The Panda Emissary APT specialized in defence aerospace projects

The Panda Emissary group extensively uses long-running strategic web compromises and relies on whitelists to syphon defence aerospace projects from victims.

An alleged Chinese APT group dubbed Panda Emissary (also known as TG-3390) is targeting high-profile governments and organisations searching for defense aerospace projects.

Researchers at Dell discovered that the Panda Emissary group used Watering hole attacks as the attack vector, the APT group it likes to compromise websites popular with a target organisation’s personnel.

“The group extensively uses long-running [watering holes], and relies on whitelists to deliver payloads to select victims,” Dell’s counter-threat unit wrote in a report.”

The group exploits old vulnerabilities which aren’t yet patched by victims, researchers at Dell observed that the group mainly exploited Java flaws, including CVE-2011-3544 and CVE-2010-0738.

According to the experts, the Panda Emissary group has already compromised more than 100 websites. It is interesting to note that watering holes used by the hackers include a whitelist to run surgical attacks by ensuring that only staff from a target organisation are infected remaining under the radar for a long time.

Another peculiarity of the Panda Emissary group is the use of custom Microsoft Exchange backdoors and credential logger. The Panda Emissary used custom tools OwaAuth web shell and ASPXTool, and also popular criminal hacking tools PlugX RAT, HttpBrowser, and China Chopper.

“After the initial compromise, TG-3390 delivers the HttpBrowser backdoor to its victims. The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment.” “The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal.”

“The group extensively uses long-running strategic web compromises (SWCs), and relies on whitelists to deliver payloads to select victims. In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.”

The Panda Emissary group targeted large manufacturing companies supplying defense organizations, energy firms, embassies in Washington, DC representing countries in the Middle East, Europe, and Asia, NGOs particularly focused on international relations and defense and of course government organizations.


“CTU researchers have discovered numerous details about TG-3390 operations, including how the adversaries explore a network, move laterally, and exfiltrate data. As shown in Figure 11, after compromising an initial victim’s system (patient 0), the threat actors use the Baidu search engine to search for the victim’s organization name. They then identify the Exchange server and attempt to install the OwaAuth web shell. If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells. Within six hours of entering the environment, the threat actors compromised multiple systems and stole credentials for the entire domain.”

The hackers belonging to the Panda Emissary group only syphon data related to specific U.S. defense projects, the report doesn’t s provide further information on the motivation behind the attacks. It is not clear if the hacking crew is state-sponsored team or a hacking-for-hire group.

“CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base, an interest in U.S. military capability, or both,” states Dell. “The adversary’s end goal is to exfiltrate, not infiltrate. After gaining access to a target network in one intrusion analysed by CTU researchers, TG-3390 actors identified and exfiltrated data for specific projects run by the target organisation.”

It also has access to a criminal development team focused on building hacking tools and is proficient at hiding malware and does not bother with reconnaissance, instead of waiting to gain a foothold in target organisations.

Researchers from Dell speculate on the Chinese origin of the hacking team, they observed local working hours and the use of native language tools, but they cannot exclude that this information could be the result of a false-flag operation.

Enjoy the report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Panda Emissary, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Internet Explorer and Twilio Authy bugs…

4 hours ago

China-linked APT group uses new Macma macOS backdoor version

China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland) Evasive Panda has been spotted using an…

14 hours ago

FrostyGoop ICS malware targets Ukraine

In April 2024, Dragos researchers spotted the malware FrostyGoop that interacts with Industrial Control Systems…

1 day ago

Hackers abused swap files in e-skimming attacks on Magento sites

Threat actors abused swap files in compromised Magento websites to hide credit card skimmer and…

1 day ago

US Gov sanctioned key members of the Cyber Army of Russia Reborn hacktivists group

The US government sanctioned two Russian hacktivists for their cyberattacks targeting critical infrastructure, including breaches…

2 days ago

EvilVideo, a Telegram Android zero-day allowed sending malicious APKs disguised as videos

EvilVideo is a zero-day in the Telegram App for Android that allowed attackers to send…

2 days ago

This website uses cookies.