
Threat Actor Characterization

BlackTech

ID: 6b724ee1b37c90d02cc7239ed8153f4216021
Actor type: Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Supply Chain
Origin: China (region UNKNOWN)
Updated: 2026-01-13
Created: 2025-10-21
Progress: 38%  Completeness: 33%  Freshness: 50%
Operation zone: UNKNOWN
Aliases: Palmerworm
MITRE ATT&CK®

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living-off-the-land tactics to compromise media, construction, engineering, electronics, and financial company networks. Ref: https://attack.mitre.org/groups/G0098/


Technique   Technique name                                  Tactic(s)                                   (evidence follows each row)
T1021.004   Remote Services: SSH                            TA0008 Lateral Movement
  • BlackTech has used PuTTY for remote access.
T1036.002   Masquerading: Right-to-Left Override            TA0005 Defense Evasion
  • BlackTech has used the right-to-left override character to obfuscate the filenames of malicious e-mail attachments.
T1204.001   User Execution: Malicious Link                  TA0002 Execution
  • BlackTech has used e-mails with malicious links to lure victims into installing malware.
T1204.002   User Execution: Malicious File                  TA0002 Execution
  • BlackTech has used e-mails with malicious documents to lure victims into installing malware.
T1566.001   Phishing: Spearphishing Attachment              TA0001 Initial Access
  • BlackTech has used spearphishing e-mails with malicious password-protected archives (ZIP or RAR) to deliver malware.
T1566.002   Phishing: Spearphishing Link                    TA0001 Initial Access
  • BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.
T1574.001   Hijack Execution Flow: DLL                      TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion
  • BlackTech has used DLL side-loading by giving DLLs hardcoded names and placing them in searched directories.
T1588.002   Obtain Capabilities: Tool                       TA0042 Resource Development
  • BlackTech has obtained and used tools such as PuTTY, SNScan, and PsExec for its operations.
T1588.003   Obtain Capabilities: Code Signing Certificates  TA0042 Resource Development
  • BlackTech has used stolen code-signing certificates for its malicious payloads.
T1588.004   Obtain Capabilities: Digital Certificates       TA0042 Resource Development
  • BlackTech has used valid, stolen digital certificates for some of their malware and tools.