The Evolution of APT15's Codebase 2020

released on 2020-05-22 @ 03:53:01 PM
The Ke3chang group, also known as APT15, is an alleged Chinese government-backed cluster of teams known to target various high-profile entities spanning multiple continents. In mid-May, we identified three recently uploaded samples on VirusTotal that share code with older APT15 implants. We named this new family of samples "Ketrum" because it merges features of the documented backdoor families "Ketrican" and "Okrum". We believe the operation was conducted very recently. Below we present a technical analysis of these samples and explain the evolution of APT15's codebase over the last year.