{
	"id": "79706da6-0a28-4878-a6c7-16194528a321",
	"created_at": "2026-04-06T00:07:30.335122Z",
	"updated_at": "2026-04-10T13:12:47.517533Z",
	"deleted_at": null,
	"sha1_hash": "ae099d9e7405f60814eb9b880caba39e16f8119d",
	"title": "Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77255,
	"plain_text": "Anomali Suspects that China-Backed APT Pirate Panda May Be\r\nSeeking Access to Vietnam Government Data Center\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 22:50:35 UTC\r\nAuthored by: Sara Moore, Joakim Kennedy, Parthiban R, and Rory Gould\r\nThe Anomali Threat Research Team detected a spear phishing email targeting government employees in the\r\nMunicipality of Da Nang, Vietnam. The email contained a malicious Microsoft Excel document which drops a\r\nmalicious Dynamic-Link Library (DLL) providing the actor with CMD reverse shell over HTTP. The DLL shares\r\ncode similarities to exile-RAT, a tool associated with Pirate Panda. Pirate Panda is an APT backed by China and\r\nknown for targeting government and political organisations.\r\nPirate Panda has reportedly focused primarily on issues surrounding territorial conflicts in the South China Sea [1].\r\nAs Da Nang lies on the Coast of Vietnam, opposite the Paracel Islands (an area of territorial dispute), this may\r\nprovide some understanding of why Pirate Panda would consider targeting this municipality.\r\n[2]\r\nThe phishing email and lure document observed suggest that the employees targeted likely work within a\r\ngovernment-run data center. Such attacks are consistent with other regional APT campaigns [3]. If Pirate Panda\r\nwere to compromise a government-run data center, it would have access to vast amounts of sensitive information.\r\nTargeted Phishing\r\nIn the screenshot below, the phishing email shown was sent by a government employee to another government\r\nemployee. 
The intended victim had a “danang.gov.vn” appended to the email address, as seen in the email\r\nheaders.\r\nFigure 1, Phishing email\r\nThe subject header is “Cập nhật lịch trực lễ 30/4 và 1/5,” which Google translates as “Updated live schedule 30_4\r\nand 1_5.eml.” The live schedule appeared to be for the dates of April 30 and May 1, which may indicate that the\r\nlure theme was related to events on those days. As both 30 April and 1 May are Vietnamese national holidays, it is\r\nplausible the theme related to those events, although we cannot confirm that hypothesis based on available data.\r\n30 April is “Reunification Day,” marking the unification between North and South Vietnam in 1975.\r\n1 May is Vietnam’s national “Labour Day” holiday, which has political associations with communism and\r\nthe working class.\r\nFigure 2, Email header for phishing sample\r\nhttps://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z\r\nPage 1 of 5\n\nWe assess that the phishing email likely came from a genuine internal mailbox, as Microsoft Exchange\r\ncategorised it as “Internal” and the IP address in the email header, 10.196.132.154, was from an internal private\r\nnetwork. If the originating email account was associated with a real employee, that employee was likely\r\ncompromised previously, or they are conducting internal pentesting.\r\nAn open-source search of both email addresses only located information about the victim email address in an\r\nonline spreadsheet titled “Công viên phần mềm Đà Nẵng,” which Google translates to “Da Nang Software Park.”\r\nWe were unable to determine what, if any, link exists between the government employees listed and the park. The\r\nspreadsheet contained email addresses, telephone numbers and possible job titles for Da Nang government\r\nemployees, with the victim’s job title translating to “Expert”. 
The spreadsheet was hosted on dsp.vn, a\r\ngovernment-owned site that described the Da Nang IT Infrastructure Development Center as having been\r\nestablished under the People's Committee of Da Nang City, a non-business unit under the Department of\r\nInformation and Danang media. [4]\r\nFigure 3, location of Da Nang\r\nDa Nang lies on the coast across from the Paracel Islands, an area of territorial dispute [5]. In March 2020, the\r\nUSS Theodore Roosevelt visited the port of Da Nang to commemorate the relationship between Vietnam and the\r\nUnited States [6]. According to press reporting, “Washington has placed a high priority on improving its defense\r\nties with Vietnam recently as part of President Donald Trump’s National Defense Strategy, which prioritizes\r\nstrategic competition with China and countering its growing military capabilities in Asia.” [7]\r\nSince the outbreak of COVID-19, there has been an increase in naval activity in the South China Sea, including\r\nthe Chinese aircraft carrier Liaoning and US Navy ships patrolling the area; indications of ongoing regional\r\ntensions.\r\nMalicious Excel Document\r\nThe phishing email contains an attachment called “lich truc li,” which translates as “office schedule.”\r\nFigure 4, Screenshot of the malicious Excel document\r\nThe spreadsheet contained a table with three titles: “bảng phân công trực trung tâm dữ liệu,” which translates as\r\n“Data Center assignment table,” “TRUNG TM PHÁT TRIỂN HẠ TẦNG ĐA NĂNG,” which translates as\r\n“Multi-infrastructure development center,” and “phòng hệ thống,” which translates as “system room.” This may\r\nsupport a hypothesis that the government employees work in a data center in the Da Nang Software Park. This\r\nspreadsheet is likely an employee schedule. Column B appears to hold employee names, whilst C \u0026 D correspond\r\nwith shift patterns laid out in rows 19-24. 
An open-source search suggests that the acronyms “TC1,” “TC2,” and\r\n“TC3” may refer to technology centers.\r\nWhen the Excel document is opened, two executables (utilman.exe and mpsvc.dll) will be dropped at folder\r\n%AppData%MicrosoftCorporation. Utilman.exe is the Windows Defender executable MsMpEng.exe. The attacker is\r\nemploying a DLL Side-Loading technique using a legitimate security product to load a malicious DLL [8]. This is a\r\ncommon technique for a variety of threat actors and groups. A shortcut for utilman.exe is then created in the\r\nstartup folder so that the dropped files execute during the next reboot of the machine and communicate with a\r\ncommand and control (C2).\r\nFigure 5, process graph\r\nMpsvc.dll initially makes a number of DNS requests to “dns.google” (8.8.8.8 and 8.8.4.4), which is Google’s\r\npublic DNS service. The domain name resolved as skypechatvideo[.]online.\r\nFigure 6, pcap file for mpsvc.dll\r\nAfter communicating to Google DNS, the victim machine communicates with the C2 skypechatvideo[.]online and\r\nsends the following GET request:\r\nhttp://skypechatvideo[.]online/wwwlib/title.php?\r\nID=NzhERjJFQjgtNDk5RC03ODQ0LTlCNzctM0U2QUVBREYyNEU4:U1Q=\r\nThe C2 was hosted on an Apache server running PHP, and communicated with the victim machine over port\r\n49927. The domain skypechatvideo[.]online, which was registered at IP address 185.244.150[.]4 on April 20, 2020\r\nwith Registrar NameSilo, was using a privacy service that obfuscated the registrant information. Additionally,\r\naccording to RiskIQ, only one other domain was hosted on the IP address 185.244.150[.]4: onlinedocumentviewer[.]us,\r\nwhich was first seen in July 2018. 
The small number of domains suggests the infrastructure is owned rather than\r\nshared, and the long period between the domains makes the relationship between them questionable.\r\nThe dropped executable mpsvc.dll, although containing a large quantity of unique code, was genetically similar to\r\nexile-RAT and KeyBoy; both are RATs Pirate Panda deploys. It is likely that the threat actors modified and\r\ndeveloped the code since it was last used. The DLL has a compilation date of 22 April 2020, which is two days after\r\nthe C2 domain was registered, and the phishing email was sent on 27 April 2020. exile-RAT has been observed\r\nusing the same DLL Side-Loading technique, using a legitimate security product to load a malicious DLL. In this\r\ninstance, Windows Defender is being used.\r\nConclusion\r\nThe phishing email and the lure document suggest that the attack was crafted to target government employees\r\nworking at a data center, which is consistent with previous data center targeting by other campaigns attributed to\r\nAPTs [9]. If the phishing email was sent by a real employee, it is possible that members of the Da Nang\r\ngovernment have already been compromised, but were not the targets of interest or didn't have the required access\r\nto desired information. It is possible that the national holidays are being used as a lure, because the threat actors\r\nmay have an imminent desire for lateral movement and access to data. While Anomali has not been able to figure\r\nout what information the threat actors are attempting to obtain, if an attacker were to compromise a government-run data center, it would have access to vast amounts of sensitive information. 
Read more about People’s Republic\r\nof China (PRC) in this cybersecurity profile.\r\nHow Anomali Helps\r\nThe Anomali Threat Research Team provides actionable threat intelligence that helps customers, partners, and the\r\nsecurity community to detect and mitigate the most serious threats to their organizations. The team frequently\r\npublishes threat research in the form of white papers, blogs, and bulletins that are made available to the security\r\ncommunity, general public, and news organizations. Intelligence and bulletins about threat actors and related\r\nIndicators of Compromise (IOCs) are integrated directly into Anomali Altitude customers’ security infrastructures\r\nto enable faster and more automated detection, blocking, and response. For more information on how Anomali\r\ncustomers gain integrated access to threat research, visit: https://www.anomali.com/products.\r\nEndnotes\r\n[1] CrowdStrike, “CrowdStrike: Ongoing Pirate Panda operations using current event themes”, published March\r\n2nd 2020, accessed April 29th 2020, https://www.scribd.com/document/451284814/CrowdStrike-Ongoing-Pirate-Panda-operations-using-current-event-themes.\r\n[2] Minnie Chan, “Chinese military lashes out at American warship’s ‘intrusion’ in South China Sea”, South China\r\nMorning Post, published April 28th 2020, accessed April 28th 2020,\r\nhttps://www.scmp.com/news/china/diplomacy/article/3081970/chinese-military-lashes-out-american-warships-intrusion-south.\r\n[3] Denis Legezo, “Chinese Cyber-Espionage Group Hacked Government Data Center”, Kaspersky, published\r\nJune 15th 2018, accessed April 28th 2020, https://securelist.com/luckymouse-hits-national-data-center/86083/.\r\n[4] General Administrative Office, “Da Nang IT Infrastructure Development Center”, published November 23rd\r\n2017, 
accessed April 28th 2020, https://dsp.vn/chi_tiet-6420.\r\n[5] Minnie Chan, “Chinese military lashes out at American warship’s ‘intrusion’ in South China Sea”, South China\r\nMorning Post, published April 28th 2020, accessed April 28th 2020,\r\nhttps://www.scmp.com/news/china/diplomacy/article/3081970/chinese-military-lashes-out-american-warships-intrusion-south.\r\n[6] U.S. Embassy and Consulate in Vietnam, “Theodore Roosevelt Strike Group Completes Port Visit to Da Nang\r\nto Commemorate 25 Years of Diplomatic Relations”, published March 11th 2020, accessed April 28th 2020,\r\nhttps://vn.usembassy.gov/theodore-roosevelt-strike-group-completes-port-visit-to-da-nang-to-commemorate-25-years-of-diplomatic-relations/.\r\n[7] Benjamin Wilhelm, “Could China’s Aggression in the South China Sea Boost U.S.-Vietnam Relations?”, World\r\nPolitics Review, published April 8th 2020, accessed April 28th 2020, https://www.worldpoliticsreview.com/trend-lines/28669/could-china-s-aggression-in-the-south-china-sea-boost-u-s-vietnam-relations.\r\n[8] Marcus Pietro, “DLL Side-Loading for Fun (and Profit?) 
- Day 4”, Marpie, published January 4th 2019,\r\naccessed April 28th 2020, https://www.a12d404.net/security/2019/01/04/side-loading-fun-4.html.\r\n[9] Denis Legezo, “Chinese Cyber-Espionage Group Hacked Government Data Center”, Kaspersky, published\r\nJune 15th 2018, accessed April 28th 2020, https://securelist.com/luckymouse-hits-national-data-center/86083/.\r\nAppendix A: Indicators of Compromise (IOCs)\r\nIndicator of Compromise - Description\r\ncd075ddb7cbe9bfb9ca955be605a6f622d83bcef7eded2b495c653e86fe9b59e - Phishing email sample\r\n9736c6230909c71a6010d6005a86ffd60f5b9cfa2fdeae2a78084ffe48dc01dc - Excel document lure sample\r\n80C3E22B640B47E0C41F4185F091E2C523A9EF291A75B7007303E2267B8D68C5 - Utilman.exe (MsMpEng.exe, the legitimate Windows Defender security tool)\r\nA369FEE3B83C2D2534C48FDFAC8D03A266809AAA28ACE6B6002EAB57CC14EDD1 - Mpsvc.dll (malicious DLL)\r\nskypechatvideo[.]online - C\u0026C Domain\r\nSource: https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z"
	],
	"report_names": [
		"anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae099d9e7405f60814eb9b880caba39e16f8119d.pdf",
		"text": "https://archive.orkl.eu/ae099d9e7405f60814eb9b880caba39e16f8119d.txt",
		"img": "https://archive.orkl.eu/ae099d9e7405f60814eb9b880caba39e16f8119d.jpg"
	}
}