APT10 Threat Actor Profile

APT10, also known as MenuPass, Red Apollo, or Stone Panda, is a highly sophisticated cyber espionage group believed to be linked to China’s Ministry of State Security (MSS). Active since at least 2009, APT10 leverages advanced malware, spear-phishing, and supply-chain compromises to target global industries. Their campaigns focus on stealing intellectual property and sensitive data, making them one of the most notorious espionage groups to date.

Country of Origin

APT10 is widely attributed to China, with multiple reports linking the group's activities to China’s Ministry of State Security (MSS). Attributions have been publicly confirmed by nations such as the United States, the United Kingdom, and Japan.

Members

Specific membership details remain unknown. However, APT10 appears to employ a combination of skilled operators and developers, likely funded by Chinese state interests. The names MenuPass, Cicada, Red Apollo, and Stone Panda are labels assigned by different security vendors to the same activity cluster, not names the group chose; "Cloud Hopper" is the name PwC and BAE Systems gave to the group's MSP-focused campaign rather than an alias for the group itself.

Leadership

No individual leaders of APT10 have been explicitly named in public reports. However, the group is believed to operate as a contractor team under the direction of the Tianjin State Security Bureau, a division of China's MSS.

APT10 TTPs

Tactics

APT10’s primary motivation is cyber espionage, targeting intellectual property, trade secrets, and sensitive government data. Their strategies focus on stealth and persistence, ensuring prolonged access to victim environments for large-scale data theft.

Techniques

APT10 uses spear-phishing emails with malicious attachments as a common entry point into networks. They compromise Managed Service Providers (MSPs) to indirectly access client networks—an approach heavily employed during the “Cloud Hopper” campaign. The group also exploits vulnerabilities in Virtual Private Networks (VPNs) and remote access tools to gain initial or secondary access.

Procedures

Their malware arsenal includes custom and commodity tools such as the RedLeaves RAT, the open-source Quasar RAT, and PlugX, alongside credential-harvesting tools like Mimikatz. Persistence is maintained by creating additional local administrator accounts, registering scheduled tasks, and DLL side-loading (dropping a legitimate signed executable next to a malicious DLL that it loads on start). Stolen data is staged, compressed, and exfiltrated over encrypted channels to attacker-controlled infrastructure.

Notable Cyberattacks

Operation Cloud Hopper (2014–2017)

APT10 orchestrated the “Cloud Hopper” campaign, breaching MSPs to access the networks of their clients. This supply-chain compromise affected government agencies, defense contractors, and Fortune 500 companies worldwide.

Healthcare & Pharmaceutical Espionage (2017–2018)

APT10 carried out campaigns targeting U.S. healthcare and pharmaceutical companies, likely aiming to steal research and intellectual property.

Japanese Government & Defense Contractors (2021–2022)

APT10 intensified their focus on Japan, targeting government departments, defense firms, and technology companies to extract sensitive data.

Law Enforcement & Arrests

In December 2018, the U.S. Department of Justice indicted two Chinese nationals, Zhu Hua and Zhang Shilong, on charges of conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft for their work with APT10. The indictment tied the group to China's MSS through the Tianjin State Security Bureau, and the UK, Japan, and other allies released coordinated statements attributing the activity to the Chinese government.

How to Defend Against

1. Detection Opportunities: Monitor for RDP and VPN logons from unexpected source networks or outside normal hours, scheduled tasks whose actions point at user-writable directories, newly created accounts that are promoted to local administrator groups shortly after creation, and signed binaries loading unsigned DLLs from unusual paths (the DLL side-loading pattern). Hunt for known APT10 malware families and pay particular attention to access originating from MSP or other third-party management channels, since that is how Cloud Hopper victims were reached.

2. Mitigations: Require Multi-Factor Authentication (MFA) on all external access points, including any remote-management access granted to MSPs; enforce least privilege for user and service accounts; and patch VPN and remote access tools promptly. Network segmentation limits how far a compromised MSP connection can reach, and endpoint monitoring shortens the time an implant can run unnoticed. Huntress combines endpoint telemetry with human SOC review to identify activity matching APT10's TTPs and to speed response.
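To make the persistence procedures and detection opportunities above concrete, here is a small added example (written for this page, not Huntress tooling or code from any APT10 report) that runs four detection rules over constructed Windows Security and Sysmon events. The events, the jump-host subnet 10.20.5.0/24, the business-hours window, and the path prefixes are all assumptions for illustration; the event IDs and field names mirror real Windows Security (4624, 4698, 4720, 4732) and Sysmon (7) events.

```python
"""Toy detection pass over constructed Windows Security / Sysmon events.

Rules (assumed baseline, adjust for your environment):
  1. RDP logon (4624, logon type 10) from outside the jump-host subnet or off-hours
  2. Scheduled task (4698) whose action lives in a user-writable directory
  3. Account created (4720) then added to an admin group (4732) within 15 minutes
  4. Sysmon 7: unsigned DLL loaded from a user-writable directory (side-loading)
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta

RDP_ALLOWED_NETS = [ipaddress.ip_network("10.20.5.0/24")]  # assumed jump-host range
BUSINESS_HOURS = range(7, 19)                               # 07:00-18:59 local
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
NEW_ACCOUNT_TO_ADMIN_WINDOW = timedelta(minutes=15)

# Constructed sample telemetry (not real logs), flattened into dicts.
EVENTS = [
    {"id": 4624, "time": "2024-03-04T09:12:00", "host": "FS01", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.20.5.17"},                       # benign RDP
    {"id": 4624, "time": "2024-03-05T03:07:41", "host": "DC01", "user": "svc_backup",
     "logon_type": 10, "src_ip": "172.16.200.45"},                    # off-net, off-hours
    {"id": 4698, "time": "2024-03-05T03:09:02", "host": "DC01", "user": "svc_backup",
     "task_name": "\\Microsoft\\Windows\\Update\\WinUpdate",
     "action": "C:\\Users\\Public\\Libraries\\update.exe"},           # user-writable path
    {"id": 4698, "time": "2024-03-04T10:00:00", "host": "WS07", "user": "it_admin",
     "task_name": "\\Backup\\Nightly",
     "action": "C:\\Program Files\\Backup\\backup.exe"},              # benign task
    {"id": 4720, "time": "2024-03-05T03:11:15", "host": "DC01", "user": "svc_backup",
     "target_user": "support_tmp"},                                   # new account
    {"id": 4732, "time": "2024-03-05T03:12:40", "host": "DC01", "user": "svc_backup",
     "target_user": "support_tmp", "group": "Administrators"},        # promoted fast
    {"id": 7, "time": "2024-03-05T03:15:00", "host": "DC01",
     "image": "C:\\Users\\Public\\Libraries\\conhost.exe",
     "image_loaded": "C:\\Users\\Public\\Libraries\\winspool.drv",
     "signed": False},                                                # side-load pattern
]


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def _user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per rule hit; events are processed in time order."""
    findings: list[dict] = []
    creations: dict[str, dict] = {}  # target_user -> 4720 event, for the 4720->4732 chain
    for ev in sorted(events, key=_ts):
        eid = ev["id"]
        if eid == 4624 and ev.get("logon_type") == 10:
            src = ipaddress.ip_address(ev["src_ip"])
            off_net = not any(src in net for net in RDP_ALLOWED_NETS)
            off_hours = _ts(ev).hour not in BUSINESS_HOURS
            if off_net or off_hours:
                findings.append({"rule": "anomalous_rdp_logon", "host": ev["host"],
                                 "detail": f"{ev['user']} from {src} at {ev['time']}"})
        elif eid == 4698 and _user_writable(ev["action"]):
            findings.append({"rule": "scheduled_task_user_writable_path", "host": ev["host"],
                             "detail": f"{ev['task_name']} -> {ev['action']}"})
        elif eid == 4720:
            creations[ev["target_user"]] = ev
        elif eid == 4732 and ev.get("group") in ADMIN_GROUPS:
            created = creations.get(ev["target_user"])
            if created and _ts(ev) - _ts(created) <= NEW_ACCOUNT_TO_ADMIN_WINDOW:
                findings.append({"rule": "new_account_promoted_to_admin", "host": ev["host"],
                                 "detail": f"{ev['target_user']} added to {ev['group']}"})
        elif eid == 7 and not ev.get("signed", True) and _user_writable(ev["image_loaded"]):
            findings.append({"rule": "unsigned_dll_from_user_writable_path", "host": ev["host"],
                             "detail": f"{ev['image']} loaded {ev['image_loaded']}"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Running it against the constructed events yields four findings, all on DC01, and none for the benign RDP logon or the Program Files scheduled task. In production the baseline (allowed subnets, hours, trusted paths) should come from your own environment rather than constants, and the 4720-to-4732 chain is worth correlating across hosts, since an operator who has MSP-level access will often create the account on one system and use it on another.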
