Putter Panda: Persistent Chinese Cyber Espionage
- Suspected Origin
- China
- Motivation
- Espionage
- Aliases
- APT2, MSUpdater
- Target Sectors
- Defense, Government, High-Tech, Energy, Telecommunications, Critical Infrastructure
- Associated Malware
- MSUpdater, CN-SRV, Derusbi, Putter Panda malware, Pteranodon
Overview
Putter Panda, tracked by MITRE ATT&CK as G0024, is a highly persistent and sophisticated Chinese state-sponsored cyber espionage group. Also known by aliases such as APT2 and MSUpdater, the group has been publicly attributed to Unit 61486 of the People’s Liberation Army’s (PLA) 3rd General Staff Department (GSD). This attribution, initially detailed in a seminal 2014 report by CrowdStrike, firmly establishes Putter Panda as an entity operating under the directive of the Chinese military intelligence apparatus.
The primary motivation driving Putter Panda’s operations is strategic intelligence gathering and intellectual property theft, aligning with China’s broader national security and economic development objectives. Their targets consistently reflect these goals, focusing on sectors critical to military capabilities, advanced technology, and strategic national interests. Key sectors historically targeted include defense, government agencies, high-tech manufacturing, energy, telecommunications, and critical infrastructure, particularly those with strong ties to U.S. and allied interests. Geographically, their operations have a global reach, but with a pronounced emphasis on organizations within the United States, Europe, and Asia that possess valuable technological, economic, or political intelligence.
Tactics & Techniques
Putter Panda employs a range of sophisticated tactics, techniques, and procedures (TTPs) designed for stealthy, long-term espionage. Their initial access often leverages spear-phishing campaigns, frequently using malicious attachments or links tailored to entice specific targets. These emails often impersonate trusted entities or exploit current events to increase their legitimacy. They have also been known to exploit publicly known vulnerabilities in common software and network devices to gain initial footholds.
Once inside a network, Putter Panda prioritizes establishing persistence. This includes creating new user accounts, modifying system services, and deploying various backdoors. They are adept at credential access, utilizing tools to dump credentials from memory, hash harvesting, and keystroke logging to elevate privileges and move laterally within the network. For lateral movement, they often use legitimate administrative tools such as PsExec or RDP, blending their activity with normal network traffic to evade detection. Data exfiltration is typically achieved through encrypted channels, often disguised as legitimate traffic, to command and control (C2) servers located in various geographic regions, utilizing protocols like HTTP or HTTPS. They are also known for their operational security, frequently changing C2 infrastructure and employing custom encryption to protect their communications.
Notable Campaigns
While specific incident details are often classified or not publicly disclosed in their entirety, the CrowdStrike “Putter Panda” report in 2014 was a pivotal moment, publicly detailing their activities and attribution to Unit 61486. This report highlighted numerous campaigns targeting entities in the defense and government sectors over several years. One notable aspect of their operations uncovered by this report was their use of custom-developed malware, which allowed them to maintain a persistent presence in target networks for extended periods.
Another significant aspect of their operations involves targeting organizations with strong intellectual property related to satellite technology, aerospace, and advanced materials. While specific campaign names are not always publicly attributed to Putter Panda, their TTPs and malware overlap with broader Chinese state-sponsored espionage efforts targeting these strategic industries. The consistent targeting of defense contractors and high-tech companies indicates a long-standing directive to acquire sensitive information and technological advancements that benefit China’s military and economic modernization.
Associated Malware & Tools
Putter Panda has historically utilized a bespoke set of malware and tools tailored for their espionage objectives. One of their primary backdoors, referred to by various names including “MSUpdater” or simply “Putter Panda malware,” is designed for remote access, file exfiltration, and execution of additional commands. This malware often masquerades as legitimate software components to avoid detection.
Another notable piece of malware associated with the group is Derusbi, a sophisticated backdoor capable of a wide array of functions, including remote code execution, file system manipulation, and data collection. Derusbi has been a staple in their toolkit for years, evolving over time to incorporate new evasion techniques. The group has also been linked to “CN-SRV” and “Pteranodon,” both backdoor families used for maintaining persistence and facilitating data theft. Beyond custom malware, Putter Panda has also been observed leveraging publicly available tools and modified versions of legitimate utilities to blend in with normal network activity, further complicating attribution and detection efforts. This approach helps them maintain a low profile, especially during the later stages of an intrusion.
Current Status
Putter Panda (G0024) remains an active and persistent threat. While public reporting on their activities may ebb and flow, security researchers continue to observe and track Chinese state-sponsored espionage groups, many of which share TTPs or infrastructure with previously identified entities like Putter Panda. The underlying motivations for their operations—strategic intelligence gathering and intellectual property theft—have not diminished.
Given the continuous nature of cyber espionage and the strategic importance of their target sectors, it is highly probable that Unit 61486, or its successor entities, continues to operate under new guises or with updated toolsets. The group’s ability to adapt its TTPs, malware, and infrastructure makes consistent monitoring crucial for organizations that fall within their traditional targeting scope. While direct public attribution of recent campaigns specifically to “Putter Panda” might be less frequent as researchers evolve their naming conventions, the threat represented by this group and its core objectives remains very much alive and warrants continued vigilance from security professionals.
Related content
Axiom (G0001): Profile of a Sophisticated Chinese Cyber Espionage Group
Adversary ProfileDeep Panda (G0009) Threat Actor Profile: A Persistent Chinese Espionage Group
Adversary ProfileAPT19: Persistent Chinese Cyber Espionage and Credential Theft
Adversary ProfileRancor: Persistent Espionage in Southeast Asia
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call