{
	"id": "a5b0fedb-b3a3-4a3b-95c6-ebad7f7535a4",
	"created_at": "2026-04-06T00:17:08.495118Z",
	"updated_at": "2026-04-10T03:35:55.944753Z",
	"deleted_at": null,
	"sha1_hash": "34f5ef6bd7002510efde5ca70cfff470115003cf",
	"title": "SharpPanda APT Expands Arsenal Against G20 Nations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 939108,
	"plain_text": "SharpPanda APT Expands Arsenal Against G20 Nations\r\nPublished: 2023-06-01 · Archived: 2026-04-05 15:18:33 UTC\r\nCyble analyzes SharpPanda, a sophisticated APT group that uses spear-phishing to attack government officials of G20 nations.\r\nThreat Actors Utilize Undetected Loaders for Stealthy Attacks\r\nSharpPanda, an APT group attributed to China, has been conducting cyber-attack operations since at least 2018. The group obtains initial access through spear-phishing, combining older Microsoft Office document vulnerabilities, novel evasion techniques, and a capable backdoor. That backdoor lets the Threat Actors (TAs) exfiltrate system information, files, and other sensitive data from the targeted victim’s machine.\r\nCyble Research and Intelligence Labs (CRIL) recently observed an ongoing campaign by SharpPanda APT. Previously, this group has been observed targeting government officials, particularly in Southeast Asian countries. This latest campaign specifically targets high-level government officials from G20 nations.\r\nThe G20, or Group of Twenty, is an international forum comprising 19 countries and the European Union (EU). Established in 1999, its primary objective is to foster global economic cooperation and address key challenges impacting the worldwide economy.\r\nMember countries of the G20 include Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Mexico, Russia, Saudi Arabia, South Africa, South Korea, Turkey, the United Kingdom, and the United States. Together, these nations represent a diverse range of economies, constituting a significant share of global GDP and population. 
The G20 holds annual summits where leaders convene to discuss and coordinate security, economic, and financial policies.\r\nhttps://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/\r\nPage 1 of 8\n\nIn its latest campaign, the SharpPanda APT group uses a forged G7-themed document to target governments within the G20 forum.\r\nThe delivery mechanism of the SharpPanda APT attack via a spam email is illustrated in the figure below.\r\nFigure 1 – Infection chain\r\nTechnical Details\r\nInitial Infection\r\nThe infection starts with a spam email carrying an MS Office document named “[FINAL] Hiroshima Action Statement for Resilient Global Food Security_trackchanged.docx.” These emails, with the subject line “[Sending Finalized Text] G7+Partners FASS Meeting,” are distributed to multiple employees within government entities across G20 countries, as shown in the figure below.\r\nFigure 2 – Spam email containing malicious doc attachment\r\nThe emails contain weaponized versions of seemingly genuine official documents, which use the remote template injection technique to retrieve the next stage of the malware from the TA’s Command-and-Control (C\u0026C) server. Remote template injection keeps the exploit out of the attachment itself: the .docx carries only a template reference, and the malicious content arrives when Word fetches that template. The attached document in the spam email is shown below.\r\nFigure 3 – Opened document attachment from spam email\r\nWhen the document is opened, Word follows the external template relationship in the document’s XML and downloads the next stage from the attacker’s remote server (hxxp[:]//13[.]236[.]189[.]80:8000/res/translate[.]res). The response is an RTF file that serves as the next-level payload.\r\nFigure 4 – Payload URL present inside the XML file of the malicious document\r\nThe RTF file is weaponized using a tool called RoyalRoad. 
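Before the RTF stage is reached, the lure .docx itself can be checked for the template reference shown in Figure 4. The Python script below is an added example, not code from the Cyble write-up or from the group’s tooling: it opens a .docx as the ZIP package it is, scans every relationship part for an attachedTemplate relationship, and reports targets that point outside the package (TargetMode External or a URL scheme). The three sample documents are constructed in memory by the script; the host c2.example is a placeholder standing in for the reported server, and the package contents are the bare minimum the check needs, not a complete Word file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
ATTACHED_TEMPLATE = ('http://schemas.openxmlformats.org/officeDocument/2006/'
                     'relationships/attachedTemplate')
SETTINGS_RELS = 'word/_rels/settings.xml.rels'
REMOTE_SCHEMES = ('http://', 'https://', 'file:')


def external_templates(docx_bytes):
    '''Return targets of attachedTemplate relationships that leave the
    package. Word stores the reference in word/_rels/settings.xml.rels,
    but every .rels part is scanned so a relocated relationship is not
    missed. A benign document has no such relationship or a local
    .dotx/.dotm target; a remote-template lure has a URL target with
    TargetMode=External.'''
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith('.rels'):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(PKG_RELS_NS + 'Relationship'):
                if rel.get('Type') != ATTACHED_TEMPLATE:
                    continue
                target = rel.get('Target', '')
                if rel.get('TargetMode') == 'External' or target.lower().startswith(REMOTE_SCHEMES):
                    hits.append(target)
    return hits


def make_docx(template_target=None, external=False):
    '''Build a minimal .docx in memory (constructed sample, not a real
    attachment). Word needs more parts than this; the relationship
    file is all the check above reads.'''
    root = ET.Element(PKG_RELS_NS + 'Relationships')
    if template_target is not None:
        attrs = {'Id': 'rId1', 'Type': ATTACHED_TEMPLATE, 'Target': template_target}
        if external:
            attrs['TargetMode'] = 'External'
        ET.SubElement(root, PKG_RELS_NS + 'Relationship', attrs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr('[Content_Types].xml', '<Types/>')
        pkg.writestr('word/document.xml', '<document/>')
        pkg.writestr('word/settings.xml', '<settings/>')
        pkg.writestr(SETTINGS_RELS, ET.tostring(root, encoding='unicode'))
    return buf.getvalue()


# Constructed samples: the lure mirrors the structure behind Figure 4 with
# a placeholder host instead of the reported IP; the other two are benign.
LURE = make_docx('http://c2.example:8000/res/translate.res', external=True)
LOCAL_TEMPLATE = make_docx('Normal.dotm')
NO_TEMPLATE = make_docx()

if __name__ == '__main__':
    for label, doc in (('lure', LURE), ('local', LOCAL_TEMPLATE), ('none', NO_TEMPLATE)):
        print(label, external_templates(doc) or 'clean')
```

Only the attachedTemplate relationship type is matched here because that is the mechanism the report describes; the same loop can be widened to other relationship types (for example oleObject or frame relationships) that are also abused to pull content from outside the package.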
RoyalRoad lets the TAs build customized RTF documents containing embedded objects that exploit vulnerabilities in Microsoft Word’s Equation Editor. It leverages a specific set of vulnerabilities, including CVE-2018-0802, CVE-2018-0798, and CVE-2017-11882, within the Equation Editor of Microsoft Office. All three are old, patched flaws in a component Microsoft removed from Office in January 2018, so the exploit only fires on installations that still ship EQNEDT32.EXE; the TAs compensate on the detection side by integrating anti-analysis and anti-debugging techniques into their loaders.\r\nThe RTF file includes both an encrypted payload and shellcode. When the RTF is opened and the exploit fires, the shellcode decrypts and drops the embedded payload, a DLL saved as “c6gt.b” in the %temp% directory.\r\nThe shellcode then establishes persistence by creating a scheduled task that runs the export function “StartA” of “c6gt.b” via rundll32.exe once a day.\r\nThe figure below illustrates the embedded content within the RTF document.\r\nFigure 5 – Embedded payload in RTF file\r\nOnce persistence is established, the shellcode launches the dropped DLL with the following “rundll32.exe” command:\r\nrundll32.exe C:\\Users\u003cAdmin\u003e\\AppData\\Local\\Temp\\c6gt.b StartA\r\nDLL Downloader (“c6gt.b”)\r\nThe DLL’s original name is “Downloader.dll.” It contains four export functions, as depicted below.\r\nFigure 6 – Export functions of the DLL loader\r\nWhen the loader is executed through rundll32.exe, it collects various data from the victim’s computer. 
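The persistence and execution chain above (exploit shellcode drops c6gt.b into %temp%, registers a daily scheduled task, and runs the DLL through rundll32.exe with the StartA export) leaves a process tree that endpoint telemetry can catch. The Python below is an added example, not part of the Cyble report: it runs two rules over a constructed set of process-creation events (Sysmon event 1 / Windows 4688 style, trimmed to the fields used): rundll32.exe loading a module from a user Temp directory or with a non-.dll extension, and any child process of the Equation Editor (EQNEDT32.EXE), which is where the exploit shellcode runs. The events, PIDs, parent chain and the benign entries are assumptions built for the sample; only the rundll32 command line mirrors the one quoted in the report.

```python
import ntpath

# Constructed process-creation events (Sysmon event 1 / Security 4688
# style, trimmed). The rundll32 command line mirrors the one quoted in
# the report; PIDs, parents and the benign events are assumptions.
TEMP_DLL = ntpath.sep.join(['C:', 'Users', 'Admin', 'AppData', 'Local', 'Temp', 'c6gt.b'])
EQNEDT = 'C:/Program Files (x86)/Common Files/Microsoft Shared/EQUATION/EQNEDT32.EXE'
SAMPLE_EVENTS = [
    {'pid': 4120, 'parent_image': 'C:/Windows/explorer.exe',
     'image': 'C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE',
     'command_line': 'WINWORD.EXE /n statement.docx'},
    {'pid': 4388, 'parent_image': 'C:/Windows/System32/svchost.exe',
     'image': EQNEDT, 'command_line': 'EQNEDT32.EXE -Embedding'},
    {'pid': 4402, 'parent_image': EQNEDT,
     'image': 'C:/Windows/System32/rundll32.exe',
     'command_line': 'rundll32.exe ' + TEMP_DLL + ' StartA'},
    {'pid': 5010, 'parent_image': 'C:/Windows/System32/svchost.exe',
     'image': 'C:/Windows/System32/rundll32.exe',
     'command_line': 'rundll32.exe C:/Windows/System32/shell32.dll,Control_RunDLL'},
]


def norm(path):
    '''Lower-case and use one separator so the rules match telemetry
    that carries backslashes as well as the forward-slash form used in
    most of the sample above.'''
    return path.replace(ntpath.sep, '/').lower()


def parse_rundll32(command_line):
    '''Return (module, export) from a rundll32 command line, accepting
    both the space form (module Export) and the comma form
    (module,Export). Returns (None, None) when no module argument is
    present. Quoted module paths containing spaces need a real Windows
    argv parser; the reported command line has none.'''
    parts = command_line.split(None, 2)
    if len(parts) < 2:
        return None, None
    module = parts[1]
    export = parts[2].strip() if len(parts) > 2 else ''
    if ',' in module:
        module, export = module.split(',', 1)
    return module, export or None


def rule_rundll32_module(event):
    '''rundll32 loading a module that is not a .dll or lives in %temp%.'''
    if norm(ntpath.basename(event['image'])) != 'rundll32.exe':
        return []
    module, _export = parse_rundll32(event['command_line'])
    if module is None:
        return []
    m = norm(module)
    findings = []
    if not m.endswith('.dll'):
        findings.append('rundll32_non_dll_module')
    if '/appdata/local/temp/' in m or m.startswith('%temp%'):
        findings.append('rundll32_module_in_temp')
    return findings


def rule_eqnedt32_child(event):
    '''The Equation Editor has no business spawning anything.'''
    if norm(ntpath.basename(event['parent_image'])) == 'eqnedt32.exe':
        return ['eqnedt32_child_process']
    return []


def run_rules(events):
    '''Map pid -> names of the rules that fired for that process.'''
    alerts = {}
    for ev in events:
        hits = rule_rundll32_module(ev) + rule_eqnedt32_child(ev)
        if hits:
            alerts[ev['pid']] = hits
    return alerts


if __name__ == '__main__':
    for pid, hits in run_rules(SAMPLE_EVENTS).items():
        print(pid, ', '.join(hits))
```

On the sample only the rundll32 process launched from EQNEDT32.EXE trips the rules; the control-panel rundll32 invocation with a system DLL stays quiet. The scheduled task itself is best caught separately, from Security event 4698 or the Microsoft-Windows-TaskScheduler operational log, by looking at task actions whose command is rundll32.exe.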
The collected data includes the hostname, operating system name and version, username, Internet information, and whether any anti-virus software is installed on the machine.\r\nThe loader then encrypts the collected information with RC4 using the key “xkYgv127”, base64-encodes the result, and exfiltrates it in the query string of the following C\u0026C URL:\r\nhxxps://13[.]236[.]189[.]80:8001/G0AnyWhere_up[.]jsp?Data=[redacted]\r\nBecause the RC4 key is hard-coded in the loader, this encryption is obfuscation rather than confidentiality: anyone holding the sample can decrypt captured beacons, which lets incident responders reconstruct exactly what was sent.\r\nThe figure below illustrates the exfiltrated data sent to the C\u0026C server, as well as the decrypted/decoded stolen information obtained from the victim’s machine.\r\nFigure 7 – Exfiltrated data to C\u0026C server\r\nFinal Payload\r\nOnce the victim’s information reaches the remote server, the TA reviews it. If the victim’s machine is deemed interesting, the C\u0026C server responds with the next-stage executable. In this final phase of the infection chain, the loader is designed to download a backdoor module. During our analysis, however, no response was received from the remote server, so the backdoor for this campaign could not be retrieved.\r\nIn previous SharpPanda APT campaigns, the loader likewise establishes a connection with a C\u0026C server in the final stage of the attack. 
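Because the loader’s RC4 key (xkYgv127) and encoding are fixed, a responder who has the beacon from a proxy log can recover the plaintext. The Python below is an added example, not code from the report: it implements RC4, pulls the Data parameter out of a captured request URL, and, to stay self-contained, also builds a constructed beacon to decode. The key and the G0AnyWhere_up.jsp path come from the report; the host c2.example, the sample field values and the pipe-separated plaintext layout are assumptions, since the report does not give the exact field format.

```python
import base64
from urllib.parse import quote, unquote, urlsplit

RC4_KEY = b'xkYgv127'  # key reported for the c6gt.b loader
C2_URL = 'https://c2.example:8001/G0AnyWhere_up.jsp'  # placeholder host, reported path


def rc4(key, data):
    '''Plain RC4: key schedule, then keystream XOR. Symmetric, so the
    same call encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_beacon(fields):
    '''Constructed sender side: join fields, RC4, base64, URL-encode into
    the Data parameter. The field layout is an assumption.'''
    plain = '|'.join(fields).encode('utf-8')
    token = base64.b64encode(rc4(RC4_KEY, plain)).decode('ascii')
    return C2_URL + '?Data=' + quote(token, safe='')


def decode_beacon(url):
    '''Recover the plaintext from a captured beacon URL. The query is
    split by hand and unquote() (not unquote_plus) is used so a literal
    + in unescaped base64 survives; missing padding is restored.'''
    query = urlsplit(url).query
    for part in query.split('&'):
        if part.startswith('Data='):
            token = unquote(part[len('Data='):])
            token += '=' * (-len(token) % 4)
            return rc4(RC4_KEY, base64.b64decode(token)).decode('utf-8', 'replace')
    raise ValueError('no Data parameter in URL')


# Constructed sample beacon (not captured traffic).
SAMPLE_FIELDS = ['DESKTOP-EXAMPLE', 'Windows 10 Pro', '10.0.19045', 'analyst', 'Windows Defender']
SAMPLE_URL = build_beacon(SAMPLE_FIELDS)

if __name__ == '__main__':
    print(SAMPLE_URL)
    print(decode_beacon(SAMPLE_URL))
```

Run against real proxy or packet-capture lines, feed each request URL to decode_beacon; if the output is garbage the sample in hand may use a different key, which is the first thing to re-check in the loader.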
In those campaigns the loader then downloads and executes a backdoor with extensive capabilities, including the ability to:\r\nCapture screenshots of the victim’s system\r\nObtain information about processes and services running on the machine\r\nCreate or terminate processes\r\nDelete/Create/Rename/Read/Write files and retrieve file attributes\r\nRetrieve TCP/UDP tables\r\nRetrieve information about registry keys\r\nObtain titles of all top-level windows\r\nTrigger a shutdown of the targeted computer\r\nGather computer-specific information such as computer name, username, gateway address, network adapter details, Windows version, and user type\r\nConclusion\r\nThe SharpPanda APT group is comprised of sophisticated TAs who run targeted, long-running attacks against specific targets, including governments, organizations, and industries, with the objectives of espionage, disruption, or monetary gain. SharpPanda has been associated with multiple cyber espionage campaigns, employing spear-phishing, social engineering, and the exploitation of zero-day vulnerabilities to gain illicit access to networks.\r\nPreviously, this group has been observed targeting government officials, particularly in Southeast Asian countries. However, as this recent campaign shows, its focus has extended to high-level government officials from G20 countries in Europe, North America, and South Asia. 
The APT group consistently adapts its techniques and incorporates new tools into its arsenal as it evolves.\r\nCRIL actively monitors the latest APT attacks, phishing attempts, and circulating malware strains, and regularly publishes blog posts offering insights and practical guidance to safeguard users against these attacks.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:\r\nAvoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices. In particular, apply the Office updates that patch and remove the Equation Editor (EQNEDT32.EXE); the RoyalRoad exploits used here do not work without it.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing/untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor the beacon on the network level to block data exfiltration by malware or TAs.\r\nAlert on rundll32.exe loading a module from a user Temp directory, especially one without a .dll extension, and on newly created scheduled tasks whose action runs rundll32.exe; both are visible in this infection chain.\r\nEnable Data Loss Prevention (DLP) Solutions on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nInitial Access  T1566.001  Spearphishing Attachment\r\nExecution  T1204  User Execution\r\nExecution  T1203  Exploitation for Client Execution\r\nPersistence  T1053.005  Scheduled Task\r\nDefense Evasion  T1497  Virtualization/Sandbox Evasion\r\nDefense Evasion  T1027  Obfuscated Files or Information\r\nDiscovery  T1082  System Information Discovery\r\nDiscovery  T1518  Security Software Discovery\r\nDiscovery  T1016  System Network Configuration Discovery\r\nCollection  T1005  Data from Local System\r\nCommand and Control  T1571  Non-Standard Port (formerly T1065, Uncommonly Used Port)\r\nCommand and Control  T1071  Application Layer Protocol\r\nCommand and Control  T1105  Ingress Tool Transfer\r\nIndicators of Compromise\r\nIndicator  Type  Description\r\nf39442edc4a96ce729e50f66901263e1  MD5  Spam email\r\n734b1cd163937e9509ea616f5f7ff8870f7be8e5  SHA1  Spam email\r\n1fb22c38c781495018deda70af49bda17269203547620c140ee9eee68cecc016  SHA256  Spam email\r\nea889308acb4249af92807cc7d70f084  MD5  Document attachment\r\n92c8f9ea9b6555e1b9c42cd7302f7caf62eb83e6  SHA1  Document attachment\r\n57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b  SHA256  Document attachment\r\n92d994be99ea43c121ac4f4ddfacbf75  MD5  RTF document\r\nf14afd2856dab6183150f6e269f5bb6f4a2e3f50  SHA1  RTF document\r\n180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69  SHA256  RTF document\r\n09bf850be5da44a1c3629a1f62813a83  MD5  DLL loader\r\na4e89d1f060e4dfd5f0fd4e7ba8be96967b39ac7  SHA1  DLL loader\r\n21f173a347ed111ce67e4c0f2c0bd4ee34bb7ca765da03635ca5c0df394cd7e6  SHA256  DLL loader\r\nhxxp[:]//13[.]236[.]189[.]80:8000/res/translate[.]res  URL  RTF payload download\r\nhxxps://13[.]236[.]189[.]80:8001/G0AnyWhere_up[.]jsp  URL  Loader check-in and data exfiltration\r\n13[.]236[.]189[.]80:8000  IP:Port  C\u0026C\r\nSource: https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/"
	],
	"report_names": [
		"sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations"
	],
	"threat_actors": [
		{
			"id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd",
			"created_at": "2022-10-25T16:07:24.178007Z",
			"updated_at": "2026-04-10T02:00:04.89066Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon",
				"SharpPanda"
			],
			"source_name": "ETDA:SharpPanda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"RoyalRoad",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6",
			"created_at": "2023-11-08T02:00:07.107758Z",
			"updated_at": "2026-04-10T02:00:03.415268Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon"
			],
			"source_name": "MISPGALAXY:SharpPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434628,
	"ts_updated_at": 1775792155,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34f5ef6bd7002510efde5ca70cfff470115003cf.pdf",
		"text": "https://archive.orkl.eu/34f5ef6bd7002510efde5ca70cfff470115003cf.txt",
		"img": "https://archive.orkl.eu/34f5ef6bd7002510efde5ca70cfff470115003cf.jpg"
	}
}