Cyber Resilience

Threat actor · all actors

Cinnamon TempestG1021 state

🇨🇳 CN

aka Cinnamon Tempest, DEV-0401, Emperor Dragonfly, BRONZE STARLIGHT, SLIME34

Last updated: 2026-07-03

1attributed CVEs
26ATT&CK techniques
4.3IDF score (tooling uniqueness)
1exclusive CVEs
2023years active

About this actor

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)

Source: MITRE ATT&CK

Activity timeline

Profile

CVERiskCVSSEPSSPublishedProducts
CVE-2021-4428 8.02.70.68622023-07-18see CVE

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
SI-419 / 2673%
AC-318 / 2669%
CM-617 / 2665%
AC-616 / 2662%
CM-216 / 2662%
AC-215 / 2658%
CM-714 / 2654%
SI-314 / 2654%
AC-513 / 2650%
CM-513 / 2650%
IA-212 / 2646%
CA-711 / 2642%
SI-1011 / 2642%
SI-710 / 2638%
AC-49 / 2635%

Co-occurring actors

None.

Similar actors

Active in same years

Same nation-state