BRONZE MEDLEY
SUMMARY
In early 2021, BRONZE MEDLEY was observed exploiting Microsoft Exchange Servers as an initial infection vector to deploy the Whitebird remote access trojan against targets in the Middle East and South America. Third-party reporting suggests the threat group has been active since at least 2016 and targets governments and private enterprises globally, including in Brazil, Russia, India, Kazakhstan, Thailand, and Turkey.
The PlugX and Whitebird remote access trojans are key malware families used by BRONZE MEDLEY and have been linked to its command and control infrastructure across multiple campaigns. The consistency of its post-compromise tactics, techniques and procedures (TTPs) across multiple campaigns also suggests the threat group follows a standard playbook for network intrusions.
CTU researchers assess with moderate confidence that BRONZE MEDLEY operates on behalf of China and has a primary remit for espionage against foreign governments.