Emissary Panda

Threat Actor updated 25 days ago (2024-08-14T22:17:40.732Z)
Download STIX
Preview STIX
Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Lucky Mouse, and Budworm, is a notable threat actor linked to China. This group has been engaged in the theft of intellectual property from organizations in sectors that China perceives as being of vital strategic interest. The group has demonstrated a broad approach, exploiting widespread vulnerabilities such as those found in SharePoint, rather than focusing on specific targets. Emissary Panda has targeted a range of organizations across Europe, North and South America, Africa, the Middle East, and the Asia-Pacific region, including government entities and telecommunications providers. The group employs a variety of tools and techniques in its operations. Notably, it was found to use the China Chopper webshell on SharePoint servers, a tool also associated with Emissary Panda's activities. In addition, the actors have used these webshells to upload legitimate executables, which they then use for DLL sideloading to run a malicious DLL. Code overlaps have been identified between these malicious DLLs and those used in previous Emissary Panda attacks. Several of the tools uploaded to the webshells appear to be custom-made and likely related to this threat group. Emissary Panda has shown its ability to disable antivirus protections, notably through the use of a new variant of the Eagerbee backdoor. It has also deployed an updated version of its SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll), demonstrating the group's active development of cyber-espionage tools. This threat actor has not only targeted critical Active Directory assets but has also launched new attacks against an Asian government and a Middle East-based telecommunications provider, indicating a persistent and evolving threat landscape.
Description last updated: 2024-08-14T22:15:36.294Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
APT27
7
APT27, also known as Iron Taurus, is a threat actor group suspected to be attributed to China. Engaging in cyber operations with the primary goal of intellectual property theft, APT27 targets organizations globally, with a focus on North and South America, Europe, and the Middle East. The group's mo
SysUpdate
4
SysUpdate is a malicious software variant that has been exclusively used by Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix. In December 2020, a sample of the SysUpdate malware variant was found, with its payload being a new version of SysUpdate.
LuckyMouse
4
LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
Lucky Mouse
3
Lucky Mouse, also known as Emissary Panda, APT27, Threat Group 3390, Bronze Union, and several other names, is a malicious software (malware) attributed to a China-linked Advanced Persistent Threat (APT) group. This malware has been active since at least 2013, targeting various industry verticals fo
BRONZE UNION
2
Bronze Union, also known as APT27, Emissary Panda, Lucky Mouse, Iron Tiger, and Red Phoenix, is a threat actor with alleged connections to the Chinese government. The group has been observed targeting organizations across Europe, North and South America, Africa, the Middle East, and the Asia-Pacific
Budworm
2
Budworm, also known as LuckyMouse or APT 27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41,
Iron Tiger
2
Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group known for executing malicious actions with the intent of espionage. The group became prominent after its involvement in Operation Iron Tiger, which was reported in 2015. This operation was a series of Chinese cyber-espionage att
Cobra Docguard
2
Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst
inicore_v2.3.30.dll
2
The malware inicore_v2.3.30.dll is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Windows
Sharepoint
Vulnerability
Exploit
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
IDTypeVotesProfile Description
CobraUnspecified
2
Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup
Source Document References
Information about the Emissary Panda Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
25 days ago
'EastWind' Cyber Spy Campaign Combines Various Chinese APT Tools
DARKReading
3 months ago
Chinese Threat Clusters Triple-Team High-Profile Asian Government Org
CERT-EU
10 months ago
Domain of Thrones: Part I
CERT-EU
a year ago
Multiple Chinese APTs are attacking European targets, EU cyber agency warns | #ukscams | #datingscams | #european | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
CERT-EU
a year ago
Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org - Cyber Security Review
CERT-EU
a year ago
DDoS attack hits Russian flight booking system claimed by Ukrainian hackers
CERT-EU
a year ago
Asian government, telco targeted by Chinese APT
CERT-EU
a year ago
Cyber Security Week in Review: September 29, 2023
InfoSecurity-magazine
a year ago
Budworm APT Evolves Toolset, Targets Telecoms and Government
CERT-EU
a year ago
China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies
CERT-EU
a year ago
Budworm hackers target telcos and govt orgs with custom malware
BankInfoSecurity
a year ago
Threat Actor Targets Hong Kong With Korplug Backdoor
Securityaffairs
a year ago
Carderbee APT targets Hong Kong orgs via supply chain attacks
CERT-EU
a year ago
Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack
Checkpoint
2 years ago
6th March – Threat Intelligence Report - Check Point Research
CERT-EU
a year ago
Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers
MITRE
2 years ago
Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE
2 years ago
Emissary Panda – A potential new malicious tool
MITRE
2 years ago
Emissary Panda Attacks Middle East Government SharePoint Servers
MITRE
2 years ago
Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”