APT10 / menuPass (Stone Panda): Threat Actor Profile

APT10 (menuPass, Stone Panda) industrialized managed-service-provider compromise with the Cloud Hopper campaign — breaching IT providers to reach their downstream clients at scale. A full nation-state profile.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

APT10, which MITRE tracks as menuPass, belongs on this list because it industrialized managed-service-provider (MSP) compromise for espionage: the 'Cloud Hopper' logic of breaching service providers to reach many downstream victims at once.

APT10: at a glance

  • Aliases: menuPass, Stone Panda, Cicada, POTASSIUM, Red Apollo, CVNX, HOGFISH, BRONZE RIVERSIDE
  • Country / affiliation: China — MSS Tianjin State Security Bureau (per U.S. allegations)
  • Assessed status (as of July 2026): Active umbrella
  • Primary objectives: Economic espionage, MSP supply-chain access, and broad sector intelligence theft
  • Financial destruction / gain: No clean public dollar total; value is stolen IP and data across 45+ technology companies rather than monetized ransom
  • Type: Nation-state APT (economic espionage)

Who is APT10?

MITRE says menuPass has been active since at least 2006, notes that public U.S. allegations tie the group to China's MSS Tianjin State Security Bureau, and documents targeting across healthcare, aerospace, finance, energy, government, MSPs, manufacturing, and universities. The group's strategic impact is significant even though no public dollar-loss estimate exists.

Aliases and attribution

APT10 is tracked as menuPass, Stone Panda (Kaspersky), Cicada, Red Apollo, and BRONZE RIVERSIDE. U.S. indictments tied members to the MSS Tianjin State Security Bureau and the front company Huaying Haitai. Its supply-chain attack model — compromising trusted IT providers — makes downstream cyber attribution especially hard, since intrusions arrive through legitimate provider connections.

Financial impact and damage

There is no clean dollar figure; APT10's value is stolen intellectual property and data. The DOJ says APT10 targeted MSPs and 45+ technology companies over more than a decade. The Cloud Hopper campaign's blueprint — 'hack the provider to reach everyone' — reshaped how the world thinks about third-party and supply-chain attack risk, influencing defensive strategy far beyond its direct victims.

APT10 timeline

  • 2006: Group becomes active
  • 2016-2017: MSP targeting / Cloud Hopper campaign era
  • 2018: U.S. indictment of alleged members tied to the MSS
  • 2026: ATT&CK still tracks an active umbrella of continuing tradecraft

Notable attacks and campaigns

Operation Cloud Hopper (2016–2017) compromised major managed service providers to reach their clients' networks worldwide — a pioneering supply-chain espionage model. APT10 has used Pulse Secure VPN exploits, DLL side-loading of tools like Mimikatz and UPPERCUT, and encrypted multipart archives to exfiltrate stolen intellectual property.

Tactics, techniques, and procedures (TTPs)

The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.

  • T1087.002 — Domain Account Discovery: menuPass used csvde.exe to export Active Directory data. Alert on AD-export tools run outside approved admin workflows.
  • T1190 — Exploit Public-Facing Application: menuPass leveraged Pulse Secure VPN vulnerabilities to hijack sessions. Patch VPNs aggressively and monitor for session-hijack indicators.
  • T1574.001 — DLL Side-Loading: menuPass side-loads Mimikatz, PwDump6, and UPPERCUT. Watch for signed binaries loading unexpected DLLs from writable directories.

Detection and defense against APT10

APT10's whole model is reaching you through your IT provider, so third-party assurance and VPN hardening are central:

  • Vet and monitor MSP and third-party provider connections; enforce least privilege on their access.
  • Patch VPNs (e.g., Pulse Secure) aggressively and monitor for session-hijack indicators.
  • Watch for signed binaries side-loading unexpected DLLs from writable directories.
  • Alert on AD-export tools (csvde.exe) run outside approved admin workflows.
  • Detect creation of large multipart archives in unusual locations like the Recycle Bin.
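The host-based items in the TTP mappings and in the list above translate directly into rules over endpoint telemetry. The following is an added example written for this guide, not code from the original article, from MITRE or from any vendor. It runs three rules over a handful of constructed Sysmon-style process-create, image-load and file-create records: an AD-export tool (csvde.exe, plus its sibling ldifde.exe as a generalization beyond the text) run by a host/user pair outside an assumed approved-workflow allowlist (T1087.002); a signed binary loading a DLL from a user-writable directory (the side-loading behaviour mapped to T1574.001 above); and a multipart or large archive written to an unusual location such as the Recycle Bin. The field names, the allowlist, the path patterns and the size threshold are all assumptions for illustration.

```python
"""Toy detection pass for the APT10 / menuPass host behaviours described above.

Added example, not from the original article or from MITRE. The event records
are constructed to resemble Sysmon-style telemetry (EID 1 process create,
EID 7 image load, EID 11 file create); field names, the allowlist and the
path patterns are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed telemetry: one benign and one suspicious record per rule.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-0412", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\csvde.exe",
     "cmdline": "csvde.exe -f C:\\Users\\jdoe\\AppData\\Local\\Temp\\ad.csv"},
    {"type": "process", "host": "ADM-JUMP01", "user": "CORP\\svc_adaudit",
     "image": r"C:\Windows\System32\csvde.exe",
     "cmdline": "csvde.exe -f D:\\audit\\weekly.csv"},
    {"type": "image_load", "host": "WS-0412",
     "image": r"C:\Program Files\Vendor\updater.exe", "signed": True,
     "loaded": r"C:\Users\jdoe\AppData\Roaming\Vendor\version.dll"},
    {"type": "image_load", "host": "WS-0412",
     "image": r"C:\Program Files\Vendor\updater.exe", "signed": True,
     "loaded": r"C:\Program Files\Vendor\version.dll"},
    {"type": "file_create", "host": "WS-0412",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\7z.exe",
     "target": r"C:\$Recycle.Bin\S-1-5-21-1\archive.7z.001", "size": 52428800},
    {"type": "file_create", "host": "WS-0412",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "target": r"C:\Users\jdoe\Documents\backup.7z", "size": 1048576},
]

# Assumed approved AD-export workflow: (host, user) pairs that may run the tools.
APPROVED_AD_EXPORT = {("ADM-JUMP01", "CORP\\svc_adaudit")}
AD_EXPORT_TOOLS = {"csvde.exe", "ldifde.exe"}  # ldifde is the LDIF sibling of csvde
# User-writable locations a signed binary should rarely load DLLs from (assumed list).
WRITABLE_DIRS = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|"
    r"users\\public|programdata|windows\\temp|\$recycle\.bin)\\", re.I)
# Split-archive naming: .7z.001, .zip.001, .z01, .part1.rar, .r01 and similar.
MULTIPART = re.compile(
    r"\.(7z|zip|rar|tar)\.\d{3}$|\.z\d{2}$|\.part\d+\.rar$|\.r\d{2}$", re.I)
UNUSUAL_ARCHIVE_DIRS = re.compile(
    r"^[a-z]:\\(\$recycle\.bin|windows\\temp|programdata)\\", re.I)
LARGE_BYTES = 10 * 1024 * 1024  # assumed staging-size threshold


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_ad_export(ev: dict) -> Alert | None:
    """T1087.002: AD export tool run outside the approved (host, user) pairs."""
    if ev["type"] != "process" or basename(ev["image"]) not in AD_EXPORT_TOOLS:
        return None
    if (ev["host"], ev["user"]) in APPROVED_AD_EXPORT:
        return None
    return Alert("ad_export_outside_workflow", ev["host"],
                 f'{ev["user"]} ran {ev["cmdline"]}')


def detect_side_load(ev: dict) -> Alert | None:
    """T1574.001 (as mapped above): signed process loading a DLL from a writable dir."""
    if ev["type"] != "image_load" or not ev.get("signed"):
        return None
    if not WRITABLE_DIRS.search(ev["loaded"]):
        return None
    return Alert("signed_binary_side_load", ev["host"],
                 f'{ev["image"]} loaded {ev["loaded"]}')


def detect_staging_archive(ev: dict) -> Alert | None:
    """Multipart or large archive written to an unusual location (e.g. Recycle Bin)."""
    if ev["type"] != "file_create":
        return None
    target = ev["target"]
    if not (MULTIPART.search(target) or ev["size"] >= LARGE_BYTES):
        return None
    if not UNUSUAL_ARCHIVE_DIRS.search(target):
        return None
    return Alert("multipart_archive_unusual_path", ev["host"],
                 f'{ev["image"]} wrote {target} ({ev["size"]} bytes)')


RULES = (detect_ad_export, detect_side_load, detect_staging_archive)


def run_detections(events: list[dict]) -> list[Alert]:
    """Apply every rule to every event and collect the alerts in event order."""
    return [a for ev in events for rule in RULES if (a := rule(ev))]


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

The two tuning points are the approved-workflow allowlist and the writable-directory pattern: the first keeps legitimate AD audits quiet, the second needs a per-application baseline, since some updaters legitimately load DLLs from ProgramData. In production the image-load rule should also join to the signer name so that a vendor's own signed helper DLL in its own directory does not fire.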

The bottom line

APT10 wrote the blueprint for supply-chain espionage — 'hack the provider to reach everyone' — and its Cloud Hopper campaign permanently changed how the world assesses third-party risk. See how APT10 ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.

Frequently asked questions

Who is APT10?

APT10 is a Chinese state-sponsored espionage group, tracked by MITRE as menuPass and also known as Stone Panda and Red Apollo. U.S. indictments tie it to the MSS Tianjin State Security Bureau.

What was Operation Cloud Hopper?

Cloud Hopper was APT10's 2016-2017 campaign compromising managed service providers to reach their downstream clients' networks worldwide — a pioneering supply-chain espionage model.

What is APT10's objective?

Economic espionage and intellectual-property theft. APT10 targets MSPs and technology, aerospace, healthcare, and government sectors to steal data rather than for financial ransom.

Is APT10 still active?

MITRE continues to track menuPass as an active umbrella of continuing tradecraft, though its public signal is lower than during the Cloud Hopper era.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: