ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > APT 5, Keyhole Panda

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: APT 5, Keyhole Panda

NamesAPT 5 (FireEye)
Keyhole Panda (CrowdStrike)
TEMP.Bottle (iSight)
Bronze Fleetwood (SecureWorks)
TG-2754 (SecureWorks)
Poisoned Flight (Kaspersky)
Manganese (Microsoft)
Mulberry Typhoon (Microsoft)
CountryChina China
MotivationInformation theft and espionage
First seen2007
Description(FireEye) We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia.

APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications.

APT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided.

In one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies.

There is some overlap with PittyTiger, Pitty Panda.
ObservedSectors: Defense, High-Tech, Industrial, Technology, Telecommunications.
Countries: Southeast Asia.
Tools usedLEOUNCIA.
Operations performedAug 2019A group of Chinese state-sponsored hackers is targeting enterprise VPN servers from Fortinet and Pulse Secure after details about security flaws in both products became public knowledge last month.

Last change to this card: 26 April 2023

Download this actor card in PDF or JSON format

Previous: APT 4, Maverick Panda, Wisp Team
Next: APT 6

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]