Also known as: Codoso Team
Suspected attribution: China
Target sectors: Legal and investment
Overview: A group likely composed of freelancers, with some degree of sponsorship by the Chinese government.
Associated malware: BEACON, COBALTSTRIKE
Attack vectors: In 2017, APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload.
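Both lure types described above (the CVE-2017-0199 RTF and the macro-enabled XLSM) end with an Office process launching something it normally never launches, so a parent/child process check on endpoint telemetry covers both stages. The following is an added detection example, not FireEye's own tooling or an APT19 indicator: it assumes Sysmon-style process-creation events flattened into constructed pipe-delimited records (timestamp|parent image|child image|command line), and the lists of Office parents and script-host children are the author's assumptions, not values taken from the profile.

```python
"""Flag Office applications spawning command interpreters or script hosts.

Added example for this profile, not FireEye or APT19 material. Assumes
process-creation telemetry reduced to constructed records of the form:
    timestamp|parent_image|image|command_line
"""
import os

# Office parents worth watching (assumed list, extend to your environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and script hosts an Office document has no business starting
# (assumed list; these are common children in macro and exploit-driven chains).
INTERPRETER_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe",
}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path, OS-independently."""
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_event(line: str) -> dict:
    """Parse one constructed pipe-delimited process-creation record."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def is_office_spawn(event: dict) -> bool:
    """True when an Office process directly starts an interpreter/script host."""
    return (basename(event["parent"]) in OFFICE_PARENTS
            and basename(event["image"]) in INTERPRETER_CHILDREN)


def triage(lines) -> list:
    """Return the parsed events that match the Office-spawn rule, in log order."""
    return [e for e in map(parse_event, lines) if is_office_spawn(e)]


# Constructed sample telemetry: two hits, three benign events.
SAMPLE_LOG = [
    r"2017-05-16T10:01:22Z|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"2017-05-16T10:02:05Z|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|WINWORD.EXE /n invoice.rtf",
    r"2017-05-29T09:14:41Z|C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden",
    r"2017-05-29T09:15:00Z|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288",
    r"2017-05-29T09:16:10Z|C:\Windows\System32\svchost.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {basename(hit['parent'])} -> "
              f"{basename(hit['image'])}: {hit['cmdline']}")
```

The rule deliberately keys on the parent/child pair rather than on any document hash or CVE string, because the same telemetry pattern appears whether the trigger is an RTF exploit, a macro, or the whitelisting-bypass variant; the printing helper (splwow64.exe) in the sample shows why the child list must be explicit rather than "anything not Office".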