{
	"id": "c06afd1f-0716-4be2-a673-9871972f198d",
	"created_at": "2026-04-06T00:17:28.334479Z",
	"updated_at": "2026-04-10T03:33:51.360094Z",
	"deleted_at": null,
	"sha1_hash": "8013be663d79fb5f14661031d7f10ee878a500cd",
	"title": "APT 19, Deep Panda, C0d0so0",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82242,
	"plain_text": "APT 19, Deep Panda, C0d0so0\r\nArchived: 2026-04-05 12:45:01 UTC\r\n APT group: APT 19, Deep Panda, C0d0so0\r\nNames\r\nAPT 19 (Mandiant)\r\nDeep Panda (CrowdStrike)\r\nCodoso (CrowdStrike)\r\nC0d0so0 (CrowdStrike)\r\nSunshop Group (FireEye)\r\nTG-3551 (SecureWorks)\r\nBronze Firestone (SecureWorks)\r\nPupa (Symantec)\r\nRed Pegasus (PWC)\r\nCheckered Typhoon (Microsoft)\r\nG0009 (MITRE)\r\nG0073 (MITRE)\r\nCountry China\r\nSponsor\r\nA group likely composed of freelancers, with some degree of sponsorship by the\r\nChinese government. (FireEye)\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\nAPT 19 is a Chinese-based threat group that has targeted a variety of industries,\r\nincluding defense, finance, energy, pharmaceutical, telecommunications, high tech,\r\neducation, manufacturing, and legal services. In 2017, a phishing campaign was\r\nused to target seven law and investment firms.\r\nSome analysts track APT19, DarkHydrus, LazyMeerkat, Turbine Panda, APT 26,\r\nShell Crew, WebMasters and KungFu Kittens as the same group, but it is unclear from\r\nopen source information if the groups are the same.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=58c7e347-341c-4446-bf03-81fc1f7d9254\r\nPage 1 of 5\n\nObserved\nSectors: Defense, Education, Energy, Financial, Government, High-Tech,\nManufacturing, Pharmaceutical, Telecommunications, Think Tanks and political\ndissidents and Forbes.\nCountries: Australia, USA.\nTools used C0d0so0, Cobalt Strike, Derusbi, EmpireProject, Fire Chili and a 0-day for Flash.\nOperations performed\nMar 2013\nBreach of the US Department of Labor website\nOn April 30, 2013, CrowdStrike was alerted to a strategic web\ncompromise on a US Department of Labor website that was\nredirecting visitors to an attacker’s infrastructure. Eight other\ncompromised sites were also reported to be similarly compromised\nwith the data suggesting that this campaign began in mid-March.\nEarly 2014\nBreaches of National Security Think Tanks\nThis actor, who was engaged in targeting and collection of Southeast\nAsia policy information, suddenly began targeting individuals with a\ntie to Iraq/Middle East issues. This is undoubtedly related to the\nrecent Islamic State of Iraq and the Levant (ISIS) takeover of major\nparts of Iraq and the potential disruption for major Chinese oil\ninterests in that country. In fact, Iraq happens to be the fifth-largest\nsource of crude oil imports for China and the country is the largest\nforeign investor in Iraq’s oil sector.\nMar 2014\nBreach of the US Office of Personnel Management\nOPM investigates a breach of its computer networks dating back to\nMarch 2014. Authorities trace the intrusion to China. OPM offers\nemployees free credit monitoring and assures employees that no\npersonal data appears to have been stolen.\nMar 2014\nBreach of USIS\nIt emerges that USIS, a background check provider for the U.S.\nDepartment of Homeland Security, was hacked. USIS offers 27,000\nDHS employees credit monitoring through AllClearID (full\ndisclosure: AllClear is an advertiser on this blog). Investigators say\nChinese hackers are responsible, and that the attackers broke in by\nexploiting a vulnerability in an enterprise management software\nproduct from SAP.\nApr 2014\nBreach of health insurance company Anthem\nJul 2014\nSakula Malware to Target Organizations in Multiple Sectors\nOver the last few months, the CrowdStrike Intelligence team has been\ntracking a campaign of highly targeted events focused on entities in\nthe U.S. Defense Industrial Base (DIB), healthcare, government, and\ntechnology sectors. This campaign infected victims with Sakula\nmalware variants that were signed with stolen certificates.\nNov 2014\nBreaches of Australian media organizations ahead of G20\n“We started to see activity over the last couple of weeks targeting\nAustralian media organizations and we believe that’s related to the\nG20,” Dmitri Alperovitch, co-founder of US computer security\ncompany CrowdStrike, told the ABC’s 7.30 program.\nDec 2014\nBreach of KeyPoint Government Solutions\nKeyPoint Government Solutions, which took over the bulk of federal\nbackground checks after one of its competitors was hacked, also\nrecently suffered a computer network breach, officials said Thursday.\nFeb 2015\nAttack using Forbes.com as Watering Hole\nMethod: Compromise of Forbes.com, in which the site was used to\ncompromise selected targets via a watering hole to a zero-day Adobe\nFlash exploit.\nApr 2015\nOperation “Kingslayer”\nRSA Research investigated the source of suspicious, observed\nbeaconing thought to be associated with targeted malware. In the\ncourse of this tactical hunt for unidentified code, RSA discovered a\nsophisticated attack on a software supply-chain involving a Trojan\ninserted in otherwise legitimate software; software that is typically\nused by enterprise system administrators.\nMay 2015\nBreach of health insurance company Premera Blue Cross\nPremera Blue Cross, one of the insurance carriers that participates in\nthe Federal Employees Health Benefits Program, discloses a breach\naffecting 11 million customers. Federal auditors at OPM warned\nPremera three weeks prior to the breach that its network security\nprocedures were inadequate.\nMay 2015\nBreach of health insurance company Carefirst Blue Cross\nCareFirst BlueCross BlueShield on Wednesday said it had been hit\nwith a data breach that compromised the personal information on\napproximately 1.1 million customers. There are indications that the\nsame attack methods may have been used in this intrusion as with\nbreaches at Anthem and Premera, incidents that collectively involved\ndata on more than 90 million Americans.\nJan 2016\nSeveral Watering Hole Attacks\nMay 2017\nPhishing campaign targeting at least seven global law and investment\nfirms.\nMethod: In early May, the phishing lures leveraged RTF attachments\nthat exploited the Microsoft Windows vulnerability described in\nCVE-2017-0199. Toward the end of May, APT19 switched to using macro-enabled\nMicrosoft Excel (XLSM) documents. In the most recent\nversions, APT19 added an application whitelisting bypass to the\nXLSM documents. At least one observed phishing lure delivered a\nCobalt Strike payload.\nJun 2017\nAttacks on Australian law firms and research body\nMar 2022\nChinese hacking group uses new 'Fire Chili' Windows rootkit\nCounter operations\nAug 2017\nUS Arrests Chinese Man Involved With Sakula Malware Used in\nOPM and Anthem Hacks\nOct 2018\nU.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace\nSecrets\nMay 2019\nChinese national indicted for 2015 Anthem breach\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=58c7e347-341c-4446-bf03-81fc1f7d9254",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=58c7e347-341c-4446-bf03-81fc1f7d9254"
	],
	"report_names": [
		"showcard.cgi?u=58c7e347-341c-4446-bf03-81fc1f7d9254"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a080173e-7141-4d46-831d-a5f15ebef31a",
			"created_at": "2023-01-06T13:46:38.629955Z",
			"updated_at": "2026-04-10T02:00:03.044597Z",
			"deleted_at": null,
			"main_name": "APT26",
			"aliases": [
				"JerseyMikes",
				"TURBINE PANDA",
				"BRONZE EXPRESS",
				"TECHNETIUM",
				"Taffeta Typhoon"
			],
			"source_name": "MISPGALAXY:APT26",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6efb28db-4d91-46cb-8ab7-fe9e8449ccfc",
			"created_at": "2023-01-06T13:46:38.772861Z",
			"updated_at": "2026-04-10T02:00:03.095095Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"LazyMeerkat",
				"G0079",
				"Obscure Serpens"
			],
			"source_name": "MISPGALAXY:DarkHydrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b04780e-7b64-4e62-b776-c6749ff7dec8",
			"created_at": "2022-10-25T16:07:23.531741Z",
			"updated_at": "2026-04-10T02:00:04.643562Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"ATK 77",
				"DarkHydrus",
				"G0079",
				"LazyMeerkat",
				"Obscure Serpens"
			],
			"source_name": "ETDA:DarkHydrus",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Mimikatz",
				"Phishery",
				"RogueRobin",
				"RogueRobinNET",
				"Trojan.Phisherly",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fe925e8-95e5-4a63-9f96-4d0f9bedac08",
			"created_at": "2022-10-25T15:50:23.469077Z",
			"updated_at": "2026-04-10T02:00:05.384299Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"DarkHydrus"
			],
			"source_name": "MITRE:DarkHydrus",
			"tools": [
				"Mimikatz",
				"RogueRobin",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434648,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8013be663d79fb5f14661031d7f10ee878a500cd.pdf",
		"text": "https://archive.orkl.eu/8013be663d79fb5f14661031d7f10ee878a500cd.txt",
		"img": "https://archive.orkl.eu/8013be663d79fb5f14661031d7f10ee878a500cd.jpg"
	}
}