Anomali Uncovers Chinese APT Shared Supply Chain

Threat Actors Developing, Selling Exploits Used in Commodity Malware Campaigns

REDWOOD CITY, Calif., July 03, 2019 (GLOBE NEWSWIRE) -- Anomali, a leader in threat intelligence, today published its latest cyber threat intelligence research blog. As part of its ongoing Royal Road Weaponizer analysis, the Anomali Threat Research Team confirmed that specific Chinese Advanced Persistent Threats (APTs) are sharing a supply chain for exploits in Microsoft Office products. The key evidence for this conclusion is the observation that the threat actors all updated their weaponizers to use a new exploit at or around the same time.

Observations also indicate that the threat actors may be able to develop exploits on their own. The evidence further shows that, after using these exploits, the actors may be selling them to a wider range of groups, as the exploits are now appearing in commodity-malware campaigns.

“When we began this research, our focus on the malicious RTF weaponizer and groups using them led us to suspect that these APTs, which typically work in silos, were collaborating or sharing the same supply chain. We realized that this is the case after observing that all of the groups updated their weaponizers to use new exploits at almost the same time,” said Ghareeb Saad of the Anomali Threat Research Team. “This observation is significant. It shows that these threat actors have exploit developing capabilities and are operating together. Such a move could help them to become more efficient and effective.”

Detailed findings are presented in the blog post “Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018.” The post details activities and exploits shared among five Chinese groups: Conimes, KeyBoy, Emissary Panda, Rancor, and Temp.Trident.


About Anomali
Anomali® detects adversaries and tells you who they are. Organizations rely on the Anomali Threat Platform to detect threats, understand adversaries, and respond effectively. Anomali arms security teams with machine learning optimized threat intelligence and identifies hidden threats targeting their environments. The platform enables organizations to collaborate and share threat information among trusted communities and is the most widely adopted platform for ISACs and leading enterprises worldwide. For more information, visit us at

Joe Franscella
News Media Relations