{
	"id": "9560fd9d-b689-4837-ba50-60506820c271",
	"created_at": "2026-04-06T00:14:44.883996Z",
	"updated_at": "2026-04-10T13:11:50.898187Z",
	"deleted_at": null,
	"sha1_hash": "1a6cccdc1ee9943968dcc5b6ee5dafd3d2d5dd74",
	"title": "Dynamite Panda APT Group - Brandefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 538697,
	"plain_text": "Dynamite Panda APT Group - Brandefense\r\nPublished: 2022-08-08 · Archived: 2026-04-05 19:46:08 UTC\r\nThreat Group ID:\r\nCountry:\r\nSponsor: State-sponsored, PLA Navy\r\nFirst Seen: 2009\r\nMotivation: Information theft \u0026 Espionage\r\nMethods: Flash 0-days, Malware, Phishing Email\r\nThe threat group APT18, operating since 2009, is referenced by various security vendors under the following names:\r\nAPT18 (Mandiant)\r\nWekby (Palo Alto)\r\nDynamite Panda (CrowdStrike)\r\nScandium (Microsoft)\r\nAlthough this is not certain, we assess that APT18 may be related to the Night Dragon and/or Covert Grove groups.\r\nVision, Mission, and Motivation\r\nThe Chinese state-sponsored threat actor APT18 is supported by the People’s Liberation Army Navy (PLA Navy) and has been active globally since 2009.\r\nAPT18 targets the healthcare, telecommunications, defense and high-technology sectors as well as human rights groups, and is known to conduct information theft and espionage against these targets.\r\nTargeted Countries\r\nAPT18 has focused its activities on the United States (USA).\r\nhttps://brandefense.io/blog/apt-groups/dynamite-panda-apt-group/\r\nPage 1 of 10\r\nFigure 1: Dynamite Panda (APT18) APT Group Targeted Countries\r\nTargeted Industries\r\nAPT18 ran a campaign against Community Health Systems that resulted in a data breach. Turning to medical espionage, APT18 seized patient data while targeting intelligence on medical device development.\r\nAPT18 has also run campaigns against the telecommunications, defense and high-tech industries serving the United States.\r\nIn these campaigns, APT18 used the Flash 0-day exploit and the HTTPBrowser malware developed by the technology company HackingTeam.\r\nOperations\r\n2014\r\nCommunity Health Systems Data Breach\r\nAPT18 managed to steal information from vulnerable health systems, including patient information, medical device information and intellectual property that could be used to reach high international standards in various industries, to China’s benefit. Among the information obtained from the health systems, it was announced that the identity information of 4.5 million patients and details of medical device production had been seized by the attackers.\r\n2015-16\r\nPhishing Campaign against Organizations in the United States\r\nAPT18 carried out attacks against many US-based organizations in which the Flash 0-day exploit, HTTPBrowser and Pisloader malware were distributed via phishing emails and URLs.\r\nFigure 2: An example of an APT18 phishing email using the CVE-2015-5119 vulnerability\r\nMitre ATT\u0026CK Threat Matrix\r\nThe table below lists the tactics, techniques and procedures identified in attacks by the APT18 threat group.\r\nTactic ID | Tactic Name | Technique ID | Technique Name\r\nTA0001 | Initial Access | T1133 | External Remote Services\r\nTA0001 | Initial Access | T1566 | Phishing\r\nTA0002 | Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell\r\nTA0002 | Execution | T1053.002 | Scheduled Task/Job: At\r\nTA0003 | Persistence | T1547 | Boot or Logon Autostart Execution\r\nTA0003 | Persistence | T1078 | Valid Accounts\r\nTA0005 | Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion\r\nTA0005 | Defense Evasion | T1027 | Obfuscated Files or Information\r\nTA0007 | Discovery | T1083 | File and Directory Discovery\r\nTA0007 | Discovery | T1082 | System Information Discovery\r\nTA0011 | Command and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nTA0011 | Command and Control | T1071.004 | Application Layer Protocol: DNS\r\nTA0011 | Command and Control | T1105 | Ingress Tool Transfer\r\nExternal Remote Services\r\nWhen its malware campaigns fail, APT18 falls back on phished credentials. APT18 uses these credentials against resources that provide remote network access, such as Open Terminal Service / RDP, Web / SSL VPN, and Citrix/Moka5/VNC.\r\nPhishing\r\nIn some of its campaigns, APT18 used phishing emails containing malicious URL links with the theme \"Flash Update\".\r\nCommand and Scripting Interpreter: Windows Command Shell\r\nAPT18 uses the Windows Command Shell (cmd.exe) to execute commands on the target machine. For example:\r\ncmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v lsm /t reg_sz /d \"%appdata%\\lsm.exe\" /f\r\nScheduled Task/Job: At\r\nThe threat actor used scheduled tasks created with at.exe to move laterally within the target infrastructure. In an example scenario, two files are created for the job at approximately the same time:\r\nC:\\Windows\\System32\\Tasks\\At1\r\nC:\\Windows\\Tasks\\At1.job\r\nThe first file is the task’s XML definition and can be opened and viewed in a text editor; the second file is binary.\r\nBoot or Logon Autostart Execution\r\nAPT18 uses the following registry key to ensure persistence on the target system:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nWhen the first-stage malware (dropper) runs, the name of the executable file that will provide persistence is written to this registry key.\r\nFigure 3: Run registry key record used for persistence\r\nValid Accounts\r\nAPT18 uses compromised account information to access services that provide remote network access. The threat actors usually obtain this account information through phishing attacks or from data leaked in breaches of other systems.\r\nIndicator Removal on Host: File Deletion\r\nThe tools and scripts run by APT18’s scheduled tasks are deleted from the target system afterwards. However, even when the used files are deleted, traces of their activity remain on the target system, which reduces the threat actor’s chances of staying hidden.\r\nObfuscated Files or Information\r\nAPT18 hid the additional payload contained in the Pisloader malware used in its campaigns with a return-oriented programming (ROP) technique. This involves garbage assembly instructions that do not affect program flow, combined with PUSH/RET instruction pairs that transfer control to the location of the malicious code that will run.\r\nFigure 4: Code fragment using ROP technique to hide payload\r\nFile and Directory Discovery\r\nThe Pisloader malware used by APT18 supports a command called list, which lists file information for specific directories. For example, listing the contents of the C:\\ directory produces output like the one below.\r\n[+] Sending Command: list C:\\ | Encoded: CNRUXG5BAIM5FY\r\n[+] Raw Data Received: QKTUMGAGLAGB6CIUTFMN4WG3DFFZBGS3T4GIYDCNJPGAZS6MRW\r\n[+] Raw Data Received: EKNPMGAGL0EAYTIORUGA5DKN34GB6DEMS6\r\n[+] Raw Data Received: RKMAMGAGLAGF6GC5LUN5SXQZLDFZRGC5D4GIYDAOJPGA3C6MJQ\r\n[+] Raw Data Received: NMSIMGAGL0EAZDCORUGI5DEMD4GI2HYMZSLY\r\n[+] Raw Data Received: OHRWMGAGLAGB6EE33POR6DEMBRGUXTAMZPGI3CAMJWHIZDIORQ\r\n[+] Raw Data Received: DPDUMGAGL0GJ6DA7BSGJPA\r\n[+] Raw Data Received: WIKGMGAGLAGF6GE33PORWWO4T4GIYDCNBPGA3C6MRYEAYDAORS\r\n*Truncated*\r\n[+] Decoded Data Received: 0|$Recycle.Bin|2015/03/26 14:40:57|0|22^1|autoexec.bat|2009/06/10 21:42:20|24|32^0|Boot|2015/03/26 16:24:02|0|22^1|bootmgr|2014/06/28 00:21:34|391640|39^1|BOOTSECT.BAK|2015/03/26 16:35:39|8192|39^1|config.sys|2009/06/10 21:42:20|10|32^0|Documents and Settings|2009/07/14 04:53:55|0|9238^1|Example.log|2016/02/09 20:17:55|0|32^1|pagefile.sys|2016/04/25 14:09:20|1660411904|38^0|PerfLogs|2009/07/14 02:37:05|0|16^0|Program Files|2016/02/29 15:59:43|0|17^0|ProgramData|2016/02/02 17:28:04|0|8210^0|Python27|2016/02/25 16:39:37|0|16^0|Recovery|2015/03/26 14:39:57|0|8214^0|System Volume Information|2016/02/29 16:00:19|0|22^0|Users|2015/03/26 14:39:58|0|17^0|Windows|2016/02/12 10:20:21|0|16^^end^\r\nSystem Information Discovery\r\nThe Pisloader malware used by APT18 supports a command called sifo, which collects system information from the target machine. For example:\r\n[+] Sending Command: sifo | Encoded: CONUWM3Y\r\n[+] Raw Data Received: FUBWMGAGIANQ6TCNZSFYYTMLRRFYYTKMZGMM6VOSKOFVGEUTCW\r\n[+] Raw Data Received: PGHRMGAGIBGJHEWSKPJNICAW2KN5ZWQICHOJ2W46TXMVUWOXJG\r\n[+] Raw Data Received: MMAZMGAGI0N46TMLBRFQZTE\r\n[+] Decoded Data Received: l=172.16.1.153\u0026c=WIN-LJLV2NKIOKP [Josh Grunzweig]\u0026o=6,1,32\r\nApplication Layer Protocol: Web Protocols \u0026 DNS\r\nAPT18 can use the HTTP and DNS protocols to communicate with C2 servers and to exfiltrate the captured information from the target system. Using DNS for C2 allows the Pisloader malware to bypass certain security products that do not properly inspect this traffic.\r\nFigure 5: DNS query for TXT record by malware\r\nDNS TXT records are used to exchange the commands to be executed on the target system between the malware and the C2.\r\nFigure 6: An example TXT response sent by C2\r\nIngress Tool Transfer\r\nThe Pisloader malware used by APT18 supports a command called upload. With this command the threat actor can install additional files on the target machine.\r\nFigure 7: Attack Lifecycle\r\nConclusion \u0026 Recommendations\r\nThis report has covered the toolkits, malware, tactics, techniques and procedures, targeted countries and targeted sectors of the Chinese state-backed threat actor APT18. By checking whether you are among APT18’s potential targets against the information in this report, you can scope the kinds of activity to look for, from initial access to actions taken on compromised systems.\r\n- Network intrusion prevention systems, which use network signatures to identify traffic from specific malware, can help reduce malware activity at the network level.\r\n- Filter DNS requests to unknown, untrusted or known-bad domains and resources. Monitoring DNS requests can also detect attempts to hide data within DNS packets.\r\n- Consider blocking code execution on systems through application control and/or script blocking.\r\n- Disable or block any remotely accessible services that are not needed.\r\n- Restrict access to remote services through VPNs and other remote access systems.\r\n- Consider using strong two-factor or multi-factor authentication to reduce the threat actor’s ability to use stolen credentials.\r\n- Prevent direct remote access to internal systems using proxies, gateways and firewalls.\r\n- Monitor the commands and arguments executed for actions that can be used to unlink, rename or delete files.\r\nSource: https://brandefense.io/blog/apt-groups/dynamite-panda-apt-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://brandefense.io/blog/apt-groups/dynamite-panda-apt-group/"
	],
	"report_names": [
		"dynamite-panda-apt-group"
	],
	"threat_actors": [
		{
			"id": "ea844ee6-eb12-42c0-8426-11395fe81e6f",
			"created_at": "2022-10-25T15:50:23.300796Z",
			"updated_at": "2026-04-10T02:00:05.32389Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"Night Dragon"
			],
			"source_name": "MITRE:Night Dragon",
			"tools": [
				"at",
				"gsecdump",
				"zwShell",
				"PsExec",
				"ASPXSpy",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09a8f8fe-e907-47b4-8709-a97717dde3cc",
			"created_at": "2022-10-25T16:07:23.90252Z",
			"updated_at": "2026-04-10T02:00:04.783553Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "ETDA:Night Dragon",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Cain \u0026 Abel",
				"gsecdump",
				"zwShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "020794ec-7315-47de-818c-2032c362fd15",
			"created_at": "2023-01-06T13:46:38.306576Z",
			"updated_at": "2026-04-10T02:00:02.920647Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "MISPGALAXY:Night Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac8fb39-1ad4-407c-bf51-249751a575ba",
			"created_at": "2023-01-06T13:46:38.337728Z",
			"updated_at": "2026-04-10T02:00:02.933527Z",
			"deleted_at": null,
			"main_name": "SAMURAI PANDA",
			"aliases": [
				"PLA Navy",
				"Wisp Team"
			],
			"source_name": "MISPGALAXY:SAMURAI PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a6cccdc1ee9943968dcc5b6ee5dafd3d2d5dd74.pdf",
		"text": "https://archive.orkl.eu/1a6cccdc1ee9943968dcc5b6ee5dafd3d2d5dd74.txt",
		"img": "https://archive.orkl.eu/1a6cccdc1ee9943968dcc5b6ee5dafd3d2d5dd74.jpg"
	}
}