Hurricane Panda APT

Type: Unknown

Status: Inactive since Fall 2015

Other Names: Operation Umbrella Revolution, Operation Poisoned Hurricane

Active Since/Discovered: 2013

Last Report: December 2015

Targets: Telecommunications and technology companies. Targets confidential data and intellectual property

Target Sectors: internet services, engineering, and aerospace


  • RATs – Sakula Gh0st, PlugX, Hikit, Mimikatz
  • Webshell RAT – Chopper webshell
    • Easily obfuscated 70 byte text file that consists of an ‘eval()’ command
    • Used to provide full command execution and file upload/download capabilities to the attackers.
    • Typically uploaded to a web server via a SQL injection or WebDAV vulnerability

Preferred Attack Vector:  zero-day vulnerabilities; a DNS resolution exploitation technique; unique toolkit; and a SQL injection vulnerabilities


  • Stolen data exfiltrated via FTP as multiple password protected RAR files
  • CVE-2014-4113


  • used free DNS servers provided by Hurricane Electric to resolve well known domains to the desired attack infrastructure ip