Menu
Browse

Cyber Threat Actor: Wild Neutron

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Spy
China
1 incident
Profile

Wild Neutron,also tracked as Neutron, Morpho and Butterfly, is a hacking group that has been observed since at least 2013. The group is associated with the aliases Wild Neutron, Neutron, Morpho and Butterfly in public reporting. Analysts have noted that the group’s origin is linked to China, though this is not confirmed with certainty. It is described as a highly sophisticated and persistent actor capable of breaching well‑protected corporate environments. The group remains active according to security researchers who monitor its activity.

Wild Neutron’s known intrusions have focused on large technology companies, including Microsoft, Apple, Facebook and Twitter. The victims were targeted for access to internal systems that store sensitive information such as software vulnerability databases. Reporting indicates that the group sought collections of unfixed flaw details, which are valued by government spies for developing offensive tools. The group’s activity therefore involved acquiring data that is described as useful for offensive cyber operations. The geographic scope of the observed victims points to the United States, although the group’s reach may extend beyond that region.

The initial access vector used by Wild Neutron in the Microsoft incident was a vulnerability in the Java programming language that allowed execution on Apple Macintosh computers. After gaining a foothold on a Mac, the attackers moved laterally within the victim’s corporate network to reach deeper assets. No specific malware families are named in the public descriptions of their activity. Their tooling style appears to rely on exploiting widely used software flaws to gain entry and then employing native administrative tools for movement.

The most publicly documented operation attributed to Wild Neutron is the February 2013 breach of Microsoft’s internal database that tracks unfixed software vulnerabilities. In the same timeframe the group reportedly compromised systems at Apple, Facebook and Twitter using similar Java‑based techniques. The Microsoft breach remained undisclosed by the company until former employees revealed details years later, after which Microsoft improved network segmentation and added multi‑factor authentication for the database. Despite the lack of public attribution to a state sponsor, researchers consider Wild Neutron to be one of the most proficient and mysterious active hacking groups. The group’s activity has continued after 2013, though specific later campaigns have not been detailed in the available sources.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source