{
	"id": "9b70c69f-9794-4430-a052-68955e45b63d",
	"created_at": "2026-04-06T00:21:56.407997Z",
	"updated_at": "2026-04-10T03:33:22.271859Z",
	"deleted_at": null,
	"sha1_hash": "ae45e11605ada416b2bbee9670c2551a7625d5c7",
	"title": "New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 465437,
	"plain_text": "New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits\r\nPublished: 2022-03-30 · Archived: 2026-04-05 17:32:12 UTC\r\nDuring the past month, FortiEDR detected a campaign by Deep Panda, a Chinese APT group. The group exploited the infamous Log4Shell vulnerability in VMware Horizon servers. The targeting was opportunistic, insofar as multiple infections in several countries and various sectors occurred on the same dates. The victims belong to the financial, academic, cosmetics, and travel industries.\r\nFollowing exploitation, Deep Panda deployed a backdoor on the infected machines. Forensic leads from the backdoor led us to discover a novel kernel rootkit signed with a stolen digital certificate. We found that the same certificate was also used by another Chinese APT group, named Winnti, to sign some of their tools.\r\nIn this blog, we share our analysis of the flow of infection, the backdoor, and the new rootkit, along with our attribution of this campaign to these Chinese nation-state threat actors.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows Users\r\nImpact: Collects sensitive information from victim machines\r\nSeverity Level: Critical\r\nChain of Attack\r\nWhile examining customer alerts and telemetry, we noticed several infiltrations into victim networks that were achieved via Log4Shell exploitation of vulnerable VMware Horizon servers. These attacks spawned a new PowerShell process to download and execute a chain of scripts that ended with the installation of a malicious DLL.\r\nhttps://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits\r\nPage 1 of 19\r\nFigure 1: Flow of events from Log4Shell exploitation to execution of the final payload\r\nThe encoded PowerShell command downloads another PowerShell script from a remote server and executes it.\r\nFigure 2: The decoded PowerShell command\r\nThe next-stage PowerShell script downloads three additional files from the same server: 1.bat, syn.exe and 1.dll.\r\nFigure 3: Content of the p.txt PowerShell script downloaded from the server\r\nThe script then executes 1.bat, which in turn executes syn.exe and proceeds to delete all three files from the disk.\r\nFigure 4: Content of the 1.bat script downloaded from the server\r\nsyn.exe is a program that loads its first command-line argument using LoadLibrary, in this case 1.dll. The 1.dll module is the final payload, a backdoor that we have dubbed Milestone. Its code is based on the leaked source code of Gh0st RAT/Netbot Attacker and is packed with Themida.\r\nThe backdoor copies itself to %APPDATA%\\newdev.dll and creates a service named msupdate2 by writing the service entry directly to the registry. Several other service names and descriptions have been observed among different samples.\r\nFigure 5: “msupdate2” service registered by Milestone\r\nWhile it has the same name as the legitimate Microsoft newdev.dll, it has only two of the real newdev.dll's exports plus an additional ServiceMain export.\r\nFigure 6: Exports of the malicious Milestone\r\nOverall, the backdoor has capabilities similar to Gh0st RAT’s, with notable differences. Its C2 communication is uncompressed, unlike Gh0st RAT communication, which is zlib-compressed. There are differences in commands as well. For example, in the CMD command, some variants first copy cmd.exe to dllhost.exe to avoid detection by security products that monitor CMD executions. Additionally, the backdoor supports a command that sends information about the current sessions on the system to the server. This command does not exist in the original Gh0st RAT source code.\r\nAmong the many backdoor samples we hunted down, there are two distinguishable versions: binaries compiled in 2016 contain the version string MileStone2016, while those compiled in 2017 contain MileStone2017. The samples used in the recent infections we detected are only the 2017 variants.\r\nThere are several differences between the 2016 and 2017 Milestones. First, 2017 Milestones are typically packed with Themida, while 2016 ones are unpacked. Secondly, although 2016 Milestones have plausible timestamps, all 2017 Milestones share an identical timestamp, which leads us to believe they are forged. Combined with the fact that 2017 backdoors are used in attacks to this day, it is uncertain whether they were compiled in 2017 or much later.\r\nThe two versions also differ slightly in commands and communication. 2016 Milestones apply XOR encryption to their communication and also support a command to execute as a new user with administrator privileges. To do so, the backdoor first creates a new administrator user on the system, with the username ANONYMOUS and the password MileSt0ne2@16. It then executes another instance of itself as that user with CreateProcessAsUser and removes the user from the system immediately thereafter.\r\nA Stone’s Throw Away\r\nIn addition to the backdoors, we obtained a third type of sample – a dropper. It writes three files to the disk:\r\nBenign executable – %APPDATA%\\syn.exe\r\nMilestone loader – %APPDATA%\\newdev.dll\r\nDriver – C:\\Windows\\system32\\drivers\\crtsys.sys\r\nThe payloads above are stored XOR-encrypted and LZMA-compressed. The XOR key is a hardcoded DWORD that changes between samples.\r\nThe dropper carries two builds of the driver, for 32-bit and 64-bit systems. Using the Service Control Manager (SCM) API, it installs the build matching the operating system architecture as a driver named FSFilter-Min.\r\nThe dropper patches the .data section of the loader binary to add its configuration before it writes it to disk. Next, the dropper executes syn.exe, a benign executable signed by Synaptics, in order to side-load the newdev.dll loader module.\r\nThe loader also contains an XOR-encrypted and LZMA-compressed payload, which is a Milestone backdoor. It decrypts the configuration with XOR 0xCC and, like the dropper, patches the backdoor’s .data section with it. The configuration contains the backdoor’s version, C2 server address and service parameters.\r\nFinally, the loader reflectively loads the Milestone backdoor and calls its exports.\r\nFigure 7: Example of a decrypted configuration\r\nFire Chili Rootkit\r\nAs part of our research, we have collected four driver samples — two pairs of 32-bit and 64-bit samples. One pair was compiled in early August 2017 and the second pair was compiled ten days later. All four driver samples are digitally signed with stolen certificates from game development companies, either the US-based Frostburn Studios or the Korean 433CCR Company (433씨씨알 주식회사). The signatures made with Frostburn Studios’ certificate are even timestamped.\r\nFigure 8: Digital signature of a crtsys.sys driver\r\nTwo of the samples are on VirusTotal and have a very low detection rate.\r\nFigure 9: Detection rates of the rootkit samples from VirusTotal\r\nThe rootkit starts by ensuring the victim machine is not running in safe mode. It then checks the operating system version. The rootkit uses Direct Kernel Object Modification (DKOM), which involves undocumented kernel structures and objects, for its operations. For this reason, it relies on specific OS builds, as otherwise it may crash the infected machine. In general, the latest supported build is Windows 10 Creators Update (Redstone 2), released in April 2017.\r\nThe purpose of the driver is to hide and protect malicious artifacts from user-mode components. This covers four aspects: files, processes, registry keys and network connections. The driver has four global lists, one for each aspect, that contain the artifacts to hide. The driver’s IOCTLs allow dynamic configuration of the lists through its control device \\Device\\crtsys. The dropper uses these IOCTLs to hide the driver’s registry key, the loader and backdoor files, and the loader process.\r\nIOCTL | Action | Description\r\n0xF3060000 | Hide file | Add a path to global file list\r\n0xF3060004 | Stop hiding file | Remove a path from global file list\r\n0xF3060008 | Hide\\protect process | Add a file path or PID to global process list\r\n0xF306000C | Stop hiding\\protecting process | Remove a file path or PID from global process list\r\n0xF3060010 | Hide registry key | Add a key to global registry list\r\n0xF3060014 | Stop hiding registry key | Remove a key from global registry list\r\n0xF3060018 | Hide network connections | Add a file path or port number to global network list\r\n0xF306001C | Stop hiding network connections | Remove a file path or port number from global network list\r\nFiles\r\nThe rootkit implements a filesystem minifilter using code based on Microsoft’s official driver code samples. Prior to registering the minifilter instance, it dynamically creates an instance in the registry named Sfdev32TopInstance with altitude 483601.\r\nThe rootkit sets only one callback, a postoperation routine for IRP_MJ_DIRECTORY_CONTROL. When it receives an IRP with a minor function of IRP_MN_QUERY_DIRECTORY and a filename from the global file list, the callback changes the filename to “.” and the filename length to 0 (in the FILE_BOTH_DIR_INFORMATION structure).\r\nThe global file list is initialized with the path of the driver by default (*\\SYSTEM32\\DRIVERS\\CRTSYS.SYS).\r\nProcesses\r\nThere are two mechanisms pertaining to processes:\r\nPreventing process termination.\r\nHiding a process.\r\nTo prevent the termination of a process, the rootkit denies the PROCESS_TERMINATE access right for the processes it protects. Using ObRegisterCallbacks, it registers a preoperation callback routine that triggers whenever a handle to a process or thread is created or duplicated in the system. When the handle access originates from user mode and the image path or PID of the handle target is in the global process list, the driver removes the PROCESS_TERMINATE permission from the DesiredAccess parameter. This prevents user-mode processes from acquiring the permissions needed to terminate the threat actor’s malicious processes using standard APIs.\r\nFigure 10: Unsetting the PROCESS_TERMINATE bit of DesiredAccess\r\nTo hide a process, the rootkit monitors all newly created processes on the system by registering a callback using the PsSetCreateProcessNotifyRoutine API. Whenever a new process is created on the system, the rootkit checks if its path is in the global process list. If so, the process is removed from the ActiveProcessLinks list of the EPROCESS structure, which is a circular doubly-linked list of all running processes on the system. The driver removes the process’s list entry from ActiveProcessLinks by linking its Flink (the next entry) to its Blink (the previous entry). As a result, the process is hidden from utilities such as Task Manager.\r\nFigure 11: Removing a process from ActiveProcessLinks\r\nSince the EPROCESS structure changes between Windows builds, the rootkit resolves the ActiveProcessLinks offset dynamically at runtime. It traverses the process’s EPROCESS structure, comparing each member to its PID, to locate the offset of the UniqueProcessId field. Once found, the ActiveProcessLinks offset is easily located as well, since it is the next field in the EPROCESS structure. The older rootkit samples use the hiding mechanism on Windows 8 and below, while the newer samples use it only on Windows 7 and below.\r\nBy default, the global process list is initialized with the path *\\qwerty.exe. However, we have not observed any file with this name related to the campaign.\r\nRegistry Keys\r\nThe rootkit hides registry keys from users using Microsoft’s Registry Editor. The code is based on an open-source project published by a Chinese developer.\r\nThe HHIVE-\u003eGetCellRoutine functions of keys in the global registry keys list are replaced with a filter function. When the path of the querying process is *\\WINDOWS\\REGEDIT.EXE, the function simply returns 0 in place of the key node.\r\nBy default, the global registry list is initialized with the rootkit’s registry key (\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\CRTSYS).\r\nNetwork Connections\r\nThe rootkit is capable of hiding TCP connections from tools such as netstat. Much of the code for this part seems to be copied from an open-source project.\r\nThe rootkit attaches to nsiproxy.sys’s device stack and intercepts IOCTLs of type IOCTL_NSI_GETALLPARAM (0x12000B) that are sent to it. This IOCTL is used to retrieve information about the active network connections on the system. When it is intercepted, the driver replaces the IoCompletion routine with a function that filters the results to hide its own network connections.\r\nIOCTL_NSI_GETALLPARAM returns the information about network connections in an NSI_PARAM structure. NSI_PARAM contains connection data such as IP, port, connection state, and the process IDs of the executables that created the connection. The filter function iterates this structure, searching for connections involving a process or port number from its global network list. All identified connections are removed from the structure, rendering them hidden from the process that sent the IOCTL. It is interesting to note that the newer build of the 64-bit rootkit added support for filtering IOCTLs from 32-bit processes as well.\r\nIf attaching to nsiproxy.sys fails, the rootkit attaches to \\Device\\Tcp instead, intercepting IOCTL_TCP_QUERY_INFORMATION_EX (0x120003) and hiding network connections in a similar manner.\r\nBy default, the global network list is initialized with the following process paths:\r\n*\\SYN.EXE\r\n*\\SVCHOST.EXE\r\nAs a result, the TCP connections of all services running under svchost.exe are hidden, not just those of the Milestone backdoor.\r\nAttribution\r\nThe Milestone backdoor is actually the same Infoadmin RAT that was used by Deep Panda back in the early 2010s, referenced in blogs from 2013 and 2015. Although many backdoors are based on Gh0st RAT code, Milestone and Infoadmin are distinguishable from the rest. Besides having profoundly similar code, both backdoors incorporate identical modifications of Gh0st RAT code not seen in other variants.\r\nBoth backdoors share an XOR encryption function for encrypting communication and have abandoned the zlib compression of the original Gh0st RAT. Both also modified Gh0st RAT code in an identical way, specifically the CMD and screen capture functions. Moreover, the backdoors share two commands that are not present in other Gh0st RAT variants: the session enumeration command and the command to execute as an administrative user.\r\nAdditional evidence indicates affiliation to Winnti. The rootkits are digitally signed with certificates stolen from game development companies, which is a known characteristic of Winnti. Searching for more files signed with one of the certificates led to a malicious DLL uploaded to VirusTotal with the name winmm.dll. Further examination revealed it as the same tool referenced in a blog about Winnti that was published in 2013. Yet another connection to Winnti is based on a C2 domain. Two of the newdev.dll loaders are configured with the server gnisoft[.]com, which was attributed to Winnti in 2020.\r\nConclusion\r\nIn this blog, we have attributed a series of opportunistic Log4Shell infections from the past month to Deep Panda. Though previous technical publications on Deep Panda were published more than half a decade ago, this blog also relates to a more recent report about the Milestone backdoor, which shows that their operations have continued throughout all these years.\r\nFurthermore, we introduced the previously unknown Fire Chili rootkit and two compromised digital signatures, one of which we also directly linked to Winnti. Although both Deep Panda and Winnti are known to use rootkits as part of their toolset, Fire Chili is a novel strain with a unique code base different from the ones previously affiliated with the groups.\r\nThe reason these tools are linked to two different groups is unclear at this time. It’s possible that the groups’ developers shared resources, such as stolen certificates and C2 infrastructure, with each other. This may explain why the samples were only signed several hours after being compiled.\r\nFortinet Solutions\r\nFortiEDR detects and blocks these threats out-of-the-box without any prior knowledge or special configuration. It does this using its post-execution prevention engine to identify malicious activities:\r\nFigure 12: FortiEDR blocking communication for download \u0026 execute after Log4Shell exploitation\r\nFigure 13: FortiEDR blocking the backdoor from communicating with the C2 post-infection\r\nAll network IOCs have been added to the FortiGuard WebFiltering blocklist.\r\nThe FortiGuard Antivirus service engine is included in Fortinet’s FortiGate, FortiMail, FortiClient, and FortiEDR solutions. FortiGuard Antivirus has coverage in place as follows:\r\nW32/Themida.ICD!tr\r\nBAT/Agent.6057!tr\r\nW64/Agent.A10B!tr\r\nW32/Agent.0B37!tr\r\nW32/GenKryptik.FQLT!tr\r\nW32/Generic.AC.F834B!tr\r\nW32/GenKryptik.ATCY!tr\r\nW32/Generic.AP.33C2D2!tr\r\nW32/GenKryptik.AQZZ!tr\r\nW32/Generic.HCRGEJT!tr\r\nW32/Agent.DKR!tr\r\nW32/Agent.QNP!tr\r\nW32/Agent.RXT!tr\r\nW32/Agentb.BXIQ!tr\r\nW32/Agent.DA3E!tr\r\nW32/Agent.D584!tr\r\nW32/Agent.0F09!tr\r\nW32/Agent.3385!tr\r\nW64/Agent.D87B!tr.rkit\r\nW32/Agent.69C1!tr.rkit\r\nIn addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for customers.\r\nAppendix A: MITRE ATT\u0026CK Techniques\r\nID Description\r\nT1190 Exploit Public-Facing Application\r\nT1569.002 System Services: Service Execution\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1027 Obfuscated Files or Information: Software Packing\r\nT1041 Exfiltration Over C2 Channel\r\nT1082 System Information Discovery\r\nT1036 Masquerading\r\nT1083 File and Directory Discovery\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nT1592 Gather Victim Host Information\r\nT1588.003 Obtain Capabilities: Code Signing 
Certificates\r\nT1014 Rootkit\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nT1620 Reflective Code Loading\r\nT1113 Screen Capture\r\nAppendix B: IOCs\r\nIOC | Type | Details\r\n9BCD82563C72E6F72ADFF76BD8C6940C6037516A | Certificate thumbprint | -\r\n2A89C5FD0C23B8AF622F0E91939B486E9DB7FAEF | Certificate thumbprint | -\r\nmsupdate2 | Service name | -\r\nWebService | Service name | -\r\nalg | Service name | -\r\nmsupdate | Service name | -\r\nmsupdateday | Service name | -\r\nDigaTrack | Service name | -\r\ncrtsys.sys | File name | -\r\n%APPDATA%\\syn.exe | File name | -\r\n%APPDATA%\\newdev.dll | File name | -\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits"
	],
	"report_names": [
		"deep-panda-log4shell-fire-chili-rootkits"
	],
	"threat_actors": [
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434916,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae45e11605ada416b2bbee9670c2551a7625d5c7.pdf",
		"text": "https://archive.orkl.eu/ae45e11605ada416b2bbee9670c2551a7625d5c7.txt",
		"img": "https://archive.orkl.eu/ae45e11605ada416b2bbee9670c2551a7625d5c7.jpg"
	}
}