Threat Actor Characterization

menuPass

ID: 8e61b13cfeacd956a9bd72dd9d89c43d79691
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, Data Theft
China
Updated: 2026-01-13
Created: 2025-10-20
Aliases (limited preview, 2 of 10 shown): APT-10, APT10
MITRE ATT&CK®

menuPass (APT10) — China-linked espionage group behind Operation Cloud Hopper, compromising MSPs and their customers to steal IP and sensitive data via phishing, trusted-relationship abuse, valid accounts, and HTTP/HTTPS exfiltration.


Technique | Technique name | Tactics | Evidence
T1199 | Trusted Relationship | TA0001
  • 2016–2017 — Operation Cloud Hopper targeted Managed Service Providers to pivot into downstream customer networks.
T1566 | Phishing | TA0001
  • 2016–2018 — Spearphishing used to gain initial access to MSPs and victim tenants.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2016–2018 — Use of stolen valid credentials for persistence and lateral movement across MSP and client environments.
T1560.001 | Archive via Utility | TA0009
  • 2016–2017 — RAR/WinRAR used to archive data prior to exfiltration.
T1105 | Ingress Tool Transfer | TA0011
  • 2016–2017 — Ingress of backdoors (e.g., ChChes, RedLeaves, PlugX/Poison Ivy) over HTTP/HTTPS C2.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2016–2017 — Exfiltration of archives over web protocols from MSP and customer networks.
Strategic Intelligence
Last updated: 2025-10-22T20:16:44+00:00
menuPass (APT10) — China-Linked Espionage Targeting MSP Supply Chains (G0045)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

menuPass (aka APT10 / Stone Panda / Red Apollo / BRONZE RIVERSIDE / Cicada / HOGFISH / CVNX / POTASSIUM) is a China-linked espionage group active since at least 2006 and widely associated with the Operation Cloud Hopper campaign against managed service providers (MSPs) and their downstream customers. Public reporting and a 2018 U.S. indictment describe a years-long global theft of intellectual property and sensitive data, with operators assessed to have worked in association with the MSS Tianjin State Security Bureau. Tradecraft blends spearphishing, MSP/trusted-relationship abuse, valid-account reuse, and a rotating toolset (e.g., RedLeaves, ChChes, PlugX, Poison Ivy, QuasarRAT), with RAR/WinRAR staging for exfiltration over HTTP/HTTPS C2. Capability: high for access and scale, medium for stealth. Confidence: high (ATT&CK, PwC/BAE Cloud Hopper, DOJ/FBI).

Analysts characterize menuPass as state-directed or state-supported; multiple government and private reports align on a PRC nexus and the group’s alignment with strategic economic intelligence priorities. MITRE lists extensive aliases reflecting vendor taxonomy differences.

