Goblin Panda

Threat Actor Profile Updated 3 months ago

Download STIX

Preview STIX

Goblin Panda is a recognized threat actor, known for its malicious activities in the cyber world. Various research organizations have indicated that several Chinese Advanced Persistent Threat (APT) groups such as Growing Taurus (aka Naikon) and Parched Taurus (aka Goblin Panda) have leveraged this threat. Furthermore, a builder linked to this threat, which creates a file named '8.t', is widely used by Chinese APT groups including TA428, Goblin Panda, IceFog, and SongXY. Although not publicly accessible, this builder's usage indicates the extent of Goblin Panda's influence in the cyber threat landscape. In recent developments, ESET researchers detected a MirrorFace spearphishing campaign targeting political entities in Japan. They also noted a shift in the target interests of some China-aligned groups, with Goblin Panda beginning to mirror Mustang Panda’s focus on European countries. This evolution signifies a broadening of Goblin Panda's geographical scope and an increase in its threat potential. The software deployed by Goblin Panda includes Cobalt Strike, Quasar RAT, HDoor (a backdoor previously used by Chinese groups like Naikon and Goblin Panda), a Gh0st RAT variant known as Gh0stCringe, and Winnti - a multi-functional implant capable of granting remote control to an infected machine. These tools further demonstrate the sophistication and capabilities of Goblin Panda, highlighting the need for robust cybersecurity measures to counteract its threats.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Naikon	2	Naikon is a threat actor, or group, known for its execution of actions with malicious intent. It is associated with various Advanced Persistent Threat (APT) groups originating from China, such as Growing Taurus and Parched Taurus, also known as Goblin Panda. Naikon has been linked to PLA Unit 78020/

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Rat

Backdoor

Implant

Spearphishing

Eset

Malware

Payload

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
gh0st RAT	Unspecified	1	Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's
HDoor	Unspecified	1	HDoor is a malicious software (malware) that has been publicly available in Chinese forums since 2008. This malware, equipped with full backdoor capabilities, allows operators to perform a variety of tasks, making it a potent threat to computer systems. It can infect systems through suspicious downl
Gh0stcringe	Unspecified	1	Gh0stCringe is a variant of Gh0st RAT, a notorious malware that has been used in numerous cyber attacks. This malicious software is designed to exploit and damage computers or devices by infiltrating the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once in
Taurus	Unspecified	1	Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Mustang Panda	Unspecified	1	Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Growing Taurus	Unspecified	1	None
Winnti	Unspecified	1	Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
Parched Taurus	Unspecified	1	None

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Goblin Panda Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	10 months ago	New Report Uncovers 3 Distinct Clusters of China-Nexus Attacks on Southeast Asian Government
Unit42	10 months ago	Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
MITRE	a year ago	COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
ESET	a year ago	ESET APT Activity Report T3 2022 \| WeLiveSecurity