Putter Panda APT behind cyber espionage campaigns, are they members of PLA Unit 61486?

Pierluigi Paganini June 11, 2014

CrowdStrike published a new report that blames the Chinese Putter Panda group for a series of cyber espionage campaigns conducted against foreign companies.

Putter Panda is the name of the threat actor responsible for a series of cyber espionage operations originating in Shanghai; security experts have linked its operations to the activity of the People's Liberation Army 3rd General Staff Department 12th Bureau, Unit 61486.

A fake yoga brochure was one of the many emails used in a spear phishing campaign conducted by the stealthy Chinese cyber unit, according to an investigation by researchers at the CrowdStrike security firm. In this case too, the experts believe we are facing a large-scale cyber espionage campaign targeting government entities, contractors and research companies in Europe, the USA and Japan.

The group has been operating since at least 2007 and appears very interested in research companies in the space and satellite industry; experts at CrowdStrike have collected evidence of numerous attacks against these industries.

CrowdStrike's report blames China for the campaigns conducted to steal trade and military secrets and intellectual property from foreign companies.

The hacking teams uncovered by CrowdStrike's forensic experts adopted an efficient strategy to hide their origins: they used compromised foreign websites to launch their cyber offensives.

The security experts noticed that the tools used in the various cyber espionage campaigns were compiled during working hours in the Chinese time zone, as explained in the report:

"A build time analysis of all known samples is shown in Figure 1 below, relative to China time. Although this shows that there is some bias in the build time distribution to daylight or working hours in China, which is more significant if a possible three-shift system of hours is considered (0900-1200, 1400-1700, and 2000-2300), this evidence is not conclusive. There is also some evidence that build times are manipulated by the adversary; for example, the sample with MD5 hash bc4e9dad71b844dd3233cfbbb96c1bd3 has a build time of 18 July 2013, but was supposedly first submitted to VirusTotal on 9 January 2013. This shows that the attackers – at least in 2013 – were aware of some operational security considerations and were likely taking deliberate steps to hide their origins."

[Figure 1: CrowdStrike build-time analysis of the tools, relative to China working hours]
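The build-time analysis quoted above, as an added example that is not part of the article or of the CrowdStrike report: it reads the COFF TimeDateStamp out of a PE header, buckets it into the report's three China-time shifts, and flags the kind of inconsistency the report describes (a build time later than the date the sample was first seen). The minimal PE header and the dates are constructed for the demonstration, and "China time" is assumed to be UTC+8.

```python
import struct
from datetime import datetime, timedelta, timezone

# "China time" as used in the report: assumed UTC+8 (China has a single zone, no DST).
CHINA_TZ = timezone(timedelta(hours=8))

# The possible three-shift working pattern the report considers, in China-time hours.
SHIFTS = {"morning": (9, 12), "afternoon": (14, 17), "evening": (20, 23)}

def utc(year, month, day, hour=0, minute=0):
    """Small helper to build aware UTC datetimes."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def pe_build_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp of a PE image and return it as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, pe_off + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def shift_of(build_utc: datetime):
    """Name the China-time shift a build time falls into, or None if outside all three."""
    hour = build_utc.astimezone(CHINA_TZ).hour
    for name, (start, end) in SHIFTS.items():
        if start <= hour < end:
            return name
    return None

def timestamp_suspicious(build_utc: datetime, first_seen_utc: datetime) -> bool:
    """A build time later than the sample's first-seen date cannot be genuine: likely manipulated."""
    return build_utc > first_seen_utc

def make_sample(stamp: int) -> bytes:
    """Construct a minimal, non-executable PE header carrying the given TimeDateStamp (test data)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0)  # i386, 1 section, stamp, rest zero
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    # Constructed sample mirroring the report's case: built 18 July 2013, first seen 9 January 2013.
    built = utc(2013, 7, 18, 2, 30)                            # 10:30 China time -> "morning" shift
    sample = make_sample(int(built.timestamp()))
    print(pe_build_time(sample), shift_of(built), timestamp_suspicious(built, utc(2013, 1, 9)))
```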

The report attributes cyber attacks against dozens of public and private sector organizations to a group of Chinese state-sponsored hackers, called Putter Panda because they often targeted golf-playing conference attendees.

The hackers focus their exploits on popular applications, including Adobe Reader and Microsoft Office, to deliver custom malware through spear phishing attacks.

"There are several pieces of evidence to indicate that the activity tracked by CrowdStrike as Putter Panda is attributable to a set of actors based in China, operating on behalf of the Chinese People's Liberation Army (PLA). Specifically, an actor known as cpyy (Chen Ping) appears to have been involved in a number of historical Putter Panda campaigns, during which time he was likely working in Shanghai within the 12th Bureau, 3rd General Staff Department (GSD)," states the report.

According to revelations by an NSA official, more than 20 cyber units belonging to the People's Liberation Army are involved in cyber espionage campaigns against foreign high-tech companies and research groups.

China and the US are exchanging reciprocal accusations of cyber espionage. A couple of weeks ago the Justice Department issued an indictment naming five PLA members as responsible for espionage against US companies, including Alcoa, Westinghouse Electric and the United States Steel Corporation. In response, the Chinese government denied the charges and announced retaliatory measures against US companies trading with Chinese businesses.

The hackers nevertheless made some curious errors; for example, they registered websites used for the attacks with the same email address they used to register social media accounts.

"Domains registered by Chen Ping were used to control Putter Panda malware. These domains were registered to an address corresponding to the physical location of the Shanghai headquarters of 12th Bureau, specifically Unit 61486. The report illuminates a wide set of tools in use by the actors, including several remote access tools (RATs). The RATs are used by the Putter Panda actors to conduct intelligence-gathering operations with a significant focus on the space technology sector."

[Figure: excerpt from the CrowdStrike Putter Panda report]

Putter Panda used several malicious codes, mainly RATs, for its operations; the most common of these are the 4H RAT and the 3PARA RAT, which have already been documented in previous CrowdStrike Intelligence reports.

What to expect for the future?

As explained by the experts at CrowdStrike, Putter Panda is likely to continue to target Western entities in search of highly valuable information and intellectual property.

Enjoy the report!

Pierluigi Paganini

(Security Affairs – Cyber espionage, Putter Panda)

