{
	"id": "0043efa4-bfe6-4406-8c5e-df1b98b33361",
	"created_at": "2026-04-06T00:14:14.174948Z",
	"updated_at": "2026-04-10T03:32:06.696764Z",
	"deleted_at": null,
	"sha1_hash": "064952001496a4f058fcc789c7da803125fe26eb",
	"title": "Samurai Panda - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51489,
	"plain_text": "Samurai Panda - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-02 11:27:06 UTC\nHome \u003e List all groups \u003e Samurai Panda\n APT group: Samurai Panda\nNames Samurai Panda (CrowdStrike)\nCountry China\nSponsor State-sponsored, PLA Navy\nMotivation Information theft and espionage\nFirst seen 2009\nDescription\n(CrowdStrike) Samurai Panda is interesting in that their target selection tends to focus on Asia\nPacific victims in Japan, the Republic of Korea, and other democratic Asian victims.\nBeginning in 2009, we’ve observed this actor conduct more than 40 unique campaigns that\nwe’ve identified in the malware configurations’ campaign codes. These codes are often\nleveraged in the malware used by coordinated targeted attackers to differentiate victims that\nwere successfully compromised from different target sets.\nThe implant delivered by Samurai Panda uses a typical installation process whereby they:\n1. Leverage a spear-phish with an exploit to get control of the execution flow of the targeted\napplication. This file “drops” an XOR-encoded payload that unpacks itself and a configuration\nfile.\n2. Next, the implant, which can perform in several different modes, typically will install itself\nas a service and then begin beaconing out to an adversary-controlled host.\n3. 
If that command-and-control host is online, the malicious service will download and\ninstantiate a backdoor that provides remote access to the attacker, who will see the infected\nhost’s identification information as well as the campaign code.\nObserved\nSectors: Defense, Government.\nCountries: Hong Kong, Japan, South Korea, UK, USA.\nTools used FormerFirstRAT, IsSpace, PlugX, Poldat, Sykipot.\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=32e28369-30a3-4675-8e0a-04c91c1def98\nPage 1 of 2\n\nLast change to this card: 14 April 2020\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=32e28369-30a3-4675-8e0a-04c91c1def98\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=32e28369-30a3-4675-8e0a-04c91c1def98\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=32e28369-30a3-4675-8e0a-04c91c1def98"
	],
	"report_names": [
		"showcard.cgi?u=32e28369-30a3-4675-8e0a-04c91c1def98"
	],
	"threat_actors": [
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fda88fa-7c1f-4e84-b3c8-56f73f21aaf5",
			"created_at": "2022-10-25T16:07:24.147011Z",
			"updated_at": "2026-04-10T02:00:04.881289Z",
			"deleted_at": null,
			"main_name": "Samurai Panda",
			"aliases": [],
			"source_name": "ETDA:Samurai Panda",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Getkys",
				"IsSpace",
				"KABOB",
				"Kaba",
				"Korplug",
				"NfLog RAT",
				"PlugX",
				"Poldat",
				"RedDelta",
				"Sogu",
				"Sykipot",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Wkysol",
				"Xamtrav",
				"Zlib",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4",
				"DarkSeoul",
				"Maverick Panda",
				"Salmon Typhoon",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ac8fb39-1ad4-407c-bf51-249751a575ba",
			"created_at": "2023-01-06T13:46:38.337728Z",
			"updated_at": "2026-04-10T02:00:02.933527Z",
			"deleted_at": null,
			"main_name": "SAMURAI PANDA",
			"aliases": [
				"PLA Navy",
				"Wisp Team"
			],
			"source_name": "MISPGALAXY:SAMURAI PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoon",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti",
				"DragonOK",
				"Samurai Panda",
				"Shallow Taurus",
				"Temp.DragonOK"
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775791926,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/064952001496a4f058fcc789c7da803125fe26eb.pdf",
		"text": "https://archive.orkl.eu/064952001496a4f058fcc789c7da803125fe26eb.txt",
		"img": "https://archive.orkl.eu/064952001496a4f058fcc789c7da803125fe26eb.jpg"
	}
}