{
	"id": "176420cd-c66e-42e4-8529-a2bdcef36a42",
	"created_at": "2026-04-06T00:17:30.479545Z",
	"updated_at": "2026-04-10T03:33:22.325711Z",
	"deleted_at": null,
	"sha1_hash": "67618322305eb451699abcd1f9db34a25ad5076e",
	"title": "US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 616503,
	"plain_text": "US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks\r\nBy Catalin Cimpanu\r\nPublished: 2017-08-26 · Archived: 2026-04-02 10:55:20 UTC\r\nThe FBI has arrested a Chinese national on accusations of distributing and infecting US companies with the Sakula malware, the same malware used in the OPM and Anthem hacks.\r\nThe suspect's name is Yu Pingan, 26, of Shanghai. US authorities arrested Yu on Monday, August 21, at the Los Angeles airport, as the suspect entered the US to attend a security conference.\r\nYu's alleged criminal past tied to Sakula trojan\r\nAccording to an official indictment, authorities accused Yu and two other unnamed co-conspirators of infecting four US companies with Sakula, a backdoor trojan.\r\nhttps://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/\r\nPage 1 of 4\r\nThe US Department of Justice described Yu as a \"malware broker\" and charged him with distributing the tool, along with four hacking charges. US authorities did not accuse Yu of creating Sakula, nor of hacking OPM or Anthem.\r\nBetween 2014 and 2015, hackers stole the personal records of over 21 million government employees from the US Office of Personnel Management (OPM), and over 80 million medical records from Anthem Inc., a US company that provides health insurance, including for several government agencies.\r\nYu accused of using three zero-days, knowing of a fourth\r\nUS cyber-security firms have accused Chinese state hackers of carrying out the OPM and Anthem breaches. They blamed a cyber-espionage unit named Deep Panda — also known as APT19.\r\nUS authorities did not elaborate on Yu's connection to Deep Panda. Nonetheless, the indictment mentioned that Yu and his co-conspirators were in possession of at least four zero-days — CVE-2014-0322 (affecting IE10), CVE-2012-4969 (affecting IE6), CVE-2012-4792 (affecting IE6), and an unidentified Flash Player zero-day that Yu mentioned in chat transcripts.\r\nThe hacks for which Yu stands accused all took place before the OPM and Anthem breaches. Historically, security firms have observed the Sakula trojan used exclusively in nation-state cyber-espionage campaigns.\r\nYu will be arraigned in court next week.\r\nOn a side note, the video below gives a basic introduction to nation-state cyber-espionage campaigns. At 27:55, security expert The Grugq provides a very simple explanation of why Chinese hackers targeted OPM and Anthem. The rest of the video also explains how the Chinese cyber apparatus works, along with similar infrastructures in Russia and the US.\r\nSource: https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/"
	],
	"report_names": [
		"us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67618322305eb451699abcd1f9db34a25ad5076e.pdf",
		"text": "https://archive.orkl.eu/67618322305eb451699abcd1f9db34a25ad5076e.txt",
		"img": "https://archive.orkl.eu/67618322305eb451699abcd1f9db34a25ad5076e.jpg"
	}
}