Hidden Lynx APT

Hidden Lynx is a professional “hackers for hire” group that has operated since 2009 and is believed to be based in China. Hidden Lynx steals specific information from select targets across a wide range of sectors and governments. The 50-100 member group has proven itself capable of breaching some of the best-defended systems in the world. The adversary can conduct multiple persistent campaigns concurrently against a variety of well-defended targets. Hidden Lynx has been associated with the 2010 Operation Aurora and the 2012 VOHO campaign.

In the past three years, Hidden Lynx has conducted hundreds of attacks against commercial organizations and governments across the globe. The sectors most targeted are the financial sector, the education sector, and government entities. Within the financial sector, investment banks and asset management agencies are the primary targets. In their 2013 report on the group, Symantec points out that “[t]he absence of certain types of financial institutions, such as those operating as commercial banks, clearly indicates that the attacks are focusing on specific areas.” With less frequency, the group has also targeted stock trading firms and indirectly attacked organizations that supply hardware, secure network communications, and specific services to the financial sector. Overall, the targets share the characteristics of possessing valuable information such as confidential financial data, specific knowledge of potential mergers or acquisitions, or other information that could give the client of the attacker a competitive advantage in the sector or specific knowledge of ongoing negotiations or business deals.

Outside of the financial sector, Hidden Lynx largely targets all levels of government and government contractors. Information exfiltrated from the defense industry sector or from an opposing government could grant a nation state the ability to close a technological gap or to gear intelligence and counterintelligence efforts towards a specific country. Alternatively, the information could allow private organizations to spy on competitors or to gain an unfair competitive advantage by speculating on government technological research and interest. Microsoft claims that, during Operation Aurora, Hidden Lynx targeted databases containing court order emails.

Over half of Hidden Lynx attacks target United States organizations, while another quarter of the attacks target organizations in Taiwan or China. The broad range of targets accompanied by the specificity of the information targeted indicates the mercenary nature of the attacker. The information stolen is not processed by the attacker or used for direct financial gain, so it is likely that the information is stolen on behalf of a third party. The stolen information, predominately financial or technological in nature, would be valuable to corporations and nation states alike.

Hidden Lynx targets organizations and government entities in wealthy and technologically advanced countries. Most of the Hidden Lynx attacks originate from infrastructure located in China. The group initiates campaigns with a two-pronged approach. Hidden Lynx usually infects compromised systems with multiple Trojans: a mass-exploitation Trojan (Trojan Moudoor) and a targeted Trojan (Trojan Naid). Each Trojan may be managed by a different team. Trojan Moudoor deploys the Moudoor backdoor, which is a modified version of the “Gh0st RAT” malware. The remote access Trojan is used to control machines in significant campaigns against multiple large companies across several sectors. The Moudoor team must be sizable because the attack vector requires attackers to breach individual targets and to extract valuable and specific data from compromised networks. Trojan Naid is used in limited attacks against valuable targets. Given its limited use and the sophistication of its application, each team behind it is likely a highly skilled special operations team within the overall group. In recent years, Hidden Lynx added the Gresim backdoor, the Fexel backdoor, the Hikit backdoor, and the Derusbi malware to its exploit kit.

The adversary regularly exploits zero-day vulnerabilities, which are purchased, discovered, or reworked from other groups’ attacks. Hidden Lynx is methodical and tailors its exploit kit to the victim in each attack. It adapts, and it will develop custom tools or perfect new techniques if necessary. Most attacks begin as a watering hole attack or a spear phishing email; however, Hidden Lynx has also been known to attack public-facing infrastructure or hack the supply chain in order to distribute its malware.

Type: Cyber Criminal/Cyber Mercenary

Status: Inactive

Other Names: Aurora/ Aurora Panda/ APT 17/ Deputy Dog/ Group 8/ SportsFan/ Operation Ephemeral Hydra

Active Since/Discovered: 2009

Last Report: October 2014

Targets: Most targets in US, others in Taiwan or China

Target Sectors: Government, defense & aerospace, industrial engineering, NGOs, contractors, education, finance


  • WEBCnC
  • Joy RAT
  • PlugX
  • Trojan.Naid
    • more sophisticated than Moudoor, used infrequently
      • used on high-value targets only
  • Backdoor.Moudoor
    • Modified Gh0st RAT
  • Backdoor.Vasport
  • Backdoor.Boda
  • Trojan.Hydraq
  • ZxShell
  • Sakula
  • China Chopper
  • Gresim
  • Hikit
  • Derusbi
  • Fexel

Preferred Attack Vector: Watering-hole or spear phishing attack

  • Attacks supply chain or public-facing infrastructure to laterally target



  • 50-100 members