BRONZE MOHAWK
SUMMARY
BRONZE MOHAWK has targeted legal, defense and academic organizations in the South China Sea, South Korea, Europe and the U.S. since 2013. The group uses phishing emails with weaponized attachments, which typically drop and execute JavaScript that is then used to deploy malware such as Cobalt Strike. CTU researchers have also observed BRONZE MOHAWK setting up spoofed defense contractor websites as part of its operations. The group appears intent on targeting military and political intelligence in areas that align with Chinese strategic interests, such as maritime military technology development and political entities in the South China Sea. In January 2020, the Intrusion Truth blog linked BRONZE MOHAWK to a company called Hainan Xiandun Technology, which Intrusion Truth claims is directed by the Hainan department of the Chinese Ministry of State Security.