
Threat Actor Characterization

admin338

ID: 9e0f3027d769d60d57938f8a9b758f3e07649
Category: Cybercrime / Cybercriminal / Malware Dev
Threat types: Malware, Backdoor, RAT
Based in: China
Updated: 2026-01-13
Created: 2025-10-22
Aliases: Admin338, G0018 (3 further aliases are masked in the free preview)
MITRE ATT&CK®

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. Ref: https://attack.mitre.org/groups/G0018/


Techniques (MITRE ATT&CK), each with its tactic and the evidence recorded for it:

T1036.005 Masquerading: Match Legitimate Resource Name or Location (TA0005, Defense Evasion)
  Evidence: admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe

T1059.003 Command and Scripting Interpreter: Windows Command Shell (TA0002, Execution)
  Evidence: Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.

T1069.001 Permission Groups Discovery: Local Groups (TA0007, Discovery)
  Evidence: admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: net localgroup administrator >> %temp%\download

T1087.001 Account Discovery: Local Account (TA0007, Discovery)
  Evidence: admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts:
    net user >> %temp%\download
    net user /domain >> %temp%\download

T1204.002 User Execution: Malicious File (TA0002, Execution)
  Evidence: admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.

T1566.001 Phishing: Spearphishing Attachment (TA0001, Initial Access)
  Evidence: admin@338 has sent emails with malicious Microsoft Office documents attached.
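As an added example (not content or tooling from this platform or from MITRE), the following Python matcher shows how a detection engineer could turn the command-line evidence recorded above into two host-based checks: a staged file under %temp% being renamed to a well-known Windows binary name, and account or group enumeration whose output is appended to a %temp% staging file. The process command lines it scans are constructed for the example, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of process command lines (not real telemetry). The first
# four mirror the admin@338 evidence; the last two are benign look-alikes that
# a rule should leave alone.
SAMPLE_CMDLINES = [
    'ren "%temp%\\upload" audiodg.exe',
    'net localgroup administrator >> %temp%\\download',
    'net user >> %temp%\\download',
    'net user /domain >> %temp%\\download',
    'net user',                              # interactive admin use, nothing staged to disk
    'ren C:\\report.txt report_final.txt',   # ordinary rename, not a system binary name
]

# Assumption: only audiodg.exe is documented on this page; extend the set with
# other legitimate Windows binary names as your own telemetry warrants.
SYSTEM_BINARY_NAMES = ("audiodg.exe",)

# A file staged under %temp% renamed to a system binary name (T1036.005).
RENAME_TO_SYSTEM_NAME = re.compile(
    r'^ren\s+"?%temp%\\[^"\s]+"?\s+(' + "|".join(map(re.escape, SYSTEM_BINARY_NAMES)) + r')$',
    re.IGNORECASE,
)
# net user / net localgroup with output appended to a %temp% staging file.
ENUM_TO_TEMP_FILE = re.compile(
    r'^net\s+(user|localgroup)\b.*>>\s*%temp%\\\S+$', re.IGNORECASE
)


def classify(cmdline: str) -> Optional[str]:
    """Return the ATT&CK technique id a command line matches, or None."""
    c = cmdline.strip()
    if RENAME_TO_SYSTEM_NAME.match(c):
        return "T1036.005"
    m = ENUM_TO_TEMP_FILE.match(c)
    if m:
        # localgroup enumeration maps to T1069.001, user enumeration to T1087.001
        return "T1069.001" if m.group(1).lower() == "localgroup" else "T1087.001"
    return None


def scan(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (command line, technique id) pairs for every matching record."""
    hits = []
    for c in cmdlines:
        technique = classify(c)
        if technique:
            hits.append((c, technique))
    return hits


if __name__ == "__main__":
    for cmd, technique in scan(SAMPLE_CMDLINES):
        print(f"{technique}: {cmd}")
```

Redirecting enumeration output to a single file under %temp% is the pattern worth alerting on here; plain `net user` from an administrator's console is routine and is deliberately not matched.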