{
	"id": "b409fc54-b7ec-49c6-b16d-661f8c4cb503",
	"created_at": "2026-04-06T00:16:16.234098Z",
	"updated_at": "2026-04-10T03:37:21.604557Z",
	"deleted_at": null,
	"sha1_hash": "3da581445ed0023a04f62320e1de0f44e772528d",
	"title": "09/19/2019 - Emissary Panda APT: Recent infrastructure and RAT analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 481167,
	"plain_text": "09/19/2019 - Emissary Panda APT: Recent infrastructure and RAT analysis\r\nBy MELTX0R\r\nPublished: 2019-09-19 · Archived: 2026-04-05 22:30:08 UTC\r\nSummary\r\nEmissary Panda, a group that goes by many names (APT27, Iron Tiger, Bronze Union, TG-3390, and LuckyMouse), is a Chinese APT that is suspected of having been active for nearly a decade. The group is known to target the aerospace, government, defense, technology, energy, and manufacturing sectors. Not much activity has been publicly recorded on this group as of late, but research indicates they are not dormant.\r\nWhile performing research, I identified a suspect binary titled “odbcad32.exe”. What immediately piqued my interest was that this binary, while having the appearance of the legitimate “Open Database Connectivity Data Source Administrator utility” by Microsoft, was not signed with a Microsoft certificate. Instead, this binary was signed with a certificate belonging to “Hangzhou Bianfeng Networking Technology Co., Ltd.”. Open-source research on this company name indicates that it is a Chinese software company, and a subsidiary of the media organization “Zhejiang Daily Digital”, which is headquartered in Hangzhou, China. The legitimate odbcad32.exe ships in %SystemRoot%\\System32 (and SysWOW64) with a Microsoft signature; a copy sitting on a user's desktop and signed by any other publisher fails that check even though the signature itself validates, so “signed” alone is never the test - the signer is.\r\nhttps://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html\r\nPage 1 of 5\n\nShown above: Certificate used to sign malicious binary used by Emissary Panda APT\r\nAt this point, I decided to dig deeper into this binary and see why it was attempting to disguise itself as a legitimate Microsoft utility. 
Upon execution, the binary elevates privileges and drops two files: odbccx32.dll in the C:\\Windows\\system32\\ folder, and a randomly named batch file in the user’s local temp folder.\r\n@echo off\r\n:err\r\ndel \"c:\\Users\\[Username]\\Desktop\\odbcad32.exe\" \u003enul\r\nif exist \"c:\\Users\\[Username]\\Desktop\\odbcad32.exe\" goto err\r\n\u003enul\r\n@echo on\r\ndel \"c:\\Users\\[Username]\\AppData\\Local\\Temp\\[random].bat\"\r\nShown above: Content of the batch file (the :err loop retries the delete until the dropper is no longer locked, then the batch file deletes itself)\r\nNet.exe is then launched with the parameters stop \"Remote Registry Configuration\". Next, rundll32.exe loads the aforementioned “odbccx32.dll”, and then another net.exe is launched with the parameters start \"Remote Registry Configuration\". Once the malicious DLL is loaded via rundll32.exe, it establishes persistence via a new service. The stop/start pair brackets the installation, which suggests the new service carries the display name \"Remote Registry Configuration\", chosen to resemble the legitimate Windows \"Remote Registry\" service. Cmd.exe then executes the dropped batch file, which deletes the originally executed file as well as the batch file itself.\r\nFollowing this, svchost.exe is executed and loads the malicious odbccx32.dll. It then drops the file “autochk.sys” in the C:\\Windows\\system32\\drivers\\ folder, and reads the hosts file C:\\Windows\\system32\\drivers\\etc\\hosts (which maps IP addresses to host names).\r\nCommand \u0026 Control is then initiated to “yofeopxuuehixwmj.redhatupdater.com” over ports 53, 80, and 443. 
While this domain currently resolves to 80.85.153.176, no response was received from probing attempts, and no secondary payload was observed.\r\nShown above: Process graph\r\nThe TTPs (Tactics, Techniques, and Procedures) observed in this sample are consistent with those seen in past attacks conducted by the Emissary Panda APT group, specifically in relation to the ZxShell Remote Access Trojan (RAT) which they have been observed using.\r\nI then pivoted into VirusTotal’s relational graphing utility to see if I could gather additional information on this campaign’s infrastructure. This revealed four structurally similar binaries that I suspect of also being ZxShell RAT installers - one of which beaconed to the same Command \u0026 Control server as the original sample (yofeopxuuehixwmj.redhatupdater.com). The second and third binaries beaconed to language.wikaba.com and solution.instanthq.com - both of which have been documented as Command \u0026 Control servers for past Emissary Panda APT campaigns. I was unable to confirm the fourth binary, which beacons to awvsf7esh.dellrescue.com, as a ZxShell RAT installer; however, VirusTotal deems it structurally similar to previously confirmed installers. Please note that the domain “dellrescue.com” has been documented by Cylance as having been used in a campaign conducted by the PassCV APT group in 2016, although the subdomain utilized was different (sc.dellrescue.com).\r\nShown above: VirusTotal Graph\r\nAt this time, I was unable to obtain evidence of target attribution - however, in the past Emissary Panda APT has been observed targeting Asia-, Middle East-, US-, and UK-based organizations and infrastructure. 
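The execution chain described above (service stop/start, rundll32 loading odbccx32.dll, the odbccx32.dll and autochk.sys drops, and the C2 lookup) is what a detection would key on. The following Python is an added example, not code from the original post or from its author: it runs that logic over a constructed, Sysmon-style event list and reports hosts on which several stages of the chain co-occur. The field names, host names, the [export] placeholder in the rundll32 command line and the sample events are assumptions, not observed telemetry; the hash and domain values are taken from the post's indicator table.

```python
# Added detection example (not code from the original post): flags the ZxShell
# installer chain described above - net.exe stopping/starting a service named
# 'Remote Registry Configuration', rundll32 loading odbccx32.dll, odbccx32.dll
# and autochk.sys being written under system32, and a DNS query for a listed
# C2 domain - over a constructed, Sysmon-style event list.
from collections import defaultdict

# Indicator values are taken from the post's table; hashes compare lower-case.
IOC_MD5 = {
    '70cff7c176c7df265a808aa52daf6f34', '37fc73c754ef2706659a18837a90ddaa',
    'a9c2ff438c73e865624eeb0763235a14', '1b2d75f9c7717f377100924cdbdb10b1',
    '850df4a726a71f50d3cc7192c8cf7e6a', 'b7f958f93e2f297e717cffc2fe43f2e9',
}
IOC_DOMAINS = {
    'yofeopxuuehixwmj.redhatupdater.com', 'awvsf7esh.dellrescue.com',
    'language.wikaba.com', 'solution.instanthq.com',
}
# Service display name used by the installer; note how close it is to the
# legitimate Windows 'Remote Registry' service, which must NOT match on its own.
SERVICE_NAME = 'remote registry configuration'
DQ = chr(34)   # double-quote character, built with chr() so no escaping is needed

def norm(path):
    # Lower-case and use '/' as separator (chr(92) is the backslash) so paths
    # compare the same whichever separator the log source used.
    return path.replace(chr(92), '/').lower()

def behavioural_hits(events):
    # Single pass over process-create (1), file-create (11) and DNS (22)
    # events; returns the set of chain stages observed per host.
    seen = defaultdict(set)
    for e in events:
        h, eid = e['host'], e['event_id']
        if eid == 1:
            img, cmd = norm(e['image']), e['cmdline'].lower()
            if img.endswith('/net.exe') and SERVICE_NAME in cmd:
                seen[h].add('net_start' if ' start ' in cmd else 'net_stop')
            if img.endswith('/rundll32.exe') and 'odbccx32.dll' in cmd:
                seen[h].add('rundll32_odbccx32')
            if e.get('md5', '').lower() in IOC_MD5:
                seen[h].add('known_md5')
        elif eid == 11:
            tgt = norm(e['target'])
            if tgt.endswith('/system32/odbccx32.dll'):
                seen[h].add('odbccx32_drop')
            if tgt.endswith('/system32/drivers/autochk.sys'):
                seen[h].add('autochk_sys_drop')
        elif eid == 22 and e['query'].lower() in IOC_DOMAINS:
            seen[h].add('c2_dns')
    return dict(seen)

def verdicts(events, threshold=3):
    # Flag a host only when several distinct stages co-occur: a lone net.exe
    # call or a single DNS query is far too noisy to alert on by itself.
    return {h: sorted(s) for h, s in behavioural_hits(events).items()
            if len(s) >= threshold}

# Constructed sample events (not real telemetry). Host ws01 replays the chain
# from the post; ws02 only restarts the legitimate Remote Registry service.
# The '[export]' in the rundll32 command line is a placeholder: the post does
# not name the DLL's export.
SAMPLE_EVENTS = [
    {'host': 'ws01', 'event_id': 1, 'image': 'C:/Users/alice/Desktop/odbcad32.exe',
     'cmdline': 'odbcad32.exe', 'md5': '70cff7c176c7df265a808aa52daf6f34'},
    {'host': 'ws01', 'event_id': 11, 'target': 'C:/Windows/system32/odbccx32.dll'},
    {'host': 'ws01', 'event_id': 1, 'image': 'C:/Windows/System32/net.exe',
     'cmdline': 'net stop ' + DQ + 'Remote Registry Configuration' + DQ},
    {'host': 'ws01', 'event_id': 1, 'image': 'C:/Windows/System32/rundll32.exe',
     'cmdline': 'rundll32.exe C:/Windows/system32/odbccx32.dll,[export]'},
    {'host': 'ws01', 'event_id': 1, 'image': 'C:/Windows/System32/net.exe',
     'cmdline': 'net start ' + DQ + 'Remote Registry Configuration' + DQ},
    {'host': 'ws01', 'event_id': 11, 'target': 'C:/Windows/system32/drivers/autochk.sys'},
    {'host': 'ws01', 'event_id': 22, 'query': 'yofeopxuuehixwmj.redhatupdater.com'},
    {'host': 'ws02', 'event_id': 1, 'image': 'C:/Windows/System32/net.exe',
     'cmdline': 'net stop ' + DQ + 'Remote Registry' + DQ},
    {'host': 'ws02', 'event_id': 1, 'image': 'C:/Windows/System32/net.exe',
     'cmdline': 'net start ' + DQ + 'Remote Registry' + DQ},
    {'host': 'ws02', 'event_id': 22, 'query': 'update.microsoft.com'},
]

if __name__ == '__main__':
    for host, stages in verdicts(SAMPLE_EVENTS).items():
        print(host, stages)
```

Run directly, it prints ws01 with all seven stages and nothing for ws02, whose stop/start of the real Remote Registry service is deliberately left unflagged. The known_md5 stage is the weakest of the set, since installer hashes change between campaigns; the service-name, DLL-path and driver-drop stages are the ones worth keeping when the hashes go stale, and the threshold is the knob to tune against your own baseline.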
What struck me as most interesting from my analysis of this sample was how the Emissary Panda APT group was able to obtain a valid certificate to sign their Remote Access Trojan binary, which sparks the question - was this group able to compromise the China-based software company and steal their certificate(s), or are there possible insider threats lurking within? Regardless, it is an interesting sample and displays that Emissary Panda is still active.\r\nIndicators\r\nIndicator | Type | Description\r\n70cff7c176c7df265a808aa52daf6f34 | MD5 | odbcad32.exe - ZxShell RAT installer\r\n37fc73c754ef2706659a18837a90ddaa | MD5 | odbcad32.exe - ZxShell RAT installer\r\nA9C2FF438C73E865624EEB0763235A14 | MD5 | odbccx32.dll - ZxShell RAT service DLL\r\nyofeopxuuehixwmj.redhatupdater.com | Domain | ZxShell RAT Command \u0026 Control server\r\n1b2d75f9c7717f377100924cdbdb10b1 | MD5 | odbcad32.exe - unconfirmed ZxShell RAT installer\r\nawvsf7esh.dellrescue.com | Domain | Unconfirmed ZxShell RAT Command \u0026 Control server\r\n850df4a726a71f50d3cc7192c8cf7e6a | MD5 | odbcad32.exe - older ZxShell RAT installer from 2018\r\nb7f958f93e2f297e717cffc2fe43f2e9 | MD5 | odbcad32.exe - ZxShell RAT installer previously documented by Dell SecureWorks CTU\r\nlanguage.wikaba.com | Domain | ZxShell RAT Command \u0026 Control server previously documented by Dell SecureWorks CTU\r\nsolution.instanthq.com | Domain | ZxShell RAT Command \u0026 Control server previously documented by Dell SecureWorks CTU\r\nReferences/Further Reading\r\n1. https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox\r\n2. https://securelist.com/luckymouse-hits-national-data-center/86083/\r\n3. https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/\r\n4. https://thehackernews.com/2018/06/chinese-watering-hole-attack.html\r\n5. 
https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/\r\n6. https://attack.mitre.org/groups/G0027/\r\n7. https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html\r\n8. https://app.any.run/tasks/91aee60c-6982-461a-a006-e601c8879fb0/\r\nSource: https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html"
	],
	"report_names": [
		"emissary-panda-apt.html"
	],
	"threat_actors": [
		{
			"id": "27b56f48-7905-4da8-8d87-cea10adb1c6b",
			"created_at": "2022-10-25T16:07:24.044105Z",
			"updated_at": "2026-04-10T02:00:04.848898Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "ETDA:PassCV",
			"tools": [
				"Agentemis",
				"AngryRebel",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Excalibur",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kitkiot",
				"Moudour",
				"Mydoor",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"PCRat",
				"RbDoor",
				"Recam",
				"RibDoor",
				"Sabresac",
				"Sensocode",
				"Winnti",
				"ZXShell",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dda68b4f-a74a-42a0-b883-69c1dc1229a8",
			"created_at": "2023-01-06T13:46:38.528227Z",
			"updated_at": "2026-04-10T02:00:03.013713Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "MISPGALAXY:PassCV",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3da581445ed0023a04f62320e1de0f44e772528d.pdf",
		"text": "https://archive.orkl.eu/3da581445ed0023a04f62320e1de0f44e772528d.txt",
		"img": "https://archive.orkl.eu/3da581445ed0023a04f62320e1de0f44e772528d.jpg"
	}
}