Ke3chang (also tracked as APT15, Vixen Panda, Playful Dragon, Royal APT, Mirage, Bronze Palace, NICKEL, Nylon Typhoon [Microsoft renamed April 2023], and MITRE ATT&CK G0004) is a suspected China-aligned cyber-espionage cluster active since at least 2010, making it one of the longest-running China-aligned clusters in the public record, with operational lineage tracing to the seminal Mandiant / FireEye December 2013 disclosure "Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs." Vendor research consensus assesses the cluster to operate in alignment with Chinese state intelligence interests, most commonly framed as MSS (Ministry of State Security) tasking. The specific MSS bureau has not been formally established, unlike APT1 (PLA Unit 61398), APT3 (MSS Guangdong / Boyusec), APT10 (MSS Tianjin), APT31 (MSS Hubei / Wuhan XRZ), APT41 (MSS / Chengdu 404), and RedFoxtrot (PLA Unit 69010), which carry bureau- or unit-level formal attribution. The cluster's most operationally consequential formal-action event is Microsoft's December 6, 2021 NICKEL action: Microsoft's Digital Crimes Unit secured a federal court order in the Eastern District of Virginia granting Microsoft control over 42 attacker-controlled websites used by NICKEL to attack diplomatic, foreign-affairs, and government entities in twenty-nine countries. The action is the largest single seizure of NICKEL infrastructure on public record, and Microsoft's filing documented sustained operations against ministries of foreign affairs, missions to the United Nations, and embassies, primarily in Latin America (Mexico, Honduras, El Salvador, Guatemala, Brazil, Panama, Colombia, Venezuela, Ecuador, Peru, Bolivia, Chile, Argentina, Uruguay) alongside European and North American targets.
While the Microsoft action did not constitute formal US-government attribution to a specific MSS bureau, it is the highest-tier non-government public action taken against the cluster. Two defining victim signatures distinguish Ke3chang from peer publicly-tracked China-aligned clusters. First, sustained diplomatic, foreign-affairs, and ministry-of-foreign-affairs targeting across more than a decade. The original December 2013 Mandiant disclosure documented Ke3chang operations conducted in the lead-up to the 2013 G20 summit, with spear-phishing campaigns targeting European MoFA personnel using summit-related lures; the summit-anchored targeting pattern has continued across multiple subsequent summits as a cluster signature that aligns operational tempo with diplomatic-calendar events. European MoFA targeting has been continuous across the entire 2010-2024 publicly-tracked operational lifespan. Second, sustained Latin American and Caribbean diplomatic targeting. Few publicly-tracked China-aligned clusters focus on Latin American diplomatic targets at Ke3chang's level of sustained operations. This regional focus is one of the cluster's most distinctive signatures and reflects sustained PRC strategic interest in Latin American diplomatic and political collection, consistent with broader PRC commercial and political investment in the region across the same period. Victim countries documented across multiple years include Mexico, Guatemala, Honduras, El Salvador, Costa Rica, Panama, Colombia, Venezuela, Ecuador, Peru, Chile, Argentina, Uruguay, Brazil, Dominican Republic, Barbados, Trinidad and Tobago, Cuba, Bolivia, and Haiti. Operationally, Ke3chang's toolkit is comparatively diverse for a China-aligned cluster, reflecting continued capability development across more than a decade.
Signature implants include BS2005 / Mirage (the original Mandiant 2013 disclosure implant), Ketrican (one of the cluster's central modern Windows backdoors, with continued evolution), Okrum (a newer backdoor disclosed by ESET in 2019), RoyalCli (NCC Group March 2018 disclosure), RoyalDNS (NCC Group March 2018 disclosure, carrying a DNS-tunneling and DNS-based-C2 tradecraft signature that is comparatively unusual among publicly-tracked clusters), DnsBinder, MyDoom variants, SysUpdate, Planetex, Tidepool, and EhDoor. RoyalCli and RoyalDNS deserve particular operational note. The DNS-tunneling and DNS-based-C2 tradecraft signature provides plausible egress traffic via the DNS protocol, a protocol that most network-monitoring controls treat with reduced scrutiny, and so complicates network detection by traditional egress-monitoring controls. DNS-based-C2 tradecraft is increasingly common among state-aligned clusters, but Ke3chang was an early adopter.
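The DNS-based C2 point above is the one a defender can act on: even when egress controls ignore DNS, resolver logs still show the traits that payload-over-DNS tends to leave. The following is an added triage heuristic, not code from the original page or from any vendor report on RoyalDNS, that scores per-domain query patterns in a constructed resolver log (format, thresholds, and the two-label registered-domain assumption are all the example's own).

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (format: <timestamp> <client> <qtype> <qname>); not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.0.0.5 A www.example-benign.test
2024-03-01T09:00:02Z 10.0.0.5 A mail.example-benign.test
2024-03-01T09:00:03Z 10.0.0.5 TXT 4a7c1e9f0b3d8e2a6c5f1b9d3e7a2c4f.example-c2.test
2024-03-01T09:00:04Z 10.0.0.5 TXT 9e2b7d1c4f6a3e8b0d5c2a7f1e9b4d6c.example-c2.test
2024-03-01T09:00:05Z 10.0.0.5 TXT 2c8f3a1e7b9d4c6a0e5f8b1d3a7c9e2f.example-c2.test
2024-03-01T09:00:06Z 10.0.0.5 A www.example-benign.test
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded-payload labels sit near their alphabet's maximum."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    labels = qname.rstrip(".").split(".")
    # Assumption: the registered domain is the last two labels (no public-suffix list here).
    return {"ts": ts, "client": client, "qtype": qtype,
            "base": ".".join(labels[-2:]), "sub": ".".join(labels[:-2])}

def score_domains(log_text: str, min_queries: int = 3) -> dict:
    """Return {base_domain: [reasons]} for domains showing at least two tunnelling traits."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "len": 0, "bulk": 0})
    for line in log_text.strip().splitlines():
        q = parse_line(line)
        s = stats[q["base"]]
        s["n"] += 1
        s["subs"].add(q["sub"])
        s["ent"] += shannon_entropy(q["sub"])
        s["len"] += len(q["sub"])
        s["bulk"] += q["qtype"] in ("TXT", "NULL", "CNAME")  # record types that carry bulk data
    flagged = {}
    for base, s in stats.items():
        if s["n"] < min_queries:
            continue  # too few queries to judge
        checks = [(s["ent"] / s["n"] > 3.5, "high-entropy subdomain labels"),
                  (s["len"] / s["n"] > 30, "long subdomain labels"),
                  (len(s["subs"]) / s["n"] >= 0.9, "almost every query uses a new subdomain"),
                  (s["bulk"] / s["n"] >= 0.5, "mostly TXT/NULL/CNAME lookups")]
        reasons = [why for hit, why in checks if hit]
        if len(reasons) >= 2:  # require two independent traits to limit CDN false positives
            flagged[base] = reasons
    return flagged
```

Requiring two traits keeps legitimate high-churn domains (CDNs, telemetry) from tripping on a single signal; in practice the thresholds should be tuned against a site's own baseline.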
NCC Group's March 2018 disclosure documented the tradecraft when it was still unusual. Initial-access tradecraft is predominantly spear-phishing with weaponized Office documents (CVE-2010-3333, CVE-2012-0158, CVE-2014-1761, CVE-2014-4114 (Sandworm), CVE-2015-2545, CVE-2017-0199, CVE-2017-11882, CVE-2018-0798, CVE-2018-0802, CVE-2018-20250 (WinRAR)) followed by Ketrican or Okrum implant deployment. The cluster has not consistently demonstrated 0day-development capability and primarily relies on rapid weaponization of disclosed n-day vulnerabilities alongside diplomatic-event-themed social-engineering tradecraft. A handful of operational notes: First, the cluster's substantial vendor-naming proliferation (Ke3chang / APT15 / Vixen Panda / Playful Dragon / Royal APT / Mirage / Bronze Palace / NICKEL / Nylon Typhoon) reflects more than a decade of fragmented vendor tracking. Modern reporting should default to "Ke3chang" as the original Mandiant naming and the MITRE-canonical name, with "Nylon Typhoon" being the current Microsoft-canonical name following the April 2023 rename. Second, the cluster's continued operations through 2022-2025 despite the December 2021 Microsoft action illustrate (consistent with the Star Blizzard, Sandworm, Pioneer Kitten, and Cadet Blizzard patterns in this corpus) that formal or major-vendor-action events do not necessarily produce operational pauses for state-aligned clusters. Third, attribution to MSS specifically, though dominant in vendor reporting, has not been confirmed by formal US, UK, or EU government attribution. Treat the MSS-tasking framing as suspected at the bureau level, even though the broader China-aligned framing is high-confidence by vendor-research-consensus standards.
Fourth, the cluster's Latin American victim focus is operationally uncommon among publicly-tracked China-aligned clusters and represents a meaningful gap in defender threat-modeling for Latin American diplomatic and government entities: most regional defender threat-modeling underweights China-aligned cluster activity in favor of higher-volume cyber-criminal and financially-motivated cluster activity. Ke3chang's sustained Latin American diplomatic targeting deserves continued analytical attention from regional defenders.