Cinnamon Tempest

Active

Also known as: Cinnamon Tempest, DEV-0401, Emperor Dragonfly, BRONZE STARLIGHT

🌍

Other

Active Since

2023

MITRE ID

G1021

Techniques

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)

MITRE ATT&CK Techniques

Recon0

Resource1

T1588.002Tool

Initial1

T1190Exploit Public-Facing Application

Exec4

T1059.001PowerShell

T1059.006Python

T1059.003Windows Command Shell

T1047Windows Management Instrumentation

Persist2

T1574.001DLL

T1543.003Windows Service

PrivEsc0

Defense4

T1140Deobfuscate/Decode Files or Information

T1078.002Domain Accounts

T1484.001Group Policy Modification

T1078Valid Accounts

Creds0

Discovery0

Lateral2

T1021.002SMB/Windows Admin Shares

T1080Taint Shared Content

Collect0

C23

T1105Ingress Tool Transfer

T1572Protocol Tunneling

T1090Proxy

Exfil1

T1567.002Exfiltration to Cloud Storage

Impact1

T1657Financial Theft

Known Victims

live · just now

No victims recorded in ransomware.live for this group.