Hurricane Panda APT

Type: Unknown

Status: Inactive since Fall 2015

Other Names: Operation Umbrella Revolution, Operation Poisoned Hurricane

Active Since/Discovered: 2013

Last Report: December 2015

Targets: Telecommunications and technology companies. Targets confidential data and intellectual property

Target Sectors: internet services, engineering, and aerospace


  • RATs – Sakula Gh0st, PlugX, Hikit, Mimikatz
  • Webshell RAT – Chopper webshell
    • Easily obfuscated 70 byte text file that consists of an ‘eval()’ command
    • Used to provide full command execution and file upload/download capabilities to the attackers.
    • Typically uploaded to a web server via a SQL injection or WebDAV vulnerability

Preferred Attack Vector:  zero-day vulnerabilities; a DNS resolution exploitation technique; unique toolkit; and a SQL injection vulnerabilities


  • Stolen data exfiltrated via FTP as multiple password protected RAR files
  • CVE-2014-4113


  • used free DNS servers provided by Hurricane Electric to resolve well known domains to the desired attack infrastructure ip
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google