Menu
Browse

Cyber Threat Actor: Tick

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
6 incidents
Profile

Bronze Butler, also known as Tick, is a threat actor that has been publicly linked to China-based operations. The group is recognized by security researchers under these two aliases and is described as suspected state‑linked. Its activity has been observed over several years, with a focus on entities that possess sensitive governmental or defense‑related information. The actor’s origin is noted as China, although no further geographic detail is provided in the source material.

The actor’s targeting has consistently involved defense contractors, aerospace firms, and technology companies located in Japan, France, and South Korea. Observed objectives appear to be espionage‑oriented, as intrusions have resulted in the theft of client data, source code for security products, and defense‑adjacent documents. There is no public indication that the group seeks financial gain or aims to cause disruptive effects beyond data exfiltration. The strategic focus aligns with gathering intellectual property and classified‑sensitive material from sectors that support national infrastructure.

Typical tactics include spearphishing emails, the use of zero‑day exploits, and the deployment of custom malware such as SymonLoader. The group has also weaponized secure USB drives certified under national security guidelines to breach air‑gapped systems, employing trojanized legitimate software to deliver payloads. Log deletion is frequently mentioned as a method to obscure activity after intrusion. Notable campaigns referenced in the source material involve the 2012 attack on a South Korean defense contractor via compromised USB drives, a series of breaches against Japanese defense contractors including Kobe Steel, Pasco, Mitsubishi Electric, and NEC between 2015 and 2021, and the 2021 intrusion into the French cybersecurity firm Stormshield where source code for a government‑certified firewall was exfiltrated. These incidents collectively illustrate the actor’s persistent focus on high‑value targets using a blend of social engineering, exploit‑based access, and stealthy post‑compromise behavior.

Incidents
Attributed incidents available to members
6 incidents
Sources
Sources available to members
75 sources