Deep Panda (G0009) Threat Actor Profile: A Persistent Chinese Espionage Group
- Suspected Origin
- China
- Motivation
- Espionage, Information Theft, Credential Harvesting, Financial Gain
- Aliases
- Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
- Target Sectors
- Government, Defense, Financial, Telecommunications, Healthcare, Technology, Energy, Pharmaceutical, Education, Legal, Manufacturing, Think Tanks
- Associated Malware
- C0d0so0, Cobalt Strike, Derusbi, EmpireProject, Fire Chili, Infoadmin RAT (Milestone), MadHatter RAT, PlugX, Sakula, Web shells, Custom Backdoors
Overview
Deep Panda, tracked by MITRE as G0009, is a highly sophisticated and persistent threat actor with strong suspected ties to the People’s Republic of China (PRC). This group operates under a wide array of aliases, reflecting its broad operational scope and the fluid nature of cyber threat intelligence. Beyond its primary designation, Deep Panda is also known as Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine, and is often considered synonymous with APT19, C0d0so0, Sunshop Group, TG-3551, Bronze Firestone, Pupa, Red Pegasus, and Checkered Typhoon. While some analysts debate the exact overlap with APT19, their activities frequently align.
Deep Panda’s strategic motivation is primarily cyber espionage and information theft, aligned with China’s national intelligence objectives. This includes stealing state secrets, intellectual property, and critical data from various organizations. What distinguishes Deep Panda is its hybrid operational model, which blends traditional state-sponsored intelligence gathering with methods commonly associated with cybercrime, such as the mass harvesting of credentials and brokering access. Their target selection often reflects both strategic intelligence priorities and opportunistic avenues to acquire valuable information.
The group’s targeting is extensive, encompassing critical infrastructure and high-value sectors globally. Deep Panda has consistently focused on government, defense, financial services, telecommunications, healthcare, and technology industries. Other targeted sectors include energy, pharmaceuticals, high-tech, education, manufacturing, legal services, and national security think tanks. Geographically, their operations heavily focus on the United States, Australia, and various parts of East Asia. Notably, the group has demonstrated an adaptive targeting strategy, exemplified by a shift in 2014 to focus on individuals and entities involved in Iraq and Middle East policy, directly linked to Chinese oil interests in the region.
Tactics & Techniques
Deep Panda employs a diverse and evolving set of tactics, techniques, and procedures (TTPs) designed to achieve stealthy, persistent access and data exfiltration.
Initial access is frequently gained through highly targeted spear-phishing campaigns. These emails often contain malicious attachments or links, sometimes crafted to appear as legitimate business communications, conference invitations, or security alerts. The group also leverages compromised web servers and Content Management Systems (CMS) by deploying web shells, establishing a foothold within target networks. Watering hole attacks, such as the 2014 compromise of Forbes.com, where targets were redirected to exploits via a zero-day Adobe Flash vulnerability, have also been a prominent initial access vector. Deep Panda actively exploits known software vulnerabilities; examples include breaches leveraging flaws in Adobe ColdFusion and, more recently, exploiting the Log4Shell vulnerability in VMware Horizon servers. They have also utilized malicious droppers masquerading as installers for legitimate software like Adobe Reader or Juniper VPN, often directing victims to fake login pages for credential harvesting.
Once inside a network, Deep Panda focuses on establishing execution and persistence. They deploy lightweight backdoors and web shells, often using registry changes and scheduled tasks to maintain their presence. A notable technique involves using PowerShell scripts, frequently executed from memory to avoid disk artifacts and evade detection. They have also employed the sticky-keys technique to bypass RDP login screens and used -w hidden to conceal PowerShell windows. Lateral movement is achieved through methods like Windows Management Instrumentation (WMI) and the net.exe utility to connect to network shares using compromised credentials. For discovery, they use built-in Windows utilities such as Microsoft Tasklist to enumerate processes and ping to identify other machines of interest.
Defense evasion is a hallmark of Deep Panda’s operations. They routinely update and modify their malware to change hash values and evade detection. Running PowerShell scripts directly from memory helps them minimize forensic traces. The group is also known to remove log data and other artifacts to obscure their presence. In a sophisticated move, they have used digitally signed rootkits with stolen certificates, adding a layer of legitimacy to their malicious tools. Credential harvesting is a core capability, with tools designed to recover authentication credentials from web browsers like Mozilla Firefox and Internet Explorer, as well as Remote Access Service (RAS). Ultimately, their objective is to exfiltrate sensitive data to offshore command-and-control servers.
Notable Campaigns
Deep Panda has been linked to numerous high-profile cyber incidents:
- 2013-2016 Credential Acquisition: An early focus involved extensive campaigns to acquire user credentials through phishing and the deployment of web shells.
- 2013 Adobe ColdFusion Breach: One of their significant early operations involved breaching Adobe’s ColdFusion web application server, leading to the theft of user data for 38 million Adobe users, along with source code for various Adobe products including Acrobat, Reader, Photoshop, and ColdFusion.
- 2014 Think Tank Breaches: Deep Panda notably shifted its targeting focus in 2014 from Southeast Asia policy to geopolitical issues in Iraq and the Middle East, coinciding with the rise of ISIS and its potential impact on Chinese oil interests. These attacks on national security think tanks utilized PowerShell and deployed the “MadHatter” RAT.
- 2014 Forbes.com Watering Hole Attack: The group compromised Forbes.com to conduct a watering hole attack, using a zero-day Adobe Flash exploit to compromise selected targets.
- 2015 Anthem Breach: Deep Panda was famously attributed to the massive intrusion into healthcare provider Anthem, an incident that, when combined with related breaches at Premera and CareFirst, impacted over 90 million Americans.
- 2015 U.S. Office of Personnel Management (OPM) Breach: In one of the largest government data breaches in history, Deep Panda stole 22.1 million government employee records, including extensive personal data and background check information. This involved posing as an employee of a subcontractor and utilizing PlugX and Sakula malware.
- 2016-2017 Managed Service Provider Compromises: The group extensively compromised Managed Service Providers (MSPs) and cloud environments, gaining access to a multitude of downstream organizations and victims.
- 2017 Law and Investment Firm Phishing: Deep Panda conducted a targeted phishing campaign against at least seven global law and investment firms, exploiting a Microsoft Windows vulnerability (CVE 2017-0199) and deploying Cobalt Strike payloads.
- 2022 Log4Shell Exploitation: More recently, in March 2022, Deep Panda exploited the critical Log4Shell vulnerability in VMware Horizon servers. This campaign involved the deployment of the “Milestone” backdoor (a variant of Infoadmin RAT) and a novel kernel rootkit dubbed “Fire Chili,” which was signed with a stolen digital certificate also used by the Winnti group. These opportunistic attacks impacted financial, academic, cosmetics, and travel industries across multiple countries.
Associated Malware & Tools
Deep Panda leverages a combination of custom-developed malware and commercially available or open-source tools, often tailored for their operations:
- Backdoors and RATs: Custom backdoors are a staple, along with well-known Remote Access Trojans (RATs) such as Derusbi, PlugX, MadHatter, and Infoadmin RAT (dubbed “Milestone” in recent campaigns).
- Web Shells: These are frequently deployed on compromised web servers to maintain persistent access.
- Sakula Malware: Notably used in the 2015 OPM breach and other campaigns targeting defense and healthcare sectors.
- Rootkits: The novel “Fire Chili” kernel rootkit, digitally signed with stolen certificates, was observed in 2022. They have also used a zero-day for Flash.
- Exploitation Frameworks & Utilities: Cobalt Strike and EmpireProject have been used for post-exploitation activities.
- Reconnaissance Tools: TheHarvester is known to be used for reconnaissance operations.
- Built-in System Tools: Deep Panda extensively abuses legitimate Windows utilities like PowerShell, Windows Management Instrumentation (WMI),
net.exe,ping, andtasklistfor execution, lateral movement, and discovery, helping them blend in with normal network activity. - Credential Harvesting Utilities: Custom-developed tools for collecting authentication credentials.
- C0d0so0 and Sunshop Group Tools: These refer to specific malware and tooling clusters associated with the group.
Current Status
Deep Panda remains an active and highly adaptable threat actor. Despite their long operational history stretching back to at least 2013, they continue to evolve their TTPs and target selection. While some older overt operations may have decreased, intelligence suggests they have reorganized rather than ceased activity, continuing to conduct campaigns that bear their distinctive tradecraft. The group’s persistent focus on access and credential theft, rather than relying solely on sophisticated zero-day exploits, allows them to remain relevant in a constantly changing threat landscape. The opportunistic exploitation of the Log4Shell vulnerability in 2022 is a clear indicator of their ongoing and adaptive operational tempo. Their continued activity and demonstrated capability to infiltrate and persist in high-value targets classify Deep Panda as a significant and enduring threat.
Related content
APT19: Persistent Chinese Cyber Espionage and Credential Theft
Adversary ProfileAxiom (G0001): Profile of a Sophisticated Chinese Cyber Espionage Group
Adversary ProfileAPT17 (Deputy Dog): A Persistent Chinese Cyber Espionage Threat
Adversary ProfileLeviathan (APT40): China's Persistent Maritime Espionage Group
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call