APT10 Threat Actor Profile
APT10, also known as MenuPass, Red Apollo, or Stone Panda, is a highly sophisticated cyber espionage group believed to be linked to China’s Ministry of State Security (MSS). Active since at least 2009, APT10 leverages advanced malware, spear-phishing, and supply-chain compromises to target global industries. Their campaigns focus on stealing intellectual property and sensitive data, making them one of the most notorious espionage groups to date.
APT10 TTPs
Tactics
APT10’s primary motivation is cyber espionage, targeting intellectual property, trade secrets, and sensitive government data. Their strategies focus on stealth and persistence, ensuring prolonged access to victim environments for large-scale data theft.
Techniques
APT10 uses spear-phishing emails with malicious attachments as a common entry point into networks. They compromise Managed Service Providers (MSPs) to indirectly access client networks—an approach heavily employed during the “Cloud Hopper” campaign. The group also exploits vulnerabilities in Virtual Private Networks (VPNs) and remote access tools to gain initial or secondary access.
Procedures
Their custom malware arsenal includes tools such as RedLeaves RAT, Quasar RAT, and PlugX, in addition to credential harvesting tools like Mimikatz. Persistence is maintained through methods such as creating admin accounts, scheduled tasks, and DLL side-loading. They exfiltrate data using encrypted communication channels.
Indicators of Compromise (IoCs)
Known IoCs linked to APT10 include IP addresses and domains associated with RedLeaves and PlugX malware command-and-control traffic, as well as credential harvesting activity using Mimikatz. Anomalous MSP access patterns also serve as a key indicator of compromise.
Key Victims
APT10 has targeted a wide range of industries, including aerospace, defense, healthcare, pharmaceuticals, manufacturing, and telecoms. Among their notable targets are government agencies, think tanks, and major corporations across the United States, Japan, and Western Europe.
Notable Cyberattacks
Operation Cloud Hopper (2014–2017)
Healthcare & Pharmaceutical Espionage (2017–2018)
Japanese Government & Defense Contractors (2021–2022)
Law Enforcement & Arrests
In December 2018, the U.S. Department of Justice indicted two Chinese nationals associated with APT10 for involvement in widespread hacking activities. The operation was publicly attributed to China’s MSS, with joint statements released by the UK, Japan, and other allies.
How to Defend Against APT10
Detection Opportunities: Monitor for anomalies such as unusual RDP/VPN logins, suspicious scheduled tasks, and activity tied to APT10 malware. Pay attention to supply-chain access patterns.
Mitigations: Apply Multi-Factor Authentication (MFA) on all external access points, enforce least privilege for user accounts, and regularly patch remote access tools. Network segmentation and endpoint monitoring can also help reduce risk. Huntress tools provide proactive defense by identifying and mitigating APT10’s TTPs, ensuring fast response to emerging threats.
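The detection opportunities above (unusual RDP/VPN logons, suspicious scheduled tasks, traffic to known C2 infrastructure from the Indicators of Compromise section) can be turned into simple rules. The script below is an added example written for this profile; it is not Huntress code. The log lines, the trusted address ranges, the business-hours window and the single IoC domain are all constructed placeholders, and a real deployment would pull IoCs from a vetted feed and read events from an EDR or SIEM rather than a string.

```python
"""Toy detector for the APT10 detection opportunities named in this profile.

Added example, not Huntress tooling. Every log line, network range and IoC
below is constructed for the demo; none of it is real APT10 data.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample telemetry (one event per line, key=value fields).
SAMPLE_LOGS = """\
2024-03-12T02:14:07Z host=WS-042 event=4624 logon_type=10 user=jdoe src_ip=203.0.113.45
2024-03-12T09:31:22Z host=WS-042 event=4624 logon_type=10 user=jdoe src_ip=10.20.30.8
2024-03-12T02:16:40Z host=WS-042 event=4698 user=jdoe task=\\Updater cmd="C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe"
2024-03-12T10:00:00Z host=SRV-01 event=4698 user=SYSTEM task=\\Backup cmd="C:\\Program Files\\Backup\\backup.exe"
2024-03-12T02:20:11Z host=WS-042 event=netconn dst=c2.example.invalid
2024-03-12T11:05:00Z host=WS-042 event=netconn dst=updates.example.com
"""

# Assumed environment facts for the demo: where RDP normally originates and
# when staff normally work (UTC). Tune these to the real estate.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)
# Placeholder IoC set; production values must come from a vetted threat feed.
IOC_DOMAINS = {"c2.example.invalid"}
# Scheduled tasks whose binary lives in a user-writable directory are a
# classic persistence tell (the page lists scheduled tasks as an APT10 method).
SUSPICIOUS_PATHS = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one constructed log line into a dict; first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for m in KV_RE.finditer(rest):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def rdp_from_untrusted(ev):
    """Remote interactive logon (4624, logon type 10) from an untrusted range
    or outside business hours."""
    if ev.get("event") != "4624" or ev.get("logon_type") != "10":
        return None
    ip = ipaddress.ip_address(ev["src_ip"])
    untrusted = not any(ip in net for net in TRUSTED_NETS)
    off_hours = ev["ts"].hour not in BUSINESS_HOURS
    if untrusted or off_hours:
        why = "untrusted source" if untrusted else "off-hours"
        return f"RDP logon by {ev['user']} from {ip} on {ev['host']} ({why})"
    return None


def suspicious_task(ev):
    """Scheduled task creation (4698) whose command runs from a user-writable path."""
    if ev.get("event") != "4698":
        return None
    if SUSPICIOUS_PATHS.search(ev.get("cmd", "")):
        return f"task {ev['task']} on {ev['host']} runs from user-writable path: {ev['cmd']}"
    return None


def ioc_hit(ev):
    """Outbound connection to a destination on the IoC list."""
    if ev.get("event") != "netconn":
        return None
    if ev.get("dst") in IOC_DOMAINS:
        return f"{ev['host']} connected to listed C2 domain {ev['dst']}"
    return None


RULES = (rdp_from_untrusted, suspicious_task, ioc_hit)


def scan(log_text):
    """Run every rule over every event; return (rule, host, message) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((rule.__name__, ev["host"], msg))
    return alerts


if __name__ == "__main__":
    for name, host, msg in scan(SAMPLE_LOGS):
        print(f"[{name}] {msg}")
```

On the sample data the script raises three alerts, all on WS-042: an off-network RDP logon, a scheduled task pointing into the user's Temp directory, and a connection to the placeholder C2 domain. Grouping by host like this is what makes the individual signals useful, since one host tripping all three rules within minutes matches the access-then-persist-then-beacon pattern described earlier in this profile far better than any single rule does.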