APT20, associated with Operation Wocao, is suspected to be a China-based cyber-espionage APT group that targets government entities, managed service providers and a wide variety of industries, including construction and engineering, non-profit organizations, defense, energy, health care and high-tech, in 10 different countries, including East Asia, Thailand, and the USA.[1][2][3]

The group is known to use Mimikatz to dump certificates and keys from the Windows certificate store in order to authenticate to internal services, and to use SSH for lateral movement.

To evade defenses, the group is known to install a root certificate in the local Windows store.

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | VT0020.001 | Remote Services: SSH | APT20 uses SSH to move laterally in the victim's network. |
| Enterprise | VT0016.001 | Subvert Trust Controls: Install Root Certificate | APT20 installs a root certificate on the victim's machine to evade defenses. |
| Enterprise | VT0017.004 | Unsecured Credentials: Private Keys | APT20 uses tools like Mimikatz to dump credentials and keys from the victim's machine. |
| Enterprise | VT0005 | Valid Accounts | APT20 uses valid credentials and keys to log in to remote services, such as SSH, and move laterally among its victims. |


| ID | Name | References | Techniques |
|---|---|---|---|
| VS0004 | Mimikatz | APT20 uses Mimikatz to extract keys and credentials from victim machines to perform lateral movement. | Account Manipulation, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Unsecured Credentials: Private Keys |



Associated Groups
Violin Panda

Created: 02 May 2021

Last Modified: 03 May 2021