Group description: Deep Panda
Deep Panda, Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine, Group G0009 | MITRE ATT&CK®

Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]

ID: G0009
Associated Groups: Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Contributors: Andrew Smith, @jakx_
Version: 1.2
Created: 31 May 2017
Last Modified: 16 April 2025

Associated Group Descriptions

Name | Description
Shell Crew | [3]
WebMasters | [3]
KungFu Kittens | [3]
PinkPanther | [3]
Black Vine | [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk. [1]
Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions. [3]
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]
Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Deep Panda has updated and modified its malware, resulting in different hash values that evade detection. [4]
Enterprise | T1057 | Process Discovery | Deep Panda uses the Microsoft Tasklist utility to list processes running on systems. [1]
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials. [1]
Enterprise | T1018 | Remote System Discovery | Deep Panda has used ping to identify other machines of interest. [1]
Enterprise | T1505.003 | Server Software Component: Web Shell | Deep Panda uses Web shells on publicly accessible Web servers to access victim networks. [6]
Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks. [3]
Enterprise | T1047 | Windows Management Instrumentation | The Deep Panda group is known to utilize WMI for lateral movement. [1]

Software

ID | Name | References | Techniques
S0021 | Derusbi | [2] | Audio Capture, Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0080 | Mivast | [4] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Ingress Tool Transfer, OS Credential Dumping: Security Account Manager
S0039 | Net | [1] | Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0097 | Ping | [1] | Remote System Discovery
S0074 | Sakula | [2] | Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, System Binary Proxy Execution: Rundll32
S0142 | StreamEx | [7] | Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, File and Directory Discovery, Modify Registry, Obfuscated Files or Information, Process Discovery, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Information Discovery
S0057 | Tasklist | [1] | Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery

References

[1] Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
[2] ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
[3] RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
[4] DiMaggio, J. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
[5] Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China's Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
[6] RYANJ. (2014, February 20). Mo' Shells Mo' Problems - Deep Panda Web Shells. Retrieved September 16, 2015.
[7] Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV's Radar. Retrieved February 15, 2017.