Picus Security: China's BlackTech APT Group Targets US and Japan
Cybersecurity firm Picus Security has analyzed the BlackTech APT group, a China-linked entity targeting organizations in the US and Japan, as detailed in a CISA alert.

Picus Security has released an analysis of the BlackTech Advanced Persistent Threat (APT) group, which is linked to China and has been observed targeting organizations in the United States and Japan. The group specifically focuses on entities collaborating with the military sectors of these nations, according to a recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA).
BlackTech is known for its capabilities in cyber espionage and the theft of sensitive information. The group has demonstrated proficiency in modifying router firmware within victim networks, deploying backdoors, and moving laterally across networks while evading detection. This persistent, stealthy approach aims to maintain long-term access for data exfiltration.
The analysis by Picus Security details several tools employed by BlackTech, including the BendyBear shellcode loader, the Bifrose backdoor, and the BTSDoor, FakeDead, and FlagPro malware. These tools are frequently updated and utilize sophisticated techniques such as in-memory execution and code obfuscation to circumvent security measures. The group also leverages "Living-off-the-Land" techniques to blend malicious activities with normal system operations.
A particularly concerning tactic highlighted in the report is BlackTech's modification of router firmware. This allows the attackers to establish persistence, disable logging, facilitate lateral movement, and conceal command and control communications, significantly complicating defensive efforts. Picus Security offers platforms to simulate state-sponsored APT attacks, enabling organizations to test and enhance their defenses against sophisticated threats like those posed by BlackTech.