Names	CeranaKeeper (ESET)
Country	China China
Sponsor	State-sponsored
Motivation	Information theft and espionage
First seen	2022
Description	(ESET) CeranaKeeper has been active since at least the beginning of 2022, mainly targeting governmental entities in Asian countries such as Thailand, Myanmar, the Philippines, Japan, and Taiwan; we believe it is aligned with China’s interests. The group’s relentless hunt for data is remarkable, with its attackers deploying a wide array of tools aimed at extracting as much information as possible from compromised networks. In the operation we analyzed, the group turned compromised machines into update servers, devised a novel technique using GitHub’s pull request and issue comment features to create a stealthy reverse shell, and deployed single-use harvesting components when collecting entire file trees.

CeranaKeeper seems to reuse tools from Mustang Panda, Bronze President.
Observed	Sectors: Government.
Countries: Japan, Myanmar, Philippines, Taiwan, Thailand.
Tools used	PUBLOAD, TONEINS, TONESHELL.
Operations performed	2023	Separating the bee from the panda: CeranaKeeper making a beeline for Thailand
<https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/>
Information	<https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2023-q1-2024.pdf>
Last change to this card: 24 October 2024