CeranaKeeper
Description
(ESET) CeranaKeeper has been active since at least the beginning of 2022, mainly targeting governmental entities in Asian countries such as Thailand, Myanmar, the Philippines, Japan, and Taiwan; we believe it is aligned with China’s interests. The group’s relentless hunt for data is remarkable, with its attackers deploying a wide array of tools aimed at extracting as much information as possible from compromised networks. In the operation we analyzed, the group turned compromised machines into update servers, devised a novel technique using GitHub’s pull request and issue comment features to create a stealthy reverse shell, and deployed single-use harvesting components when collecting entire file trees.
CeranaKeeper seems to reuse tools from Mustang Panda (Bronze President).
Names
Name | Name-Giver |
---|---|
CeranaKeeper | ESET |
Country
Sponsor
State-sponsored
Motivation
- Information theft and espionage
First Seen
2022
Observed Sectors
Observed Countries
Tools
Operations
- 2023: Separating the bee from the panda: CeranaKeeper making a beeline for Thailand https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
Information
Other Information
Uuid
36113f3a-c04e-46da-bec8-7d0232e94e2f
Last Card Change
2024-10-24