ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Samurai Panda

Names: Samurai Panda (CrowdStrike)
Country: China
Sponsor: State-sponsored, PLA Navy
Motivation: Information theft and espionage
First seen: 2009
Description: (CrowdStrike) Samurai Panda is interesting in that their target selection tends to focus on Asia Pacific victims in Japan, the Republic of Korea, and other democratic Asian victims. Beginning in 2009, we’ve observed this actor conduct more than 40 unique campaigns that we’ve identified in the malware configurations’ campaign codes. These codes are often leveraged in the malware used by coordinated targeted attackers to differentiate victims that were successfully compromised from different target sets.

The implant delivered by Samurai Panda uses a typical installation process whereby they:
1. Leverage a spear-phish with an exploit to get control of the execution flow of the targeted application. This file “drops” an XOR-encoded payload that unpacks itself and a configuration file.
2. Next, the implant, which can perform in several different modes, typically will install itself as a service and then begin beaconing out to an adversary-controlled host.
3. If that command-and-control host is online, the malicious service will download and instantiate a backdoor that provides remote access to the attacker, who will see the infected host’s identification information as well as the campaign code.
Observed: Sectors: Defense, Government.
Countries: Hong Kong, Japan, South Korea, UK, USA.
Tools used: FormerFirstRAT, IsSpace, PlugX, Poldat, Sykipot.
Information: <https://www.crowdstrike.com/blog/whois-samurai-panda/>

Last change to this card: 14 April 2020
