Threat Actor Characterization

Cinnamon Tempest

ID: ca33e5d87571c50773a94c774823a34264554
Cybercrime State-Sponsored
Threat types: Ransomware, Intrusion, Data Leak
China UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 49% Completeness: 48% Freshness: 50%
Operation zone: UNKNOWN
Aliases: BRONZE STARLIGHT, DEV-0401, Em***************
MITRE ATT&CK®

Cinnamon Tempest — China-nexus cluster using short-lived ransomware brands (LockFile/Rook/Night Sky/Pandora) with HUI Loader + Cobalt Strike; likely blends financial pressure with broader objectives.


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | TA0001 | 2021–2025 — Exploitation of internet-facing applications for rapid footholds. |
| T1105 | Ingress Tool Transfer | TA0011 | 2021–2025 — Use of HUI Loader to stage Cobalt Strike and other payloads over C2. |
| T1486 | Data Encrypted for Impact | TA0040 | 2021–2025 — Deployment of multiple ransomware families for impact. |
| T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005 | 2021–2025 — Use of valid accounts for persistence/lateral movement noted across case studies (assessed). |
| T1041 | Exfiltration Over C2 Channel | TA0010 | 2021–2025 — Data exfiltration accompanying ransomware-front operations in select incidents (assessed). |

Strategic Intelligence
Last updated: 2025-10-22T01:06:55+00:00
Cinnamon Tempest (DEV-0401 / BRONZE STARLIGHT / Emperor Dragonfly) — Ransomware-Front Operations (G1021)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Cinnamon Tempest (a.k.a. DEV-0401, BRONZE STARLIGHT, Emperor Dragonfly) is a China-nexus cluster associated with a carousel of short-lived ransomware brands (e.g., LockFile, Rook, Night Sky, Pandora) likely used as operational cover for broader objectives. Reporting highlights HUI Loader + Cobalt Strike tradecraft, rapid edge exploitation, and opportunistic intrusions that may blend financial leverage with intelligence priorities. Confidence: high


Contractor-linked characteristics; overlaps in tooling (HUI Loader/ShadowPad lineage) with other China-nexus clusters. Campaigns are bursty, with visible rebrands and limited persistence in some cases.
