{ "id": "5720633c-5e4d-49ae-922a-50934835be3b", "created_at": "2026-04-06T00:16:06.533131Z", "updated_at": "2026-04-10T13:12:04.713059Z", "deleted_at": null, "sha1_hash": "4a50222f670f781ca703820d626b3a3bc659eb97", "title": "Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 34307, "plain_text": "Newly discovered Chinese hacking group hacked 100+ websites to\r\nuse as “watering holes”\r\nBy Sean Gallagher\r\nPublished: 2015-08-05 · Archived: 2026-04-05 16:42:06 UTC\r\nLAS VEGAS—Today at the Black Hat information security conference, Dell SecureWorks researchers unveiled a\r\nreport on a newly detected hacking group that has targeted companies around the world while stealing massive\r\namounts of industrial data. The majority of the targets of the hacking group were in the automotive, electronic,\r\naerospace, energy, and pharmaceutical industries. The group, believed to be based in China, has also targeted\r\ndefense contractors, colleges and universities, law firms, and political organizations—including organizations\r\nrelated to Chinese minority ethnic groups.\r\nDesignated as Threat Group 3390 and nicknamed “Emissary Panda” by researchers, the hacking group has\r\ncompromised victims’ networks largely through “watering hole” attacks launched from over 100 compromised\r\nlegitimate websites, sites picked because they were known to be frequented by those targeted in the attack.\r\nAt least 50 organizations in those industries in the US and the United Kingdom had data stolen by members of\r\nEmissary Panda. Sites targeted included the website of the Embassy of the Russian Federation in the US (as well\r\nas those of other embassies and non-governmental organizations); government agency websites around the world;\r\nmanufacturing companies, many of whom were suppliers to defense contractors; and the Spanish defense\r\nmanufacturer Amper. A cultural site for the Chinese Uyghur ethnic group was also used, apparently to target\r\nmembers of the Muslim minority for surveillance.\r\nNo zero-day vulnerabilities were used to breach targeted networks, instead “the group relied on old vulnerabilities\r\nsuch as CVE-2011-3544”—a near-year-old Java security hole—“and CVE-2010-0738 to compromise their\r\ntargets,” Dell SecureWorks’ researchers reported. The group used a number of tools common to other Chinese\r\nhacking groups, but they had a few unique tools of their own with interfaces developed for Standard (Simplified)\r\nChinese. One of these is the PlugX remote access tool, “a notorious piece of malware linked to a number of\r\nattacks and to another Threat Group, which researchers believe is also likely based out of China,” according to\r\nDell SecureWorks researchers. It also appears the group used China’s Baidu search engine to perform\r\nreconnaissance on targets.\r\nSource: https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-wat\r\nering-holes/\r\nhttps://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "origins": [ "web" ], "references": [ "https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/" ], "report_names": [ "newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes" ], "threat_actors": [ { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434566, "ts_updated_at": 1775826724, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4a50222f670f781ca703820d626b3a3bc659eb97.pdf", "text": "https://archive.orkl.eu/4a50222f670f781ca703820d626b3a3bc659eb97.txt", "img": "https://archive.orkl.eu/4a50222f670f781ca703820d626b3a3bc659eb97.jpg" } }