Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]

ID: G0009
Aliases: Deep Panda, Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Contributors: Andrew Smith, @jakx_

Version: 1.0

Alias Descriptions

Deep Panda[1]
Shell Crew[3]
KungFu Kittens[3]
Black Vine[4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1015 | Accessibility Features | Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3]
Enterprise | T1066 | Indicator Removal from Tools | Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[4]
Enterprise | T1086 | PowerShell | Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
Enterprise | T1057 | Process Discovery | Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[1]
Enterprise | T1117 | Regsvr32 | Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.[3]
Enterprise | T1018 | Remote System Discovery | Deep Panda has used ping to identify other machines of interest.[1]
Enterprise | T1064 | Scripting | Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
Enterprise | T1100 | Web Shell | Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[6]
Enterprise | T1077 | Windows Admin Shares | Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.[1]
Enterprise | T1047 | Windows Management Instrumentation | The Deep Panda group is known to utilize WMI for lateral movement.[1]


Software

ID | Name | Techniques
S0021 | Derusbi | Audio Capture, Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Fallback Channels, File and Directory Discovery, File Deletion, Input Capture, Process Discovery, Process Injection, Query Registry, Regsvr32, Screen Capture, Standard Non-Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Timestomp, Video Capture
S0080 | Mivast | Command-Line Interface, Commonly Used Port, Credential Dumping, Registry Run Keys / Startup Folder, Remote File Copy
S0039 | Net | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0097 | Ping | Remote System Discovery
S0074 | Sakula | Bypass User Account Control, Command-Line Interface, Custom Cryptographic Protocol, DLL Side-Loading, File Deletion, New Service, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Standard Application Layer Protocol
S0142 | StreamEx | Command-Line Interface, File and Directory Discovery, Modify Registry, New Service, Obfuscated Files or Information, Process Discovery, Rundll32, Security Software Discovery, System Information Discovery
S0057 | Tasklist | Process Discovery, Security Software Discovery, System Service Discovery