Nation-State high China (PRC)

APT10

Chinese state-sponsored (MSS) · Economic espionage / intellectual property theft

Reports 1

Active Since 2009

Last Reported 21 May 2026

Sectors Targeted government, legal-professional, critical-infrastructure

Tactics, Techniques & Procedures (TTPs)

MSP supply chain compromise (Operation Cloud Hopper)
Spear-phishing delivering PlugX and QuasarRAT
ANEL and RedLeaves custom backdoors
RMM platform abuse (ConnectWise, TeamViewer, N-able)
Cloud management plane targeting for delegated admin access
Long-duration persistence across client environments

Known Targets

Managed service providersAerospace and defence firmsPharmaceutical and biotech companiesGovernment agenciesProfessional services (law, accountancy, consulting)Technology companies

Analyst Notes

Attributed by the UK government (FCDO) and Five Eyes partners in December 2018. Operation Cloud Hopper compromised managed service providers to access tens of client environments simultaneously across 12+ countries, affecting at least 45 organisations. Current activity adapts the Cloud Hopper methodology to cloud-delivered managed services and delegated admin credentials.

Also Known As

Stone PandaMenuPassPOTASSIUMCicadaBronze Riverside

MITRE ATT&CK Techniques

T1199 Trusted Relationship T1078 Valid Accounts T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer T1071 Application Layer Protocol

Intelligence Reports

Briefing governmentlegal-professional

APT10 Renews MSP Targeting in UK and Europe — Cloud Hopper Techniques Persist

China's APT10 has resumed systematic targeting of UK managed service providers and professional services firms, using the same supply chain pivot techniques that characterised the Cloud Hopper campaign — now adapted for cloud-managed tenants.

21 May 2026 · 5 min read