{
	"id": "2310cc6b-1300-431d-b686-307eeab0fc6e",
	"created_at": "2026-04-06T00:13:42.309206Z",
	"updated_at": "2026-04-10T03:33:22.247127Z",
	"deleted_at": null,
	"sha1_hash": "663588a0e7a2953fe56aa80dd56923a12cb61aef",
	"title": "DEEP PANDA Uses Sakula Malware to Target Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 245133,
	"plain_text": "DEEP PANDA Uses Sakula Malware to Target Organizations\r\nBy mattdahl\r\nArchived: 2026-04-05 17:14:12 UTC\r\nOver the last few months, the CrowdStrike Intelligence team has been tracking a campaign of highly targeted events focused on entities in the U.S. Defense Industrial Base (DIB), healthcare, government, and technology sectors. This campaign infected victims with Sakula malware variants that were signed with stolen certificates. Investigation into this activity led to associations with the adversary known to CrowdStrike as DEEP PANDA. On 31 July 2014, an executable was identified, which, at the time, was not detected by any anti-virus products. When this file was executed, it caused the victim to view a website by using the ShellExecute() API to open a URL. The site’s domain name was meant to spoof that of a site set up to provide information on an alumni event for a U.S. university. This page requested that the visitor download an Adobe-related plugin in order to view the content. The downloaded plugin file included a variant of Sakula malware. \u003c1\u003e\r\nThe Sakula malware in this campaign utilized the Dynamic Link Library (DLL) side-loading technique most commonly associated with PlugX activity. In the aforementioned university-related incidents, a legitimate executable named MediaSoft.exe (MD5 hash: d00b3169f45e74bb22a1cd684341b14a) loaded a file named msi.dll (MD5 hash: ae6f33f6cdc25dc4bda24b2bccff79fe), which, in turn, was used to load the Sakula executable (MD5 hash: 0c2674c3a97c53082187d930efb645c2). This final executable was also signed with a certificate assigned to an organization called DTOPTOOLZ Co., Ltd. Command-and-Control (C2) communications in this incident went directly to IP address 180.210.206.246; a sample GET request is below:\r\nFurther investigation revealed similar activity stretching back to at least April 2014, when similar TTPs were used to target a healthcare organization and a U.S.-based IT company with high-profile clients in the defense sector. Two other incidents were also identified in August 2014 targeting a company in the DIB and a Mongolian government entity. All incidents in this campaign were similar in that they utilized malicious droppers masquerading as installers for legitimate software applications like Adobe Reader, Juniper VPN, and Microsoft ActiveX Control. They display progress bars that make it appear as if the specified software is being updated or installed.\r\nhttps://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/\r\nPage 1 of 4\r\nExample of Installer Progress Bar Displayed by Dropper\r\nIn addition, the droppers all directed victims to login pages for services specific to the target organization like webmail, document sharing, or corporate VPN. In all cases except one, the victims were directed to legitimate login pages. The one exception was a case in which victims were sent to a login page hosted on a domain that spoofed that of the legitimate one. It is unclear whether redirecting victims to these login pages was part of credential-collection activity or merely meant to deceive victims into believing that the activity was legitimate.\r\nExample of a Login Page that Victims were Redirected to\r\nThe campaign appeared to be over by the end of August, but a file was recently discovered that suggests it may be ongoing. The intended target again appeared to be a Mongolian government entity, and the file masqueraded as an installer for Microsoft ActiveX software. It dropped the side-loaded Sakula malware just like in the other incidents; however, in this instance, the Sakula payload was signed with a certificate assigned to a different organization, Career Credit Co., Ltd. The malware used the domain www\u003c.\u003exha-mster\u003c.\u003ecom for C2, which was created in mid-September and is registered with the email address wendellom@yahoo.com and registrant name “tonyy starke” (hence the Ironman-related title of this blog). Below is a chart showing the relevant relationships to this DEEP PANDA campaign.\r\nThe bottom of the chart shows an infrastructure connection between an IP address (198.200.45.112) used in this campaign and also used in recently observed DEEP PANDA activity.\r\nAssociation with Recent Scanbox Activity\r\nIn September 2014, CrowdStrike Intelligence identified a malicious file signed with the DTOPTOOLZ Co., Ltd. certificate. Analysis of this file revealed it to be Derusbi malware (a favorite RAT of DEEP PANDA) that used the domain vpn\u003c.\u003efoundationssl\u003c.\u003ecom for its C2. At the time of discovery, CrowdStrike did not attribute the file to DEEP PANDA based on the malware alone, but the use of the DTOPTOOLZ certificate to sign a malware variant known to be heavily used by this adversary makes it likely that this signed Derusbi sample is also attributable to DEEP PANDA. In a recent public report from PWC, another foundationssl\u003c.\u003ecom domain was linked to activity involving the Strategic Web Compromise (SWC) framework more commonly known as Scanbox. In that operation, the Scanbox code was placed on the website of a U.S.-based think tank and utilized the malicious domain news\u003c.\u003efoundationssl\u003c.\u003ecom. The use of the two foundationssl\u003c.\u003ecom subdomains suggests that the same adversary (in this case DEEP PANDA) was responsible for the signed Derusbi malware file and the think tank SWC activity. Furthermore, CrowdStrike publicly reported on DEEP PANDA targeting of think tanks in July 2014.\r\nIf you want to hear more about DEEP PANDA and their tradecraft or any of the other adversaries that CrowdStrike tracks, please contact: sales@crowdstrike.com\r\n\u003c1\u003e In February 2014, CrowdStrike publicly reported on a campaign that leveraged Sakula malware; however, the Tactics, Techniques, and Procedures (TTPs) between that campaign and this recent one are different, suggesting two distinct adversaries are using the Sakula malware.\r\nSource: https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/"
	],
	"report_names": [
		"ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors"
	],
	"threat_actors": [
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/663588a0e7a2953fe56aa80dd56923a12cb61aef.pdf",
		"text": "https://archive.orkl.eu/663588a0e7a2953fe56aa80dd56923a12cb61aef.txt",
		"img": "https://archive.orkl.eu/663588a0e7a2953fe56aa80dd56923a12cb61aef.jpg"
	}
}