{
	"id": "510eb008-09e5-4764-97cd-781f244725bf",
	"created_at": "2026-04-06T00:13:40.115479Z",
	"updated_at": "2026-04-10T03:35:17.254172Z",
	"deleted_at": null,
	"sha1_hash": "350bf38137d4b0b690be4c289fe98acde70a284d",
	"title": "Unveiling LIMINAL PANDA - Threats to Telecom Sector | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70423,
	"plain_text": "Unveiling LIMINAL PANDA - Threats to Telecom Sector |\r\nCrowdStrike\r\nBy Counter Adversary Operations\r\nArchived: 2026-04-05 18:26:25 UTC\r\nOn Tuesday, November 19, 2024, Adam Meyers, CrowdStrike Senior Vice President of Counter Adversary\r\nOperations, will testify in front of the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law on\r\nChinese cyber threats to critical infrastructure. Within his testimony, Adam will speak publicly for the first time\r\nabout a China-nexus state-sponsored actor that CrowdStrike Counter Adversary Operations tracks as LIMINAL\r\nPANDA.\r\nSince at least 2020, LIMINAL PANDA has targeted telecommunications entities using custom tools that enable\r\ncovert access, command and control (C2) and data exfiltration. The adversary demonstrates extensive knowledge\r\nof telecommunications networks, including understanding interconnections between providers. LIMINAL\r\nPANDA has used compromised telecom servers to initiate intrusions into further providers in other geographic\r\nregions. \r\nThe adversary conducts elements of their intrusion activity using protocols that support mobile\r\ntelecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2,\r\nand developing tooling to retrieve mobile subscriber information, call metadata and text messages (SMS). \r\nLIMINAL PANDA highly likely engages in targeted intrusion activity to support intelligence collection. 
This\r\nassessment is made with high confidence based on the adversary's identified target profile, likely mission\r\nobjectives and observed tactics, techniques and procedures (TTPs) — all of which suggest long-term clandestine\r\naccess requirements.\r\nThis blog provides an overview of CrowdStrike’s history of tracking LIMINAL PANDA, details the adversary’s\r\nkey traits, targets and tactics, and recommends guidance for organizations to defend against this threat.\r\nTracking and Identifying LIMINAL PANDA\r\nIn 2021, CrowdStrike attributed multiple telecommunications sector intrusions to the LightBasin activity cluster,\r\nwhich has consistently targeted telecom entities since at least 2016 using various custom tools. An extensive\r\nreview of this intrusion activity has determined some of the events documented in a previous blog post are\r\nattributable to a separate adversary now tracked as LIMINAL PANDA. This association resulted because multiple\r\nthreat actors were conducting malicious activity on a highly contested compromised network.\r\nCrowdStrike has updated the blog post to reflect activity now tracked as LIMINAL PANDA and provide\r\nadditional details and TTPs, including the adversary’s use of publicly available proxy tools during their intrusions.\r\nThis new attribution does not impact the technical analysis regarding LightBasin’s malware and TTPs described in\r\nthe original analysis.\r\nhttps://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/\r\nPage 1 of 4\n\nCrowdStrike continues to track all other LightBasin activity and associated malware families under the established\r\nactivity cluster name. Intelligence reporting, including updates to the LightBasin operational profile, has been\r\nreleased to CrowdStrike Falcon® Adversary Intelligence Premium subscribers. 
These updates provide accurate\r\ndetails on the actor’s target scope, TTPs and current malware attribution assessments.\r\nLIMINAL PANDA Tools, Tactics and Behaviors\r\nThe LIMINAL PANDA adversary targets telecom providers with various tools that enable covert access, C2 and\r\ndata exfiltration. In 2020 and 2021, LIMINAL PANDA likely targeted multiple telecommunications providers,\r\nusing access to these entities to compromise organizations.\r\nThe adversary demonstrates extensive knowledge of telecom networks, including understanding interconnections\r\nbetween providers and the protocols that support mobile telecommunications. LIMINAL PANDA emulates global\r\nsystem for mobile communications (GSM) protocols to enable C2 and develops tooling to retrieve mobile\r\nsubscriber information, call metadata and text messages.\r\nLIMINAL PANDA employs a combination of custom malware, publicly available tools and proxy software to\r\nroute C2 communications through different network segments. Table 1 lists the malware and tools associated with\r\neach actor.\r\nLIMINAL PANDA: PingPong, CordScan, SIGTRANslator, TinyShell (publicly available tool), Fast Reverse Proxy (publicly available tool), Microsocks Proxy (publicly available tool), ProxyChains (publicly available tool)\r\nLightBasin: SLAPSTICK, BlindingDart, DaleRAT, UnimeRAT, DungeonKeeper, SilentKeeper, ToxicShot, StealthProxy, BridgeTroll, cdr_xf, sun4me, win4me, STEELCORGI, LOGBLEACH\r\n\r\nLIMINAL PANDA conducts intrusion activity that poses a significant potential threat to telecommunications\r\nentities. The adversary targets these organizations to directly collect network telemetry and subscriber information\r\nor to breach other telecommunications entities by exploiting the industry’s interoperational connection\r\nrequirements. 
LIMINAL PANDA’s likely operational motivations — indicated by their development and\r\ndeployment of tooling specific to telecommunications technology — closely align with signals intelligence\r\n(SIGINT) collection operations for intelligence gathering, as opposed to establishing access for financial gain.\r\nLIMINAL PANDA has previously focused on telecommunications providers in southern Asia and Africa,\r\nsuggesting that their final targets likely reside in these regions; however, individuals roaming in these areas may\r\nalso be targeted depending on the compromised network’s configuration and LIMINAL PANDA’s current access.\r\nEqually, depending on their current collection requirements, the adversary could employ similar TTPs to target\r\ntelecoms in other regions.\r\nCrowdStrike Intelligence assesses LIMINAL PANDA’s activity aligns with China-nexus cyber operations. This\r\nassessment is made with low confidence based on the following factors, which do not strongly indicate attribution\r\non their own due to their non-exclusive nature:\r\nTargeting organizations operating in countries associated with China’s Belt and Road Initiative (BRI), a\r\nnational-level strategy seeking to establish economic opportunities aligned with Beijing’s prioritized\r\ninterests outlined in China’s 13th and 14th Five-Year Plans.\r\nUsing a Pinyin string (wuxianpinggu507) for SIGTRANslator’s XOR key and the password for some of\r\nLIMINAL PANDA’s remote proxy services. This Pinyin text translates to \"wireless evaluation 507\" or\r\n\"unlimited evaluation 507.\" \"Wireless evaluation\" is likely the correct translation, given that the malware is\r\nused to target telecommunications systems. This term is also similar to the domain wuxiapingg[.]ga, which\r\nwas previously hosted on a LIMINAL PANDA-associated IP address. 
Several other domain names that\r\noverlap with LIMINAL PANDA’s infrastructure also used Pinyin representations of Mandarin terms,\r\nfurther suggesting actors associated with the group’s infrastructure likely speak Chinese.\r\nUsing the domain name wuxiapingg[.]ga as delivery infrastructure and C2 for Cobalt Strike, a\r\ncommercially available remote access tool (RAT) that China-nexus actors frequently use.\r\nUsing Fast Reverse Proxy and the publicly available TinyShell backdoor, both of which have also been\r\nused by multiple Chinese adversaries, including SUNRISE PANDA and HORDE PANDA.\r\nUsing VPS infrastructure supplied by Vultr, a provider commonly — albeit not exclusively — used by\r\nChina-nexus adversaries and actors.\r\nRecommendations\r\nLIMINAL PANDA’s known intrusion activity has typically abused trust relationships between\r\ntelecommunications providers and gaps in security policies, allowing the adversary to access core infrastructure\r\nfrom external hosts.\r\nThese recommendations can be implemented to help protect against the activity described in this blog:\r\nDeploy an advanced, real-time endpoint protection and response (EDR) solution, such as CrowdStrike\r\nFalcon®, across the network environment, including on servers considered inaccessible from the public\r\ninternet.\r\nImplement complex password strategies — avoiding default or generic options — for SSH authentication\r\nor employ more secure methods such as SSH key authentication, particularly on servers that accept\r\nconnections from external organizations (e.g., eDNS servers).\r\nMinimize the number of publicly accessible services operating on servers that accept connections from\r\nexternal organizations to those required for organizational interoperation.\r\nEnforce internal network access control policies for servers according to role and requirement (e.g.,\r\nminimize opportunities for 
access from eDNS servers to other management devices and network\r\ninfrastructure unless necessary for administration purposes); in these cases, access should be constrained\r\nby secure authentication mechanisms.\r\nLog SSH connections between internal servers and monitor them for anomalous activity.\r\nVerify iptables rules implemented on servers, checking for the presence of abnormal entries that enable\r\ninbound access from unknown external IP addresses.\r\nEmploy file integrity checking mechanisms on critical system service binaries such as iptables to\r\nidentify if they are unexpectedly modified or replaced.\r\nCrowdStrike Intelligence Confidence Assessment\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High confidence in\r\nthe quality and quantity of source information supporting a judgment does not imply that the assessment is an\r\nabsolute certainty or fact. The judgment still has a marginal probability of being inaccurate.\r\nModerate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of\r\nsufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is\r\nused to express that judgments carry an increased probability of being incorrect until more information is\r\navailable or corroborated.\r\nLow Confidence: Judgments are made where the credibility of the source is uncertain, the information is too\r\nfragmented or poorly corroborated to support solid analytic inferences, or the reliability of the source is\r\nuntested. 
Further information is needed for corroboration of the information or to fill known intelligence gaps.\r\nAdditional Resources\r\nRead about the adversaries tracked by CrowdStrike Counter Adversary Operations in the CrowdStrike\r\n2024 Threat Hunting Report.\r\nTune into the Adversary Universe podcast, where CrowdStrike experts discuss today's threat actors — who\r\nthey are, what they’re after and how you can defend against them.\r\nKnow the adversaries that may be targeting your region or business sector — explore the CrowdStrike\r\nAdversary Universe.\r\nLearn how CrowdStrike's threat intelligence and threat hunting solutions are transforming security\r\noperations to better protect your business.\r\nSource: https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/"
	],
	"report_names": [
		"liminal-panda-telecom-sector-threats"
	],
	"threat_actors": [
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c0b06c51-f463-47dc-9b15-1ffa317dbf2c",
			"created_at": "2025-03-04T02:00:02.983311Z",
			"updated_at": "2026-04-10T02:00:03.793603Z",
			"deleted_at": null,
			"main_name": "LIMINAL PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:LIMINAL PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434420,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/350bf38137d4b0b690be4c289fe98acde70a284d.pdf",
		"text": "https://archive.orkl.eu/350bf38137d4b0b690be4c289fe98acde70a284d.txt",
		"img": "https://archive.orkl.eu/350bf38137d4b0b690be4c289fe98acde70a284d.jpg"
	}
}