of malware used by the group. They have also identified the organizations hit by the attackers, as well as the attackers’ C2 servers.

Our data indicates that the group has been active since at least September 2016. The primary goal of the group is theft of confidential data. Main targets are governmental institutions in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey.

Our data gives reason to believe that the APT group is of Asian origin.

Names

Name	Name-Giver
Calypso	Positive Technologies
Bronze Medley	SecureWorks

Country

• China

Motivation

• Information theft and espionage

First Seen

2016

Observed Sectors

• Government

Observed Countries

• Afghanistan
• Belarus
• Brazil
• India
• Kazakhstan
• Kyrgyzstan
• Mongolia
• Russia
• Thailand
• Turkey
• Ukraine

Tools

• Byeby
• Calypso RAT
• DCSync
• DoublePulsar
• EarthWorm
• EternalBlue
• EternalRomance
• FlyingDutchman
• Hussar
• Mimikatz
• nbtscan
• netcat
• OS_Check_445
• PlugX
• Quarks PwDump
• SysInternals
• TCP Port Scanner
• Whitebird
• ZXPortMap
• Living off the Land

Operations

• 2021-03: Exchange servers under siege from at least 10 APT groups https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
• 2021-08: 4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan https://www.recordedfuture.com/chinese-APT-groups-target-afghan-telecommunications-firm/

Information

• https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/

Other Information

Uuid

f1a566ce-dff3-4f39-b9cb-d7acd82db584

Last Card Change

2021-11-02