We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

China-Linked APT15 Targets Agencies With Graphican Malware

China-Linked APT15 Targets Agencies With Graphican Malware
Author Image Husain Parvez
Husain Parvez Published on 25th June 2023 Cybersecurity Researcher

According to a Symantec Threat Hunter Team report, a highly sophisticated hacking group known as APT 15 (or Flea) has been engaged in a series of targeted attacks against foreign affairs ministries across North and South America. Their weapon of choice is a newly discovered backdoor named Graphican.

The campaign, which took place between late 2022 and early 2023, extended its reach beyond government entities. The hackers also set their sights on a government finance department in an undisclosed country and a corporation that operates in Central and South America. Additionally, the report mentions a single victim located in a European country, suggesting that Flea's activities reach other continents too.

Symantec said in the report that “Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.” However, Graphican distinguishes itself by utilizing the Microsoft Graph API to establish connections with OneDrive, enabling the retrieval of C&C information.

As reported by SecurityWeek, Graphican can generate an interactive command line, create and download files, and initiate hidden window processes. Throughout the campaign, Symantec observed APT15 employing different versions of Ketrican, each featuring a hardcoded C&C server and only implementing a subset of the commands mentioned above.

In addition to Graphican and Ketrican, APT15 employed various other tools during these attacks. They include the Ewstew backdoor, web shells, as well as publicly available tools like Mimikatz, Pypykatz, Safetykatz, Lazagne, Quarks PwDump, SharpSecDump, K8Tools, and EHole.

Symantec has stated that the primary objective of the APT15 group appears to be establishing long-term access to the networks of their targeted victims to gather intelligence. The focus of their attacks in this particular campaign, foreign affairs ministries, strongly indicates a probable geopolitical motive behind their actions.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.