{
	"id": "cbbb3c4c-aa12-4e66-b41b-f607fa030a71",
	"created_at": "2026-04-06T00:06:17.944571Z",
	"updated_at": "2026-04-10T03:37:21.632117Z",
	"deleted_at": null,
	"sha1_hash": "70cef634f8bec3e588a8566daf7b5064091d0a6e",
	"title": "Emissary Panda, APT 27, LuckyMouse, Bronze Union",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84564,
	"plain_text": "Emissary Panda, APT 27, LuckyMouse, Bronze Union\nArchived: 2026-04-05 23:17:53 UTC\nAPT group: Emissary Panda, APT 27, LuckyMouse, Bronze Union\nNames\nEmissary Panda (CrowdStrike)\nAPT 27 (Mandiant)\nLuckyMouse (Kaspersky)\nBronze Union (Secureworks)\nTG-3390 (SecureWorks)\nTEMP.Hippo (Symantec)\nBudworm (Symantec)\nGroup 35 (Talos)\nATK 15 (Thales)\nIron Tiger (Trend Micro)\nEarth Smilodon (Trend Micro)\nRed Phoenix (PWC)\nZipToken (?)\nIron Taurus (Palo Alto)\nCircle Typhoon (Microsoft)\nLinen Typhoon (Microsoft)\nG0027 (MITRE)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2010\nDescription\nThreat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group\nleast 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sector\nEmissary Panda has some overlap with Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens and possibly UNC2\nThis actor worked together with TA428 in Operation StealthyTrident.\nObserved\nSectors: Aerospace, Aviation, Defense, Education, Embassies, Government, Manufacturing, Technology, Telecommunications,\nCountries: Australia, Canada, China, Germany, Hong Kong, India, Iran, Israel, Japan, Mongolia, Philippines, Russia, Spain, So\nThailand, Tibet, Turkey, UK, USA and Middle East.\nTools used\nAntak, ASPXSpy, China Chopper, Gh0st RAT, gsecdump, HTTPBrowser, HTran, Hunter, HyperBro, Mimikatz, Nishang, Owa\nPsExec, SysUpdate, TwoFace, Windows Credentials Editor, ZXShell, Living off the Land.\nOperations performed\n2010\nOperation “Iron Tiger”\nOperation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of data from defense co\nincluding stolen emails, intellectual property, strategic planning documents – data and records that could be 
u\norganization.\n2015\nPenetration of networks for industrial espionage\nDesignated as Threat Group 3390 and nicknamed “Emissary Panda” by researchers, the hacking group has c\nnetworks largely through “watering hole” attacks launched from over 100 compromised legitimate websites,\nwere known to be frequented by those targeted in the attack.\nJul 2017 Operation “PZChao”\nThe past few years have seen high-profile cyber-attacks shift to damaging the targets’ digital infrastructures t\ndata, silently monitoring the victim and constantly laying the ground for a new wave of attacks.\nThis is also the case of a custom-built piece of malware that we have been monitoring for several months as\nOur threat intelligence systems picked up the first indicators of compromise in July last year, and we have ke\nsince.\nMar 2018\nCampaign targeting a national data center in the Central Asia\nThe choice of target made this campaign especially significant – it meant the attackers gained access to a wid\nresources at one fell swoop. 
We believe this access was abused, for example, by inserting malicious scripts in\nwebsites in order to conduct watering hole attacks.\nApr 2018\nOperation “SpoiledLegacy”\nWe have been monitoring a campaign targeting Vietnamese government and diplomatic entities abroad since\nApr 2019\nIn April 2019, Unit 42 observed the Emissary Panda (AKA APT27, TG-3390, Bronze Union, Lucky Mouse)\nwebshells on Sharepoint servers to compromise Government Organizations of two different countries in the\nSummer 2019\nOperation “DRBControl”\n2020\nAPT27 Turns to Ransomware\n2020\nIron Tiger APT Updates Toolkit With Evolved SysUpdate Malware\nApr 2020\nInvestigation with a twist: an accidental APT attack and averted data destruction\nMar 2021\nExchange servers under siege from at least 10 APT groups\nMar 2021\nGerman government warns of APT27 activity targeting local companies\nApr 2022\nBudworm: Espionage Group Returns to Targeting U.S. Organizations\nMay 2022\nLuckyMouse uses a backdoored Electron app to target MacOS\nJul 2022\nIron Tiger’s SysUpdate Reappears, Adds Linux Targeting\nAug 2022\nIron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users\nMITRE ATT\u0026CK Playbook Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e67091ab-cbea-4d73-984d-e4b29f6c48a9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e67091ab-cbea-4d73-984d-e4b29f6c48a9"
	],
	"report_names": [
		"showcard.cgi?u=e67091ab-cbea-4d73-984d-e4b29f6c48a9"
	],
	"threat_actors": [
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a080173e-7141-4d46-831d-a5f15ebef31a",
			"created_at": "2023-01-06T13:46:38.629955Z",
			"updated_at": "2026-04-10T02:00:03.044597Z",
			"deleted_at": null,
			"main_name": "APT26",
			"aliases": [
				"JerseyMikes",
				"TURBINE PANDA",
				"BRONZE EXPRESS",
				"TECHNETIUM",
				"Taffeta Typhoon"
			],
			"source_name": "MISPGALAXY:APT26",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a80df4d-5ab7-4ca3-809d-8ef7b5a54f1f",
			"created_at": "2023-11-21T02:00:07.386886Z",
			"updated_at": "2026-04-10T02:00:03.474764Z",
			"deleted_at": null,
			"main_name": "TiltedTemple",
			"aliases": [
				"Circle Typhoon",
				"DEV-0322"
			],
			"source_name": "MISPGALAXY:TiltedTemple",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428",
				"Temp.Hex",
				"Vicious Panda"
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27",
				"Bowser",
				"Budworm",
				"Circle Typhoon",
				"Emissary Panda",
				"Group35",
				"Iron Tiger",
				"Linen Typhoon",
				"Lucky Mouse",
				"TG-3390",
				"Temp.Hippo"
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon",
				"Emissary Panda"
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70cef634f8bec3e588a8566daf7b5064091d0a6e.pdf",
		"text": "https://archive.orkl.eu/70cef634f8bec3e588a8566daf7b5064091d0a6e.txt",
		"img": "https://archive.orkl.eu/70cef634f8bec3e588a8566daf7b5064091d0a6e.jpg"
	}
}