The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

PolySwarm 2022 Recap - Threat Actor Activity Highlights: China

Dec 27, 2022 11:35:41 AM / by PolySwarm Tech Team


Executive Summary

This Threat Bulletin is part of PolySwarm’s 2022 Recap series. This report provides highlights of activity perpetrated by China-based threat actors in 2022.

Key Takeaways

  • This report highlights activity perpetrated by China-based threat actors in 2022.
  • Threat actors featured in this report include Keyhole Panda, Stone Panda, Deep Panda, Twisted Panda, Vixen Panda, Pirate Panda, Aquatic Panda, Wicked Panda, Mustang Panda, Emissary Panda, Kryptonite Panda, Lotus Panda, TA410, Red Menshen, Scarab, Aoquin Dragon, and Lotus Blossom.
  • PolySwarm tracked malware associated with multiple China nexus threat actors in 2022.
2022 China Nexus Threat Actor Activity

This report provides highlights of Chinese threat actor activity in 2022, with a focus on espionage and sabotage rather than criminal activity. Due to the number of APT groups operating from within or on behalf of China, we have limited the scope of this report to cover activity perpetrated by some of the more well-known or recently identified groups.

Keyhole Panda

Keyhole Panda, also known as APT5 and Manganese, is a China nexus APT group known to target telecommunications and technology companies primarily in Southeast Asia.

  • In December 2022, Keyhole Panda was observed using a Citrix 0day (CVE-2022-27518) that allows an unauthenticated, remote threat actor to perform RCE on the affected device.
Stone Panda

Stone Panda, also known as APT10, Cicada, and Potassium, is a China nexus APT group active since at least 2009.

  • In early 2022, Stone Panda was observed conducting an espionage campaign targeting government organizations and NGOs worldwide. 
  • In mid-2022, Stone Panda targeted media and government organizations in Japan using Lodeinfo malware.
Deep Panda

Deep Panda, also known as APT19, Codoso, Black Vine, Shell Crew, and Pupa, is a China nexus APT group that targets financial, technology, and nonprofit entities.

  • In early 2022, Deep Panda used the Log4shell exploit to install digitally signed Fire Chili rootkits. The attacks seemed to be opportunistic rather than targeted, as the campaign hit multiple sectors in several countries with no clear pattern.
Twisted Panda

Twisted Panda is a China nexus APT group that may be a subset or affiliate of Stone Panda.

  • In early 2022, Twisted Panda targeted two Russian defense research institutes and another entity in Belarus.
Vixen Panda

Vixen Panda, also known as Mirage, Playful Dragon, Ke3Chang, and APT15, is a China nexus APT group. They have been known to target an entity in the UK government’s supply chain and other targets in the trade, financial, energy, and defense sectors. They are known to leverage Kerberos golden tickets.

  • In 2022, Vixen Panda was apparently still recovering from a late 2021 disruption of their infrastructure by the Microsoft Digital Crimes unit.
Pirate Panda

Pirate Panda, also known as KeyBoy, Tropic Trooper, and Red Orthrus, is a China nexus APT group known to target Taiwan, Hong Kong, and the Philippines. The group has been active since at least 2012 and has targeted government entities and heavy industries.

  • In mid-2022, Pirate Panda used a Nimbda loader and Yahoyah trojan in a campaign leveraging an SMS bomber.
Aquatic Panda

Aquatic Panda, also known as Earth Lusca, Chromium, Bronze University, and Fishmonger, is a China nexus threat actor group that targets academic, telecommunications, religious, and civil society entities. They have also been observed targeting cryptocurrency exchanges.

  • In 2022, Aquatic Panda was observed targeting high-value targets in both the public and private sectors, including government, education, religious, human rights, medical research, and media entities.
Wicked Panda

Wicked Panda, also known as Axiom, Winnti, Barium, APT41, Bronze Atlas, Earth Baku, and Amoeba, is a well-known and sophisticated Chinese state-sponsored APT group specializing in espionage and financially motivated activity. Active since at least 2009, Wicked Panda’s roots seem to have emerged in cybercrime and later evolved into the group’s current form. It is unknown whether the Chinese government recruited them into the military or intelligence services or if they operate as contractors.

  • In early 2022, Wicked Panda was observed targeting US state governments in a campaign that began as early as mid-2021. 
  • In early 2022, Wicked Panda was observed using ShadowPad RAT in a campaign that appeared to be linked to PLA theater commands. 
  • In late 2022, Wicked Panda was observed using Spyder Loader to target government entities in Hong Kong with the goal of data exfiltration for espionage purposes. 
  • In early 2022, Earth Longzhi, thought to be a subgroup of Wicked Panda, was observed targeting multiple entities in the defense, aviation, insurance, and urban development verticals with a custom Cobalt Strike loader. 
  • In mid-2022, Sparkling Goblin, thought to be a subset or spinoff group of Wicked Panda, was observed using a new Linux variant of the SideWalk backdoor in an attack on a Hong Kong university.
Mustang Panda

Mustang Panda, also known as Earth Preta, Bronze President, HoneyMyte, and Red Lich, is a China nexus threat actor group active since at least 2017. Mustang Panda is known to target think tanks and NGOs with a particular interest in issues related to Mongolia. Based on industry reporting, Mustang Panda appears to be one of the most active Chinese APT groups for 2022.

  • In early 2022, Mustang Panda was observed using Hodur malware, a Korplug variant, to target research entities, ISPs, and European diplomatic missions. Mustang Panda used phishing attacks with documents following a Russia-Ukraine conflict theme as bait. The objective of this campaign was likely espionage. 
  • In early 2022, Mustang Panda targeted Russian officials in the city of Blagoveshchensk. The phishing emails used in the campaign claimed to be from the EU and contained malicious Windows executables.
  • In June 2022, Mustang Panda has observed targeting entities in Myanmar with a spearphishing campaign using politically related lures. The malware used in the campaign included PlugX, Toneins, Toneshell, and Pubload.
  • In late 2022, Mustang Panda has observed targeting entities in Europe and the APAC region, including Myanmar. The goal of this campaign appears to be espionage focusing on countries that may be allied with the West.
Emissary Panda

Emissary Panda, also known as APT27, GreedyTaotie, Red Phoenix, Iron Tiger, Lucky Mouse, and Bronze Union, is a China nexus APT group that focuses on espionage campaigns targeting foreign embassies. They attempt to obtain data on the defense, technology, and government verticals.

  • In mid-2022, Emissary Panda conducted a campaign targeting the chat application MiMi. In this campaign, they targeted Windows, Mac, and Linux users.
Kryptonite Panda

Kryptonite Panda, also known as APT40, Leviathan, Bronze Mohawk, Gadolinium, and Mudcarp, is a China nexus threat actor group targeting government and defense entities. The group has been active since at least 2014, targeting maritime industries, naval defense contractors, and related entities in the US and Western Europe.

  • Kryptonite Panda engaged in an espionage campaign, apparently seeking information about the South China Sea. The campaign targeted government entities and other organizations in Australia, Malaysia, and Europe. Kryptonite Panda used the ScanBox framework in this campaign.
Lotus Panda

Lotus Panda, known as Naikon, Override Panda, APT30, Spring Dragon, ST Group, Dragonfish, Bronze Elgin, Lotus Blossom, and Red Salamander, is a China nexus APT group known to target government and military entities in Southeast Asia. Their activity has been traced to PLA Unit 78020.

  • In early 2022, Lotus Panda resurfaced after a long period of no reported activity. In their most recent campaign, Lotus Panda targeted government organizations and other entities involved in foreign affairs, science, and technology across Southeast Asia. The campaign objective was long-term espionage and cyber intelligence operations.

TA410 is a Chinese threat actor group active since at least 2018. TA410 is thought to be loosely associated with APT10. They were previously observed targeting the US utility sector with a phishing campaign, as well as diplomatic organizations in the Middle East. They use the FlowCloud malware family. Industry researchers believe TA410 comprises three subgroups: FlowingFrog, LookingFrog, and JollyFrog.

  • Earlier this year, TA410 subgroup LookingFrog, also known as Witchetty, was observed targeting government entities in two Middle Eastern countries and the stock exchange of an African country. The threat actors leveraged Stegmap, a backdoor that uses steganography to hide malicious code within a bitmap image.
Red Menshen

Red Menshen, also known as Red Dev 18, is a China nexus threat actor group known to target telecommunications, government, education, and logistics entities. Most of their targets have been in the Middle East and Asia. They are known to use BPFDoor.

  • Earlier this year, Red Menshen was observed using BPFDoor to target telecommunications providers. BPFDoor is a surveillance tool that targets Linux based systems. Although the malware has been in the wild for at least five years, it is still difficult to detect.

Scarab is a China nexus threat actor group active as early as 2012. The group has targeted a small number of entities in the US, Russia, and Ukraine. They are known to use the Scieron back door.

  • In early 2022, Scarab has observed targeting entities in Ukraine. This is reportedly the first known activity involving Chinese threat actors targeting Ukraine since the beginning of the Russia-Ukraine conflict. In this campaign, Scarab used HeaderTip malware, a successor to the Scieron back door.
Aoquin Dragon

Aoquin Dragon is a recently identified China nexus APT group that has been active for about 10 years. They primarily target government, education, and telecommunications entities in Australia and Southeast Asia.

  • Industry researchers traced Aoquin Dragon’s activity back as far as 2013 and stated the group is still actively targeting entities in Southeast Asia and Australia. Aoquin Dragon used Mongall backdoor and a modified version of Heyoka in these campaigns.
Lotus Blossom

Lotus Blossom, also known as Billbug, is a China nexus threat actor group active since at least 2009. They are known to use the Hannotog and Sagerunex back doors.

  • In early 2022, Lotus Blossom was observed targeting a certificate authority and government and defense entities.
Tracking China Nexus Threat Actor Activity With PolySwarm

PolySwarm tracked malware associated with the following China nexus threat actors, both APT and criminal, in 2022:
  • Wicked Panda
  • Sparkling Goblin
  • Gelsemium
  • Gallium
  • DEV-0410
  • IronHusky
  • TA413
  • Antlion
  • Red Menshen
  • Earth Aughisky

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at for more information and IOCs of related samples in our data set.| Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, China, 2022 Recap, Asia, APAC

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts