Deep Panda APT

Deep Panda began attacking the healthcare, aerospace, and energy sectors around 2012. Deep Panda is believed to be a Chinese state sponsored group. Symantec believes that Black Vine may be affiliated with a Beijing IT security organization called Topsec. Topsec is a research institute with sites across China. Topsec focuses on information security research, training, auditing, and security products. It also hosts a hacking competition (from which they hire hackers). It is possible that some members of Topsec are affiliated with Deep Panda.

Deep Panda attacks tend to have massive impacts and they accrue proportional media attention. In order to conduct multiple sizable campaigns against United States Federal government agencies and major western health care providers for extended time periods, Deep Panda must have considerable resources at their disposal. In illustration, it is possible that Deep Panda was concurrently engaged in cyber-attacks against the United States Office of Personnel Management, the Anthem healthcare network, United Airlines, and other entities. In December 2015, the Chinese government announced that it had arrested the actors behind the OPM breach and that Deep Panda was not responsible. Many in the political and cybersecurity spheres remain skeptical that the arrests are legitimate.

Deep Panda conducts watering hole attacks; zero-day exploits, and spear phishing campaigns. The group also utilizes some of the exploits and tools from the Elderwood platform. A vast majority, ~80%, of Deep Panda targets are American. Deep Panda targets government agencies, the aerospace sector, the healthcare sector, financial organizations, technology firms, and energy entities (primarily gas and electric manufacturers).

In the United States health care sector, Deep Panda has attacked VAE, Anthem, Empire Blue Cross Blue Shield, and Carefirst. In the recent 2014-2015 Anthem breach, the group exfiltrated ~80 million patient records. Information exfiltrated from Anthem includes social security numbers and other personal identifiable information or personal health information. It is believed that the Axiom group also attacked Anthem at the same time as Deep Panda, but with a different malware and along different vectors. The attack appears as a coordinated effort. Further, enough similarities exist between the meticulous planning and malware employed by the two groups, that many security firms hypothesize that they are both part of the same group. There is a strong possibility that the groups are affiliated.

Deep Panda is also believed to be responsible for the two 2015 OPM breaches. The breaches resulted in the exposure of the personal information contained in the SF-86 forms of 22.1 million current and former United States Federal employees. 5.6 million fingerprint files were also stolen. Deep Panda breached United Airlines in 2015 and stole departure and destination records. The health, OPM, and travel records stolen by Deep Panda can be aggregated to catastrophically impact the United States government over time. The adversary or their parent nation state can build a database of US employees for espionage purposes. Further, the information can be used to identify United States agents in the country or to identify Chinese assets who assist United States intelligence efforts. Even though their systems were not compromised and their agents’ information was not included in the breach, the CIA has already began retracting agents from the field in response to the cyber-attacks. The CIA made this decision because State Department records were stolen in the breach and the attacker could thereby discover embassy employees who were not included in the State Department records and capture those individuals as spies or coerce their behavior. In this manner, Deep Panda has pushed forward the boundaries of cyber-warfare to achieve a measurable “physical” nation-state response. Further, physical warfare has been suggested in the United States in response to the cyber-attacks.

Deep Panda relies on the Sakurel Trojan, the Hurix Trojan, and the Mivast backdoor in its attacks. Deep Panda is believed to have developed all of the malware themselves. Characteristics in the malware code are shared between all three malware. Further, each malware is capable of opening a named pipe back door and contains tools to collect and exfiltrate system data, the ability to execute arbitrary code, the ability to create, modify, and delete registry keys.

The malwares are similar in that they utilized droppers that masquerade as installers for legitimate software applications like Adobe Reader, Juniper VPN, and Microsoft ActiveX Control. In some cases, a loading bar displays and then the user redirects to a login page for the associated software. The malwares contain measures to avoid detection. The malwares self-obfuscate as technology related applications such as media applications or VPN technologies. The malwares establish persistent presence on the system, deploy remote access Trojans (RATs) such as the Derusbi malware, and feature tools to record and seize user sessions. Tools such as PwDump and Scanline are included to steal user credentials, to allow the actor to escalate their privileges, to let the actor create unmonitored accounts, and to assist the attacker in lateral movements to systems across the network. Symantec believes that all three malware belong to the same family and that they have been updated and differentially developed over time by the same team. The malware is usually signed by the DTOPTOOLZ Co. signature belonging to a Korean software company. Domains and C2 servers often feature the names of Marvel comic book characters as the register.

Type: Nation-State-Sponsored

Status: Active

Other Names: Black Vine / Pupa/ APT 19/ Shell Crew/ Kung Fu Kitten/ WebMasters/ TEMP.Avengers/ Group 13/ Sh3llCr3w/ PinkPanther/ Steamex

Active Since/Discovered:  2012


  • ~80% targets American

Target Sectors:

  • Government, Healthcare, Defense, Aerospace, Finance, Technology, and Energy sectors
  • Espionage data, PII, and Operational design data


  • StreamEx
    • access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands
    • 64-bit and 32-bit versions
    • Backdoor droppers use a semi-random name chosen from existing service entries under the machine ‘netsvcs’ registry key
    • Code commands are obfuscated with statically programmed fragments of strings when starting the ‘bt’ DLL
    • PlugX samples were served from some of the same C2 servers or watering-hole sites – connection to other campaigns
  • Sakula/Sakurel
    • named pipe back door, tools to collect and exfiltrate system data, the ability to execute arbitrary code, the ability to create, modify, and delete registry keys
    • Droppers that masquerade as installers for legitimate software applications like Adobe Reader, Juniper VPN, and Microsoft ActiveX Control
  • Hurix Trojan
  • Mivast backdoor
  • Derusbi
    • record and control user sessions
  • ScanBox Framework
  • Webshells (China Chopper, WCE, etc.)
  • PWDump and Scanline
    • steal user credentials

Preferred Attack Vector: Spear-phishing, watering-hole, 0-day exploits


      • CVE-2012-0158, CVE-2014-0322, and CVE-2015-5119
      • Exploits 0-days opportunistically, as they are discovered or disclosed


    • Considerable resources
    • Believed Responsible for OPM, Anthem, United Airlines, VAE, Empire BCBS, Carefirst, and  other major breaches
    • First China group to target PII
    • Affiliated with Axiom
    • May be affiliated with a Beijing IT security organization called Topsec
    • C2 domains registered as Marvel Comic Book characters
    • The malware is usually signed by the DTOPTOOLZ Co. signature