Active since at least 2010, Emissary Panda—also known by aliases such as APT27, LuckyMouse, and Bronze Union—is a Chinese state-sponsored advanced persistent threat (APT) group. Known for its industrial espionage and geopolitical intelligence missions, this group employs advanced tactics such as spearphishing, strategic web compromises, and custom malware to infiltrate high-value targets globally.
The group’s primary goals center on industrial espionage, theft of intellectual property, and geopolitical intelligence. Targets often include the aerospace, energy, automotive, government, and technology sectors.
Initial Access: Primarily through spearphishing emails that include malicious links or documents; watering-hole attacks targeting websites frequently visited by victims.
Exploitation: Leveraging older vulnerabilities, for which patches are already available, in applications such as Flash, Java, SharePoint, and Windows.
Persistence & Evasion: Regular use of techniques such as DLL hijacking, signed executables, and ISAPI filters on Microsoft Exchange servers.
Selective Data Exfiltration: Focuses on extracting high-value data rather than mass amounts.
Deployment of custom malware such as SysUpdate and tools like PlugX and HttpBrowser.
Using web shells (e.g., ChinaChopper) to maintain access to compromised environments.
Recurrent presence in victim networks by leveraging stolen credentials or misconfigurations.
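The web shell and IIS-based persistence behaviour described above leaves a recognisable trace in process-creation telemetry: the IIS worker process (w3wp.exe, which hosts Exchange OWA/ECP and SharePoint) spawning a command interpreter. The following Python script is an added example, not code from the Huntress profile, showing one such detection check. It assumes Sysmon Event ID 1 or EDR events already parsed into dictionaries with parent, image, cmdline and user fields; the sample events, paths and application pool names are constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 / EDR style, already parsed).
# Paths, users and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami",
     "user": "IIS APPPOOL\\MSExchangeOWAAppPool"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "user": "IIS APPPOOL\\DefaultAppPool"},
    # Normal noise: conhost accompanies any console process, csc.exe is ASP.NET compilation.
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4",
     "user": "IIS APPPOOL\\DefaultAppPool"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /fullpaths @\"C:\\Windows\\Temp\\abc.cmdline\"",
     "user": "IIS APPPOOL\\DefaultAppPool"},
    # Benign: an interactive user opening a prompt from Explorer.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe",
     "user": "CORP\\jdoe"},
]

# IIS worker processes whose children we inspect.
WEB_WORKERS = {"w3wp.exe"}
# Interpreters and living-off-the-land binaries a web shell typically launches.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "certutil.exe", "net.exe", "whoami.exe"}
# Children of w3wp.exe that are expected under normal ASP.NET operation.
KNOWN_NOISE = {"conhost.exe", "csc.exe", "cvtres.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S+")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_webshell_suspects(events):
    """Return events where an IIS worker spawned an unexpected child process."""
    hits = []
    for ev in events:
        if basename(ev["parent"]) not in WEB_WORKERS:
            continue
        child = basename(ev["image"])
        if child in KNOWN_NOISE:
            continue
        reasons = []
        if child in SHELL_CHILDREN:
            reasons.append(f"{child} spawned by IIS worker process")
        else:
            reasons.append(f"unexpected child {child} of IIS worker process")
        if ENCODED_PS.search(ev["cmdline"]):
            reasons.append("encoded PowerShell command line")
        if ev["user"].upper().startswith("IIS APPPOOL\\"):
            reasons.append("running under an application pool identity")
        hits.append({"image": child, "cmdline": ev["cmdline"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_webshell_suspects(SAMPLE_EVENTS):
        print(hit["image"], "->", "; ".join(hit["reasons"]))
```

The allow-list of known children is the part that needs tuning per environment: Exchange and SharePoint servers have their own legitimate child processes, and the goal is to alert on interpreters and LOLBins without drowning the queue in ASP.NET compilation noise.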
The 2023 compromise of an Asian government and a Middle Eastern telecommunications provider using updated SysUpdate toolkits.
Exploitation of the Cobra DocGuard update mechanism to attack a gambling company in Hong Kong.
Targeting of Mongolian governmental agencies via compromised chat software as part of a supply chain attack.
There have been no publicly confirmed arrests or large-scale law enforcement actions targeting Emissary Panda. The group’s alignment with a state sponsor further complicates enforcement efforts.
Patch Management: Regularly update and patch software, especially internet-facing services such as SharePoint and IIS.
Phishing Defense: Deploy strong email security measures, train employees, and block malicious links and attachments.
Endpoint and Network Monitoring: Utilize EDR tools to detect suspicious activity, such as DLL injection or unusual certificate usage.
Multifactor Authentication (MFA) and Least Privilege Access: Protect critical systems by enforcing MFA and limiting administrative privileges.
Threat Intelligence and IOC Monitoring: Actively track IOCs associated with Emissary Panda and use them for detection within your network.
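Putting published indicators to use means matching them against your own telemetry with the right normalisation, so that a mixed-case hash, a subdomain of a listed C2 domain, or an address with a port suffix still registers. The script below is an added example, not Huntress code, of that matching logic in Python. The IOC feed and log lines are constructed placeholders (TEST-NET addresses, a .invalid domain, a synthetic hash) and are not real Emissary Panda indicators.

```python
import re

# Placeholder indicators, constructed for this example only.
PLACEHOLDER_SHA256 = "0123456789abcdef" * 4
IOC_FEED = f"""
# type,value,note
sha256,{PLACEHOLDER_SHA256},placeholder loader hash
domain,update.example-c2.invalid,placeholder C2 domain
ipv4,203.0.113.45,placeholder C2 address (TEST-NET-3)
"""

# Constructed DNS, proxy and file-event log lines.
SAMPLE_LOGS = [
    "dns client=10.0.0.12 query=Update.Example-C2.Invalid",              # case differs
    "dns client=10.0.0.12 query=cdn.update.example-c2.invalid",          # subdomain of IOC
    "dns client=10.0.0.13 query=example-c2.invalid.example.org",         # must NOT match
    "proxy client=10.0.0.14 dst=203.0.113.45:443 bytes=8812",            # IP with port
    "file host=WS07 path=C:\\Users\\Public\\svc.dll sha256=" + "0123456789ABCDEF" * 4,
    "proxy client=10.0.0.15 dst=198.51.100.7:443 bytes=100",             # clean
]

HEX64 = re.compile(r"\b[0-9a-f]{64}\b")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Dotted names whose final label starts with a letter (excludes dotted IPs).
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*\b")


def load_iocs(feed_text: str):
    """Parse a type,value,note feed into lower-cased sets keyed by indicator type."""
    iocs = {"sha256": set(), "domain": set(), "ipv4": set()}
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, *_ = [part.strip() for part in line.split(",")]
        iocs[kind].add(value.lower().rstrip("."))
    return iocs


def domain_matches(name: str, domains):
    """Return listed domains that equal `name` or are a parent domain of it."""
    name = name.lower().rstrip(".")
    return [d for d in domains if name == d or name.endswith("." + d)]


def scan_logs(lines, iocs):
    """Return (line_number, indicator_type, indicator) for every IOC hit."""
    hits = []
    for number, raw in enumerate(lines, 1):
        line = raw.lower()
        for digest in HEX64.findall(line):
            if digest in iocs["sha256"]:
                hits.append((number, "sha256", digest))
        for ip in IPV4.findall(line):
            if ip in iocs["ipv4"]:
                hits.append((number, "ipv4", ip))
        for host in HOST.findall(line):
            for d in domain_matches(host, iocs["domain"]):
                hits.append((number, "domain", d))
    return hits


if __name__ == "__main__":
    for number, kind, value in scan_logs(SAMPLE_LOGS, load_iocs(IOC_FEED)):
        print(f"line {number}: {kind} match on {value}")
```

The suffix check in domain_matches is deliberately anchored on a leading dot: a lookalike such as example-c2.invalid.example.org shares characters with the listed domain but is a different name, and a plain substring match would report it as a hit.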
Huntress enables organizations to strengthen their defenses with advanced endpoint monitoring, robust phishing prevention, and threat-hunting services.