{
	"id": "99a97e3b-04d8-4e8b-922b-3c9d47563dfd",
	"created_at": "2026-04-06T00:19:22.33191Z",
	"updated_at": "2026-04-10T03:33:22.389888Z",
	"deleted_at": null,
	"sha1_hash": "6f08b123991422cedb73f298e9ee8f16cfaebe27",
	"title": "Chinese hacking group uses new 'Fire Chili' Windows rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3242083,
	"plain_text": "Chinese hacking group uses new 'Fire Chili' Windows rootkit\r\nBy Bill Toulas\r\nPublished: 2022-03-31 · Archived: 2026-04-05 19:43:43 UTC\r\nThe Chinese hacking group Deep Panda is targeting VMware Horizon servers with the Log4Shell exploit to deploy a novel rootkit named 'Fire Chili.'\r\nThe rootkit is digitally signed using a certificate from Frostburn Studios (game developer) or one from Comodo (security software) to evade detection by AV tools.\r\nAnalysts at Fortinet who tracked Deep Panda's recent activity believe the certificates were stolen from those software developers.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-hacking-group-uses-new-fire-chili-windows-rootkit/\r\nPage 1 of 5\r\nDeep Panda is a notorious Chinese APT focused on cyber-espionage operations that has been active for many years. The FBI arrested one of its members back in 2017 after linking him to the exploitation of three zero-day vulnerabilities.\r\nFire Chili rootkit\r\nIn a recent Deep Panda campaign discovered by Fortinet, the hacking group is deploying the new 'Fire Chili' rootkit to evade detection on compromised systems.\r\nA rootkit is malware typically installed as a driver that hooks various Windows APIs to hide the presence of other files and configuration settings in the operating system. For example, by hooking Windows API functions, a rootkit can filter the data returned to programs that request it, so that malicious file names, processes, and Registry keys are not displayed.\r\nIn the attacks, the rootkit is signed with valid digital certificates, allowing it to bypass detection by security software and load into Windows without any warnings.\r\nCertificates stolen from legitimate companies (Fortinet)\r\nUpon launch, Fire Chili performs basic system checks to ensure it is not running in a simulated environment and verifies that the kernel structures and objects it abuses during operation are present.\r\nFortinet reports that the most recent operating system version supported by Fire Chili is Windows 10 Creators Update, released in April 2017.\r\nThe goal of the rootkit is to keep file operations, processes, Registry key additions, and malicious network connections hidden from the user and from any security software running on the compromised machine.\r\nFor this hiding function, the malware uses IOCTLs (input/output control system calls) that are pre-populated with the malicious artifacts and can be dynamically configured.\r\nFor example, to hide malicious TCP connections from netstat, the rootkit intercepts routine IOCTL calls to the device stack, retrieves the complete list of network connections, filters out its own, and finally returns a sanitized structure.\r\nIOCTLs to hide malicious artifacts (Fortinet)\r\nWinnti overlaps\r\nWhile looking into the latest Deep Panda campaign, Fortinet found several overlaps with Winnti, another notorious Chinese hacking group known for using digitally signed certificates.\r\nAlso, Winnti is known for persistently targeting gaming companies, so it could have stolen those certificates during one of its successful campaigns.\r\n\"The reason these tools are linked to two different groups is unclear at this time. It's possible that the groups' developers shared resources, such as stolen certificates and C2 infrastructure, with each other. This may explain why the samples were only signed several hours after being compiled.\" - Fortinet\r\nSophisticated hacking collectives that focus on cyber-espionage rather than financial profit are more likely to be backed or even coordinated by government handlers, so this overlap is hardly surprising.\r\nSource: https://www.bleepingcomputer.com/news/security/chinese-hacking-group-uses-new-fire-chili-windows-rootkit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/chinese-hacking-group-uses-new-fire-chili-windows-rootkit/"
	],
	"report_names": [
		"chinese-hacking-group-uses-new-fire-chili-windows-rootkit"
	],
	"threat_actors": [
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f08b123991422cedb73f298e9ee8f16cfaebe27.pdf",
		"text": "https://archive.orkl.eu/6f08b123991422cedb73f298e9ee8f16cfaebe27.txt",
		"img": "https://archive.orkl.eu/6f08b123991422cedb73f298e9ee8f16cfaebe27.jpg"
	}
}