Threat Actor Characterization

TA459

ID: 63e4b99889b8b3794de1b6b9d211aed672071
Category: Cybercrime, State-Sponsored
Threat types: Intrusion, Phishing, Malware
Updated: 2026-01-26
Created: 2025-10-22
Operation zone: UNKNOWN
Aliases: none registered.
MITRE ATT&CK®

TA459 (MITRE G0062) is a China-nexus espionage actor that in April 2017 spearphished financial analysts in Russia and neighboring countries using CVE-2017-0199 to stage ZeroT and deploy PlugX; associated tooling also included NetTraveler and PCrat/Gh0st.

Technique   Technique name                      Tactics   Evidence
T1566.001   Spearphishing Attachment            TA0001
  • 2017-04-27 — Spearphishing Word attachments sent to financial analysts in Russia and neighboring countries.
T1203       Exploitation for Client Execution   TA0002
  • 2017-04-27 — Exploitation of Microsoft Word CVE-2017-0199 for client-side execution leading to HTA/VBScript.
T1059.005   Visual Basic                        TA0002
  • 2018-04-18 — TA459 documented using VBScript for execution.
T1059.001   PowerShell                          TA0002
  • 2018-04-18 — TA459 documented using PowerShell to execute payloads.
  • 2017-04-27 — Campaign HTA used PowerShell to download and run ZeroT.
T1204.002   Malicious File                      TA0002
  • 2018-04-18 — User execution of malicious files is part of TA459 delivery.
Strategic Intelligence
Last updated: 2025-10-27T23:36:31+00:00
TA459 — China-nexus espionage actor targeting financial analysts and regional governments

CLASSIFICATION: Unclassified / Open Source

Category: Nation-state (cyber espionage) — Origin: China (assessed)


Executive Summary

TA459 (MITRE G0062) is a cyber-espionage activity cluster assessed to operate from China, active in at least 2015–2017 and beyond, with targeting observed against Russia, Belarus, Mongolia, Central Asia and neighboring regions. In April 2017, Proofpoint documented a focused campaign against financial analysts at major firms in Russia and nearby countries using CVE-2017-0199 in Microsoft Word to stage the ZeroT loader and subsequently deploy the PlugX RAT. TA459 tradecraft includes spearphishing attachments, VBScript and PowerShell-based staging, and client-side exploitation for execution. Secondary payloads historically included PlugX, NetTraveler, and PCrat/Gh0st, with command-and-control over HTTP(S) and DNS. The group’s targeting of analysts covering the telecommunications sector indicates a collection priority on regional communications and economic intelligence. INFERENCE (confidence: medium). Overall confidence in actor characterization is high for 2017 activity and TTPs (Proofpoint, MITRE), with medium confidence for current activity scope.


  • Industries/Sectors: Financial services (sell-side/buy-side analysts), government and defense/military organizations; telecom-adjacent analyst coverage.
  • Geography (Region): Central and Northeast Asia; Eastern Europe.
  • Countries (if available): Russia, Belarus, Mongolia (plus others in Central Asia).
  • Timeframe: Publicly reported operations at least 2015–2017; profile maintained/updated by MITRE as of 2025-04-25.
Executive Analyst Brief for CISO

What: TA459 (MITRE G0062) is a China-nexus espionage actor that spearphished financial analysts in Russia and neighbors using CVE-2017-0199 Word documents to stage ZeroT and deploy PlugX; tooling also included NetTraveler and PCrat/Gh0st.

Hunting Playbook (selected rules)

Hunt 1 — Office → Script → PowerShell chain
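Hunt 1 as a worked check, an added example that is not from the profile or its playbook: a parent/child walk over constructed Sysmon-style process-creation events that flags PowerShell running under an Office-spawned script host (the HTA path used in the 2017 campaign) or directly under an Office application. All pids, paths and events are hypothetical and constructed for the demonstration.

```python
# Added example (not from the profile): flag the Office -> script host -> PowerShell
# process chain behind TA459's 2017 campaign, over constructed process-creation events.
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full image path as logged by Sysmon event 1 / EDR

def _base(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_office_powershell_chains(events):
    """Return pid chains (root first) where PowerShell runs directly under an
    Office app, or under a script host (HTA/WSH) that an Office app spawned."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _base(e.image) not in POWERSHELL:
            continue
        chain = [e.pid]
        cur = by_pid.get(e.ppid)
        if cur is not None and _base(cur.image) in SCRIPT_HOSTS:
            chain.append(cur.pid)  # mshta/wscript/cscript in the middle
            cur = by_pid.get(cur.ppid)
        if cur is not None and _base(cur.image) in OFFICE:
            chain.append(cur.pid)
            hits.append(chain[::-1])
    return hits

# Constructed sample telemetry (hypothetical pids and paths, not real IOCs).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, WORD),
    ProcEvent(101, 100, r"C:\Windows\System32\mshta.exe"),  # HTA launched from Word
    ProcEvent(102, 101, PS),                                 # PowerShell stager under the HTA
    ProcEvent(200, 1, WORD),
    ProcEvent(201, 200, r"C:\Windows\splwow64.exe"),        # benign print helper, no alert
    ProcEvent(300, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(301, 300, PS),                                 # admin console, not under Office
    ProcEvent(400, 1, WORD),
    ProcEvent(401, 400, PS),                                 # direct Office -> PowerShell
]
```

On the constructed sample the walk returns the two chains 100 → 101 → 102 and 400 → 401 and stays silent on the benign Word and Explorer sessions; in production, feed it the Sysmon or EDR process-creation stream and enrich hits with command lines before triage.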

Last updated: 2025-11-25T20:46:00+00:00

IOC Appendix (TLP:WHITE)

Concrete indicators from 2017 TA459 reporting (validate freshness before enforcement).
