{ "id": "7fb23af2-4420-4a33-814e-f398d5fd97b3", "created_at": "2026-04-06T00:18:40.644648Z", "updated_at": "2026-04-10T03:35:26.739548Z", "deleted_at": null, "sha1_hash": "63b6a6e828d03d064490e7d52ef53405f30642ef", "title": "Hurricane Panda - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49907, "plain_text": "Hurricane Panda - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 13:24:41 UTC\r\nHome \u003e List all groups \u003e Hurricane Panda\r\n APT group: Hurricane Panda\r\nNames Hurricane Panda (CrowdStrike)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\n(CrowdStrike) We have investigated their intrusions since 2013 and have been\r\nbattling them nonstop over the last year at several large telecommunications and\r\ntechnology companies. The determination of this China-based adversary is truly\r\nimpressive: they are like a dog with a bone.\r\nHurricane Panda’s preferred initial vector of compromise and persistence is a China\r\nChopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an\r\n‘eval()’ command, which is then used to provide full command execution and file\r\nupload/download capabilities to the attackers. This script is typically uploaded to a\r\nweb server via a SQL injection or WebDAV vulnerability, which is often trivial to\r\nuncover in a company with a large external web presence.\r\nOnce inside, the adversary immediately moves on to execution of a credential theft\r\ntool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have\r\ncaught an administrator who might be logged into that web server at the time, they\r\nwill have gained domain administrator credentials and can now roam your network\r\nat will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.\r\nObserved Sectors: Technology, Telecommunications.\r\nTools used China Chopper, Mimikatz.\r\nOperations performed Mar 2014\r\nOperation “Poisoned Hurricane”\r\n\u003chttps://www.fireeye.com/blog/threat-research/2014/08/operation-poisoned-hurricane.html\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=14545b70-34d1-4034-a41e-5533fa30be7f\r\nPage 1 of 2\n\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=14545b70-34d1-4034-a41e-5533fa30be7f\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=14545b70-34d1-4034-a41e-5533fa30be7f\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=14545b70-34d1-4034-a41e-5533fa30be7f" ], "report_names": [ "showcard.cgi?u=14545b70-34d1-4034-a41e-5533fa30be7f" ], "threat_actors": [ { "id": "4636526b-b3f7-4e75-8ad9-fb7ef0261b76", "created_at": "2023-01-06T13:46:38.295889Z", "updated_at": "2026-04-10T02:00:02.91629Z", "deleted_at": null, "main_name": "HURRICANE PANDA", "aliases": [], "source_name": "MISPGALAXY:HURRICANE PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "722b693d-cfdc-489e-a540-78c7d52ac5a8", "created_at": "2022-10-25T16:07:23.713768Z", "updated_at": "2026-04-10T02:00:04.7232Z", "deleted_at": null, "main_name": "Hurricane Panda", "aliases": [ "Operation Poisoned Hurricane" ], "source_name": "ETDA:Hurricane Panda", "tools": [ "CHINACHOPPER", "China Chopper", "Mimikatz", "SinoChopper" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434720, "ts_updated_at": 1775792126, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/63b6a6e828d03d064490e7d52ef53405f30642ef.pdf", "text": "https://archive.orkl.eu/63b6a6e828d03d064490e7d52ef53405f30642ef.txt", "img": "https://archive.orkl.eu/63b6a6e828d03d064490e7d52ef53405f30642ef.jpg" } }