Wicked Panda

Threat Actor profile, last updated 2024-10-17T12:02:44.574Z
Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a prominent Chinese state-sponsored threat actor. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center lists it among the top threat actors to the health sector. Over time, multiple subgroups or overlapping clusters have been tracked under the APT41 umbrella, including Winnti, Suckfly, and Barium. These groups have conducted extensive cyberespionage, compromising sensitive data from organizations in the US and several other countries.

The group has been associated with the LightSpy surveillance malware, as reported by security researchers at ThreatFabric, and with the ShadowPad backdoor, which was discovered in 2017 following a supply-chain attack on server management software. Its tactics include hosting malicious files on public cloud services and installing backdoors on targeted systems to maintain espionage access. Recent attacks attributed to the group have targeted Taiwanese government agencies, the Philippine and Japanese militaries, and energy companies in Vietnam.

Wicked Panda is tracked as a distinct cluster rather than as part of another known advanced persistent threat (APT) group. Some analyses have nonetheless found overlap between APT41 and other Chinese state-sponsored groups such as APT10 (Bronze Riverside, Potassium, or Stone Panda) and APT27 (Bronze Union, Emissary Panda, or Lucky Mouse), indicating possible tactical similarities. Overall, Wicked Panda represents a significant threat to global cybersecurity, with advanced capabilities and a broad range of targets.
Description last updated: 2024-10-17T11:42:05.965Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed below are possible overlapping names and profiles that may also be worth examining, each with the number of votes supporting the alias.
- APT41 (4 votes). APT41 is a possible alias for Wicked Panda. APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a threat actor suspected to be linked to China. The group has been active since at least 2012 and has targeted organizations in over 14 countries. It has used a variety of sophisticated techniques and malware, including at least 46
- Winnti (2 votes). Winnti is a possible alias for Wicked Panda. Winnti, a notorious threat actor group, has been linked to several sophisticated cyber-espionage activities. First identified by Kaspersky in 2013, the group is believed to have been active since at least 2007, primarily targeting software supply chains to spread malware. Winnti is part of the A
- Double Dragon (2 votes). Double Dragon is a possible alias for Wicked Panda. Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. The group has been identified by t
- LightSpy (2 votes). LightSpy is listed as a possible alias for Wicked Panda, but the profile above describes LightSpy as surveillance malware used by the group rather than as a group name, so this entry is better read as a tooling association. The LightSpy implant has been used in a renewed espionage campaign primarily targeting South Asia. The latest wave of a
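The alias-tracking problem described above can be handled mechanically rather than by eye. The following is an added Python example, not code from this page or from the Cybergeist dataset: it merges vendor alias assertions into clusters with a union-find, drops assertions below a vote threshold, and refuses to merge a name whose object type is not a group (the LightSpy row, which the profile describes as malware). The vote counts for APT41, Winnti, Double Dragon and LightSpy are taken from the list above; the Barium row with a single vote and the object-type labels are constructed assumptions added for illustration.

```python
"""Merge vendor alias assertions into name clusters, gated by votes and object type."""
from collections import defaultdict

MIN_VOTES = 2  # assumed threshold: one vendor's say-so is not enough to merge names

# Constructed from the alias list on this page: (name, proposed alias, votes, type of alias).
# Votes for the first four rows come from the page; the Barium row and every
# object-type label are assumptions added here to exercise the rejection paths.
ALIAS_ASSERTIONS = [
    ("Wicked Panda", "APT41", 4, "intrusion-set"),
    ("Wicked Panda", "Winnti", 2, "intrusion-set"),
    ("Wicked Panda", "Double Dragon", 2, "intrusion-set"),
    ("Wicked Panda", "LightSpy", 2, "malware"),        # tooling, not a group name
    ("Wicked Panda", "Barium", 1, "intrusion-set"),    # constructed: below threshold
]


class UnionFind:
    """Disjoint-set forest over names; unknown names become singleton sets on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving keeps trees shallow
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(assertions, min_votes=MIN_VOTES):
    """Return (clusters, rejected).

    clusters maps every merged name to the frozenset of names in its cluster;
    rejected lists ((name, alias), reason) for assertions that were not merged,
    either because the alias is not a group object or because it lacks votes.
    """
    uf = UnionFind()
    rejected = []
    for name, alias, votes, kind in assertions:
        if kind != "intrusion-set":
            rejected.append(((name, alias), f"{alias} is a {kind}, not a group name"))
            continue
        if votes < min_votes:
            rejected.append(((name, alias), f"only {votes} vote(s), below {min_votes}"))
            continue
        uf.union(name, alias)

    groups = defaultdict(set)
    for n in list(uf.parent):
        groups[uf.find(n)].add(n)
    clusters = {n: frozenset(members) for members in groups.values() for n in members}
    return clusters, rejected


def resolve(name, clusters):
    """All names that resolve to the same cluster as `name` (just `name` if unmerged)."""
    return sorted(clusters.get(name, {name}))


if __name__ == "__main__":
    clusters, rejected = build_clusters(ALIAS_ASSERTIONS)
    print("Winnti ->", resolve("Winnti", clusters))
    print("LightSpy ->", resolve("LightSpy", clusters))
    for pair, reason in rejected:
        print("rejected", pair, ":", reason)
```

Looking a name up returns the whole cluster, so a detection rule or report tagged with any vendor name can be matched against the others; the rejected list is what an analyst reviews, since a rejection for object type (malware filed as a group) is a data-quality error, whereas a rejection for votes only means more evidence is needed.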
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage, Health, State Sponso..., Malware, Backdoor, ThreatFabric
Associated Threat Actors
Note that APT43, Emerald Sleet, and Thallium are three vendor names for the same Kimsuky cluster (the APT43 and Thallium entries say so themselves, and Emerald Sleet is Microsoft's current name for Thallium), so the entries below amount to two associations rather than four, and the association type is unspecified in every case. These records do not by themselves establish an operational overlap between Wicked Panda and North Korean actors.

- The Lazarus Group (association type: unspecified; 2 votes). The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, which targeted Spain with a high level of confidence. Over th
- APT43 (association type: unspecified; 2 votes). APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and for using cybercrime to fund espionage. It has been linked to several aliases, including Springtail, ARCHIPELA
- Emerald Sleet (association type: unspecified; 2 votes). Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. The group is known for its use of large language models (LLMs), leveraging them to enhance spear-phishing campaigns, research public
- Thallium (association type: unspecified; 2 votes). Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. The group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi