Ke3chang · G0004 · state
🇨🇳 CN
aka Ke3chang, APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL, Nylon Typhoon, Metushy, Lurid, Social Network Team, Royal APT, BRONZE PALACE, BRONZE DAVENPORT, BRONZE IDLEWOOD, G0004, Red Vulture
Last updated: 2026-07-03
About this actor
[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted the oil, government, diplomatic, and military sectors, as well as NGOs, in Central and South America, the Caribbean, Europe, and North America since at least 2010. (Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018) (Citation: Microsoft NICKEL December 2021)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-21236 | 5.5 | 7.8 | 0.0042 | 2026-02-10 | see CVE |
T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1005, T1007, T1016, T1018, T1020, T1021, T1021.002, T1027, T1033, T1036, T1036.002, T1036.005, T1041, T1049, T1056, T1056.001, T1057, T1059, T1059.003, T1069, T1069.002, T1071, T1071.001, T1071.004, T1078, T1078.004, T1082, T1083, T1087, T1087.001, T1087.002, T1105, T1114, T1114.002, T1119, T1133, T1140, T1190, T1213, T1213.002, T1543, T1543.003, T1547, T1547.001, T1558, T1558.001, T1560, T1560.001, T1569, T1569.002, T1583, T1583.005, T1587, T1587.001, T1588, T1588.002, T1614, T1614.001
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 36 / 63 | 57% |
| CM-6 | 33 / 63 | 52% |
| CM-2 | 30 / 63 | 48% |
| AC-3 | 29 / 63 | 46% |
| AC-2 | 25 / 63 | 40% |
| AC-6 | 25 / 63 | 40% |
| CM-7 | 25 / 63 | 40% |
| CA-7 | 23 / 63 | 37% |
| SI-3 | 23 / 63 | 37% |
| IA-2 | 22 / 63 | 35% |
| AC-5 | 19 / 63 | 30% |
| CM-5 | 19 / 63 | 30% |
| SI-7 | 18 / 63 | 29% |
| AC-4 | 14 / 63 | 22% |
| IA-5 | 13 / 63 | 21% |
Co-occurring actors
- TA505: 1 shared CVE
- Threat Group-3390: 1 shared CVE
Similar actors
Similar TTPs
- Operation CuckooBees 0.41
- Chimera 0.36
- Operation Wocao 0.35
- FIN13 0.34
- MirrorFace 0.32
Overlapping CVEs
- TA505 1.00
- Threat Group-3390 0.20
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- APT12 1.00
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00