APT1 (Comment Crew / Shanghai Group) – Quick Facts
- Type: Advanced Persistent Threat (APT)
- Aliases: Comment Crew, Comment Group, Comment Panda, Unit 61398
- Origin: China, linked to PLA Unit 61398
- Active Since: Mid-2000s
- Primary Targets: Western corporations, government organizations, defense contractors
- Motivation: Cyber espionage, intellectual property theft
- Tactics & Techniques:
  - Spear-phishing emails
  - Custom malware and remote access tools (RATs)
  - Long-term network infiltration for intelligence gathering
- Notable Campaigns:
  - Exfiltration of corporate data across multiple industries, including aerospace, energy, and technology
- Significance:
  - One of the first publicly documented APT groups
  - Exposed in Mandiant’s 2013 report, raising global awareness of state-sponsored cyber espionage
- Attributed Tools & Malware:
  - WEBC2 Family:
    - WEBC2-AUSOV
    - WEBC2-ADSPACE
    - WEBC2-BOLID
    - WEBC2-CLOVER
    - WEBC2-CSON
    - WEBC2-DIV
    - WEBC2-GREENCAT
    - WEBC2-HEAD
    - WEBC2-KT3
    - WEBC2-QBP
    - WEBC2-RAVE
    - WEBC2-TABLE
    - WEBC2-TOCK
    - WEBC2-UGX
    - WEBC2-YAHOO
    - WEBC2-Y21K
  - GOGGLES – Downloader used by the group (serves as a payload/secondary-stage downloader).
  - GLASSES – A variant or close relative of GOGGLES; identified in a Citizen Lab analysis and likely an earlier or related implementation.
  - AURIGA / BANGAT – Tools linked to a developer tracked as “SuperHard”; mentioned by Mandiant but not always named in the public report.
  - Email-exfiltration utilities: GETMAIL (used to extract PST files) and MAPIGET (used to read emails that haven’t been archived).
  - Public privilege-escalation tools: cachedump, fgdump, and gsecdump, among others; not unique to APT1, but observed in its operations.
  - HTRAN (HUC Packet Transmit Tool) – used as a hop/proxy relay to forward communications between victims and command-and-control servers, helping to obscure origin and routing.
- MITRE ATT&CK: https://attack.mitre.org/groups/G0006/
Description
APT1, often called the Comment Crew or PLA Unit 61398, is one of the most infamous and well-documented cyber espionage groups linked to the Chinese government. First brought into the spotlight by Mandiant’s 2013 report, APT1 was among the first hacking units publicly tied to a specific branch of China’s military, the People’s Liberation Army, revealing the true scale of state-backed digital espionage for economic and strategic gain.
Active since at least 2006, APT1 ran one of the most disciplined and long-running hacking operations ever uncovered. Its members focused on stealing intellectual property and confidential business information from hundreds of organizations across industries like aerospace, defense, energy, telecom, and manufacturing – mostly in the United States, but also in Europe and Asia. Everything they took seemed to serve China’s national interests, whether by boosting its industries or informing military and political strategies.
Technically, APT1 was known for its methodical and repeatable playbook. The group broke in through targeted phishing emails and custom malware such as the WEBC2 family (with variants like WEBC2-AUSOV and WEBC2-GREENCAT). Once inside, they established persistence, harvested credentials with public dumping tools such as fgdump, pulled email with GETMAIL and MAPIGET, and routed stolen data through a vast command-and-control network of more than 1,000 servers and 2,500 domains, often relayed through HTRAN hop points to obscure the true origin of the traffic. Their infrastructure and coding style were remarkably consistent, the work of full-time engineers, not lone hackers.
What made APT1 stand out wasn’t just the scale of its operations, but the professionalism behind it. Investigators found evidence of shift-based work hours, organized infrastructure, and shared codebases, all pointing to a state-run, military-grade espionage unit based in Shanghai. The exposure of APT1 changed how the world viewed cyber conflict, proving that digital espionage could be conducted with the same structure and intent as any traditional military campaign.
In many ways, APT1 set the template for the modern nation-state hacking group: large, organized, patient, and focused on long-term strategic advantage rather than chaos or quick profit. Its legacy still shapes how governments and companies think about cybersecurity and geopolitical risk today.
References:
- https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
- https://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html
- https://www.wired.com/story/mysterious-return-of-years-old-chinese-malware-apt1/
- https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf
- https://en.wikipedia.org/wiki/PLA_Unit_61398
- https://services.google.com/fh/files/misc/mandiant-apt1-report.pdf