{
	"id": "a7e8fac0-2ee7-4799-892e-146916c714b2",
	"created_at": "2026-04-06T00:22:33.587943Z",
	"updated_at": "2026-04-10T03:35:26.731782Z",
	"deleted_at": null,
	"sha1_hash": "4df4ed7b61bdb7ed535b5517d196053549355d85",
	"title": "CrowdStrike Discovers Use of 64-bit Exploit by Hurricane Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 217987,
	"plain_text": "CrowdStrike Discovers Use of 64-bit Exploit by Hurricane Panda\r\nBy CrowdStrike Content Team\r\nArchived: 2026-04-05 12:59:33 UTC\r\nEvery once in a while an adversary does something unique or interesting that really captures our attention. The majority of the remote access tools we come across generally run with limited privileges when instantiated on a compromised machine. Privileged access is not required if you are, for example, only going after files that are accessed by general users. However, adversaries who intend to perform more advanced actions that require administrative access, such as loading a kernel driver that acts as a rootkit or conducting password dumping, need to elevate their privileges on the victim machine in order to move around laterally across the network.\r\nAdversaries often use known privilege escalation vulnerabilities to gain administrator-level access, but true zero-day exploits are rare and therefore particularly interesting when observed in the wild. They demonstrate that an attacker has knowledge of non-public exploitable security bugs, which usually means that the exploit was either bought from a supplier or developed in-house. Either way, each time we observe zero-day exploits in the wild, they help us better understand an adversary’s capabilities.\r\nCrowdStrike Falcon® Host Endpoint Threat Detection \u0026 Response (ETDR) technology recently detected suspicious activity on a 64-bit Windows Server 2008 R2 machine that was attributed to a compromise by HURRICANE PANDA.\r\nHURRICANE PANDA is a highly advanced adversary believed to be of Chinese origin and known to be targeting infrastructure companies. They have been known to use three other local privilege escalation vulnerabilities in addition to the zero-day discussed here. Their RAT of choice has been PlugX, configured to use the DLL side-loading technique that has recently been popularized among Chinese adversaries. 
Perhaps their most outstanding technique has been the use of free DNS services provided by Hurricane Electric to return an attacker-controlled IP address for lookups of popular third-party domain names.\r\nHURRICANE PANDA is known to use the “ChinaChopper” webshell, a common initial foothold for many different actors. Once this webshell is uploaded, the actor will typically attempt to escalate privileges and then use a variety of password dumping utilities to obtain legitimate credentials for use in accessing their intelligence objectives. CrowdStrike has been battling HURRICANE PANDA on a daily basis since earlier this spring, when the adversary was first detected on a victim network and evicted from that network by the CrowdStrike Services Incident Response team. Since then, they have been trying to regain access on a daily basis. These attempts begin with compromising web servers and deploying Chopper webshells, then moving laterally and escalating privileges using the newly discovered Local Privilege Escalation tool. When these attempts occur, they are instantly detected by Falcon Host and the adversary is stopped in their tracks.\r\nThis oftentimes resulted in attackers humorously mistyping their commands as they feverishly worked to try to bury themselves into the network, knowing that they had precious little time to work with before being shut down. Several times the attacker called the wrong single-letter executable (“hsotname” instead of “hostname” and “romote” instead of “remote”) in a panic to achieve their objective before they were kicked out.\r\nhttps://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\r\nPage 1 of 5\n\n
One of many unique capabilities of Falcon Host is its lateral movement and credential theft activity detection, which provided us and the victims with instantaneous full visibility into all adversary activity and prevented the adversary from getting a foothold in the network.\r\nFalcon Host provides full visibility into the attack - Discovery of Local Privilege Escalation Vulnerability (CVE-2014-4113)\r\nThrough Falcon Host technology, we observed that the attackers were using a specific executable to invoke other programs with administrative privileges from the account of an unprivileged user. An example is shown below:\r\nFalcon Host detection screen showing the use of Win64.exe from a webshell to elevate privileges for the ‘net localgroup administrators admin /add’ command\r\nnet command now running as Local System\r\nSubsequent analysis of the Win64.exe binary revealed that it exploits a previously unknown vulnerability to elevate its privileges to those of the SYSTEM user and then create a new process with these access rights to run the command that was passed as an argument. The file itself is just 55 kilobytes in size and contains just a few functions. Here is a high-level description of its functionality:\r\n1. Create a memory section and store a pointer to a function that will be called from the kernel when the vulnerability is triggered\r\n2. Utilize a memory corruption vulnerability in the window manager, simulating user interaction to invoke a callback function\r\n3. Replace the access token pointer in the EPROCESS structure with the one from the SYSTEM process\r\n4. 
Execute the command from the first argument as a new process with SYSTEM privileges\r\nThe following output demonstrates how this tool can be used to start a command shell with administrative access rights.\r\nThe exploit code is extremely well and efficiently written, and it is 100 percent reliable. The adversary has gone through considerable effort to minimize the chance of its discovery: the win64.exe tool was only deployed when absolutely necessary during the intrusion operations, and it was deleted immediately after use. The build timestamp of the Win64.exe binary, May 3, 2014, suggests that the vulnerability was actively exploited in the wild for at least five months. One of the other interesting elements of the tool is an embedded string “woqunimalegebi”, which is a popular Chinese swearword that is also often deliberately misspelled when written in Chinese characters in order to evade online censors, and can be translated as \"Fertile Grass Mud Horse in the Mahler Gobi Desert\".\r\nBolivian Alpaca aka \"Grass Mud Horse\"\r\nAffected Windows Versions, Identification and Patches\r\nThis security bug affects all x64 Windows variants up to and including Windows 7 and Windows Server 2008 R2. On systems with Windows 8 and later variants with Intel Ivy Bridge or later generation processors, SMEP (Supervisor Mode Execution Prevention) will block attempts to exploit the bug and result in a blue screen. We reported this vulnerability to Microsoft, who assigned the common identifier CVE-2014-4113 to it. Today, Microsoft published security bulletin MS14-058 and issued a patch that fixes the vulnerability. 
The YARA signature below fires on samples that attempt to exploit this bug.\r\nrule CrowdStrike_CVE_2014_4113\r\n{\r\n    meta:\r\n        copyright = \"CrowdStrike, Inc\"\r\n        description = \"CVE-2014-4113 Microsoft Windows x64 Local Privilege Escalation Exploit\"\r\n        version = \"1.0\"\r\n        last_modified = \"2014-10-14\"\r\n        in_the_wild = true\r\n    strings:\r\n        $const1 = { fb ff ff ff }\r\n        $const2 = { 0b 00 00 00 01 00 00 00 }\r\n        $const3 = { 25 00 00 00 01 00 00 00 }\r\n        $const4 = { 8b 00 00 00 01 00 00 00 }\r\n    condition:\r\n        all of them\r\n}\r\nDetection for this attack is already available for all CrowdStrike Falcon Host and Falcon Managed Protect customers; no further action is needed. Analysis of the weapons and techniques of an adversary allows us to better understand the Tactics, Techniques, and Procedures used. With this understanding, we can leverage intelligence and next-generation security tools such as Falcon Host to stay one step ahead of the adversary. If you want to hear more about HURRICANE PANDA and their tradecraft or any of the other adversaries that CrowdStrike tracks, please contact sales@crowdstrike.com and inquire about Falcon Host, our next-generation endpoint technology, Falcon Intelligence, our Cyber Threat Intelligence service, or CrowdStrike Services, our incident-response and proactive response service offerings.\r\nSource: https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/"
	],
	"report_names": [
		"crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda"
	],
	"threat_actors": [
		{
			"id": "4636526b-b3f7-4e75-8ad9-fb7ef0261b76",
			"created_at": "2023-01-06T13:46:38.295889Z",
			"updated_at": "2026-04-10T02:00:02.91629Z",
			"deleted_at": null,
			"main_name": "HURRICANE PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:HURRICANE PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "722b693d-cfdc-489e-a540-78c7d52ac5a8",
			"created_at": "2022-10-25T16:07:23.713768Z",
			"updated_at": "2026-04-10T02:00:04.7232Z",
			"deleted_at": null,
			"main_name": "Hurricane Panda",
			"aliases": [
				"Operation Poisoned Hurricane"
			],
			"source_name": "ETDA:Hurricane Panda",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Mimikatz",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775792126,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4df4ed7b61bdb7ed535b5517d196053549355d85.pdf",
		"text": "https://archive.orkl.eu/4df4ed7b61bdb7ed535b5517d196053549355d85.txt",
		"img": "https://archive.orkl.eu/4df4ed7b61bdb7ed535b5517d196053549355d85.jpg"
	}
}