{
	"id": "b54f57ed-0acd-4c24-8ac3-857e565cb2d8",
	"created_at": "2026-04-22T02:19:09.697691Z",
	"updated_at": "2026-04-22T02:20:04.506251Z",
	"deleted_at": null,
	"sha1_hash": "b68421916f3de1fc79c3b903d55321070efa23d8",
	"title": "Twisted Panda: Chinese APT espionage operation against Russian state-owned defense institutes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203346,
	"plain_text": "Twisted Panda: Chinese APT espionage operation against Russian\r\nstate-owned defense institutes\r\nBy itayc\r\nPublished: 2022-05-19 · Archived: 2026-04-22 02:16:54 UTC\r\nIntroduction\r\nIn the past two months, we observed multiple APT groups attempting to leverage the Russia and Ukraine war as a\r\nlure for espionage operations. It comes as no surprise that Russian entities themselves became an attractive target\r\nfor spear-phishing campaigns that are exploiting the sanctions imposed on Russia by western countries. These\r\nsanctions have put enormous pressure on the Russian economy, and specifically on organizations in multiple\r\nRussian industries.\r\nCheck Point Research (CPR) details a targeted campaign that has been using sanctions-related baits to attack\r\nRussian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a\r\nlarger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR\r\nresearchers estimate with high confidence that the campaign has been carried out by an experienced and\r\nsophisticated Chinese nation-state APT. In the below blog, the researchers reveal the tactics and techniques used\r\nby the threat actors and provide a technical analysis of the observed malicious stages and payloads, including\r\npreviously unknown loaders and backdoors with multiple advanced evasion and anti-analysis techniques.\r\nKey findings:\r\nCPR unveils a targeted campaign against at least two research institutes in Russia, whose primary expertise\r\nis the research and development of highly technological defense solutions. 
Research suggests that another\r\ntarget in Belarus, likely also related to the research field, received a similar spear-phishing email claiming\r\nthat the US is allegedly spreading a biological weapon.\r\nThe defense research institutes that we identified as targets of this attack belong to a holding company\r\nwithin the Russian state-owned defense conglomerate Rostec Corporation. It is Russia’s largest holding\r\ncompany in the radio-electronics industry and the specific targeted research institutes’ primary focus is the\r\ndevelopment and manufacturing of electronic warfare systems, military-specialized onboard radio-electronic equipment, air-based radar stations and means of state identification.\r\nThis campaign is a continuation of what CPR believes to be a long-running espionage operation against\r\nRussian-related entities that has been in operation since at least June 2021. The operation may still be\r\nongoing, as the most recent activity was observed in April 2022.\r\nThis activity was attributed with high confidence to a Chinese threat actor, with possible connections to\r\nStone Panda (aka APT10), a sophisticated and experienced nation-state-backed actor, and Mustang Panda,\r\nanother proficient China-based cyber espionage threat actor. CPR named this campaign Twisted Panda to\r\nreflect the sophistication of the tools observed and the attribution to China.\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 1 of 34\n\nThe hackers use new tools, which have not previously been described: a sophisticated multi-layered loader\r\nand a backdoor dubbed SPINNER. These tools have been in development since at least March 2021 and use\r\nadvanced evasion and anti-analysis techniques such as multi-layer in-memory loaders and compiler-level\r\nobfuscations.\r\nInfection chain\r\nOn March 23, malicious emails were sent to several defense research institutes based in Russia. 
The emails, which\r\nhad the subject “List of \u003ctarget institute name\u003e persons under US sanctions for invading Ukraine”,\r\ncontained a link to an attacker-controlled site mimicking the Health Ministry of Russia, minzdravros[.]com, and\r\nhad a malicious document attached:\r\nFigure 1: Spear-phishing email sent to research institutions in Russia.\r\nOn the same day, a similar email was also sent to an unknown entity in Minsk, Belarus with the subject “US\r\nSpread of Deadly Pathogens in Belarus”. All the attached documents are crafted to look like official documents\r\nfrom the Russian Ministry of Health, bearing its official emblem and title:\r\nFigure 2: Screenshot of the lure document sent to research institutions in Russia.\r\nEach document downloads an external template from URLs with a similar format, such as\r\nhttps://www.microtreely.com/support/knowledgebase/article/AIUZGAE7230Z[.]dotm. The external template\r\ncontains macro code that imports several API functions from kernel32 (LoadLibraryA, CreateFileA,\r\nWriteFile, ReadFile, etc.) and uses them to:\r\nWrite three files (cmpbk32.dll, cmpbk64.dll, and INIT) to the path C:/Users/Public.\r\nLoad cmpbk32.dll or cmpbk64.dll (depending on the system OS architecture) and execute its exported\r\nfunction R1.\r\nExecution of the exported function R1 finalizes the initialization of the malicious files. 
The malware creates a\r\nworking directory %TEMP%\\\\OfficeInit and copies to it the INIT and cmpbk32.dll files, as well as a legitimate\r\n32-bit Windows executable, cmdl32.exe, from either the System32 or SysWOW64 folder, depending on whether the\r\noperating system is 32- or 64-bit.\r\nFigure 3: The simplified infection chain.\r\nThe Loader\r\nThe loader is a 32-bit DLL utilizing dynamic API resolving with name hashing for evasion and anti-analysis. The\r\nloader is not only able to hide its main functionality, but also to avoid static detection of suspicious API calls by\r\ndynamically resolving them instead of using static imports.\r\nThe purpose of cmpbk32.dll is to load specific shellcode from the INIT file, depending on the infection stage,\r\nand run it. The INIT file contains two shellcodes: the first-stage shellcode runs the persistence and cleanup\r\nscript, and the second-stage shellcode is a multi-layer loader. The goal is to consecutively decrypt the other three\r\nfileless loader layers and eventually load the main payload in memory. To distinguish between the stages, the DLL\r\nentry point DllMain performs different actions based on the call reason.\r\nSetup stage\r\nWhen the malicious document is closed, a PROCESS_DETACH event is triggered. 
The DLL executes a portion of the\r\nINIT file in charge of cleaning up the files created by the malicious document and creates a scheduled task for\r\npersistence:\r\nFigure 4: DllMain PROCESS_DETACH event executes shellcode responsible for persistence and cleanup from\r\nINIT.\r\nFigure 5: Persistence and cleanup function.\r\nLoader stage\r\nThe main loading process begins with the scheduled task running cmdl32.exe, which loads the malicious DLL\r\ncmpbk32.dll. DLL sideloading by a legitimate process is a technique commonly used by threat actors; coupling\r\nit with a robust loading process can help evade modern anti-virus solutions as, in this case, the actual running\r\nprocess is valid and signed by Microsoft. Note that cmpbk64.dll is not copied into the %TEMP%\\\\OfficeInit\r\nfolder. The 64-bit version of the DLL is only used in the initial infection stage by the 64-bit MS Word process, as\r\nthe 32-bit cmdl32.exe can only load the 32-bit cmpbk32.dll.\r\nWhen the DLL is loaded, the PROCESS_ATTACH event is triggered and starts a sequence of operations. The\r\nsequence peels off multiple encrypted layers from the INIT file and eventually reveals and executes the final\r\npayload. It first reads an XOR-encrypted blob from the INIT file and decrypts it in memory using a simple XOR\r\nwith the key 0x9229. The decrypted blob is position-independent code and the first of the encrypted layers that\r\n“protects” the main payload.\r\nFigure 6: Layers of decryption performed by the loader to uncover the final payload.\r\nThis first layer is rather simple. It dynamically loads from Kernel32.dll the WinAPI functions that are essential for\r\nits work. 
Next, it begins a sequence of operations to uncover the second layer. It uses RC4 with the following\r\nhardcoded key: 0x1C, 0x2C, 0x66, 0x7C, 0x11, 0xCF, 0xE9, 0x7A, 0x99, 0x8B, 0xA3, 0x48, 0xC2, 0x03,\r\n0x07, 0x55. It then decompresses the decrypted buffer using RtlDecompressBuffer and reveals the second\r\nlayer.\r\nFigure 7: Injection to msiexec.exe\r\nThe injected code begins by dynamically loading a PE file embedded inside it and executing it from its entry point.\r\nSPINNER backdoor: technical analysis\r\nThe payload uses two compiler-level obfuscations:\r\nControl flow flattening: alters the code flow, making it non-linear\r\nOpaque predicates: defines unused logic and causes the binary to perform needless calculations\r\nEach method on its own makes the payload difficult to analyze, but together, they make the analysis painful, time-consuming, and tedious. These two types of obfuscations were previously spotted being used together in samples\r\nattributed to the Chinese-speaking groups Stone Panda (APT10) and Mustang Panda.\r\nFigure 8: Opaque predicate and control flow flattening code obfuscations in the SPINNER sample.\r\nWhen the SPINNER backdoor starts to run, it creates a mutex called MSR__112 to ensure there is only one\r\ninstance of the payload running at a time. The payload also expands the persistence previously created by the\r\nloader. 
It creates a new registry key OfficeInit under SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\r\nthat points to the cmdl32.exe path.\r\nNext, it sets up its own configuration, which contains the following fields:\r\nstruct malware_config {\r\n std::string full_c2_url;\r\n std::string host_name;\r\n std::string c2_uri;\r\n DWORD use_https;\r\n DWORD port;\r\n DWORD sleep_time;\r\n}\r\nThe full_c2_url is decrypted using XOR decryption with the key 0x50. After decryption, the function\r\nInternetCrackUrlA is used to crack the URL into its component parts: the c2_url_without_scheme, c2_uri,\r\nport and use_https fields.\r\nNext, the backdoor starts its main loop by checking if it’s the first run and therefore system fingerprinting has not\r\nyet occurred. If fingerprinting has not yet occurred, the backdoor creates a random 16-byte Bot ID and saves it to the file\r\n%TEMP%\\\\OfficeInit\\\\init.ini. 
It then collects data about the infected system and creates a string containing\r\nthe following data:\r\nBot ID\r\nComputer name\r\nLocal IP\r\nWindows version\r\nUsername\r\nSleep time retrieved from the malware config\r\nProcess ID\r\nNULL appended at the end of the string\r\nWhen it has the string containing all the gathered data, the backdoor prepares a packet to be sent to the C\u0026C\r\nserver, constructed in the following way:\r\n Offset  Field\r\n 0x0  16 null bytes\r\n 0x10  4-byte command ID – 0x10010001\r\n 0x14  4 null bytes\r\n 0x18  System information string length\r\n 0x1C  System information string\r\nNext, the backdoor generates a random 8-byte RC4 key that is used to encrypt the entire packet. The final packet\r\nhas this structure:\r\n Offset  Field\r\n 0x0  8-byte randomly generated RC4 key\r\n 0x8  Packet data size\r\n 0xC  Packet data\r\nThe packet is sent over HTTP or HTTPS, depending on the URL retrieved from the malware configuration. Similar\r\nto the request, the response from the C\u0026C server is encrypted with RC4 and has the same structure containing the\r\nkey, size, and data. The C\u0026C response can contain one of the following commands:\r\n Command ID  Action\r\n 0x10030001  Exit process\r\n 0x10010002  Self-update – write data to the INIT file and create another instance of cmdl32.exe using CreateProcessW.\r\n 0x10010001  Collect system information and send the data back to the C\u0026C\r\nJudging by the supported commands, this version of the SPINNER backdoor has only basic capabilities to\r\nenumerate the host system. Its main purpose is to run additional payloads received from the C\u0026C server. 
While\r\nwe were not able to get other payloads, based on other findings described later in the research, we believe that\r\nselected victims likely received the full backdoor with additional capabilities.\r\nPrevious campaign\r\nWhile searching VirusTotal for files similar to the loader, we encountered an additional cluster which also utilizes\r\nDLL sideloading to launch an in-memory loader that is very similar to the one we discussed previously. It then\r\nloads a payload that could be an earlier variant of the SPINNER backdoor. Judging by the names of the files and\r\ncompilation stamps of the executables, the campaign has been active since June 2021.\r\nUnlike the current campaign, which uses Microsoft Word documents as a dropper, the previous wave of attacks\r\nrelied on executables bearing the Microsoft Word logo. This suggests these droppers were intended to be delivered\r\nto the victims by the same means as the malicious documents, via spear-phishing emails, either as attachments or\r\nlinks to fake sites.\r\nThe Dropper\r\nThe dropper is a 64-bit executable that has a simpler flow than the previously discussed malicious document:\r\nFigure 9: The infection chain of the campaign starts with the executable dropper.\r\nFirst, it extracts the following files from resources: rekeywiz.exe, UnityPlayer.dll and PIN, and drops them\r\ninto the working folder C:\\\\Users\\\\Public\\\\PublicPIN. The file rekeywiz.exe masquerades as the legitimate\r\nWindows executable EFS REKEY Wizard, but is in fact a Steam gaming platform interactive wallpaper called\r\nSheep. Sheep is a digitally signed Unity-based application for Steam Wallpaper Engine. 
Therefore, it can\r\nevasively side-load the malicious loader, which imitates a Unity DLL and in turn loads, decrypts and executes the\r\nshellcode from the PIN file.\r\nThe dropper also decrypts a decoy Word document from its resources, drops it to %USER%\\\\Documents\\\\offic\\\\\r\n(the typo is on the actor) and opens it for the victim. All the decoy documents we observed in different droppers\r\nused Russian government-related themes, such as the Decrees of the President of the Russian Federation, with\r\ndocuments’ names and content in Russian. It can be assumed that the campaign is also targeting entities in or\r\nrelated to Russia.\r\nFigure 10: A fragment of the decoy document launched by the dropper.\r\nFor persistence, the dropper creates a scheduled task called InterSys that points to rekeywiz.exe. The code\r\nhandling this is very similar to the “persistence and cleanup” function from the loader we described earlier:\r\nFigure 11: Persistence set up by the dropper.\r\nThe Loader\r\nThe older versions of the loader contain debugging information and feature an interesting PDB path:\r\nC:\\\\D\\\\StageS\\\\Release\\\\HackDll2.pdb.\r\nAs the infection chain is simpler, when it is side-loaded by rekeywiz.exe, the loader only handles the\r\nPROCESS_ATTACH event. 
The payload decryption code for the loader is similar to the one we described, and it\r\nperforms the same steps as the new loader: XOR decryption for the first layer encryption, RC4 decryption for the\r\nsecond layer, and injection into a newly created msiexec.exe.\r\nFigure 12: UnityPlayer.dll XORing bytes from the PIN file (with the keys 0x29, 0x92) vs cmpbk32.dll XORing\r\nbytes from the INIT file (with the keys 0x29, 0x92)\r\nFinal payload – full SPINNER backdoor\r\nMany of the functions inside the final payload share similar logic with the SPINNER variant described above, but\r\nthe payload lacks the compiler-level obfuscations observed in the newer campaign, making it easier to analyze.\r\nFurthermore, the previous version of the backdoor contains additional features. This is another indication that the\r\ninitial SPINNER backdoor version we observed is only a part of the bigger payload. 
It’s likely the actors\r\neventually split the payload and only equipped the first stage of the main backdoor with essential functions:\r\nenumeration of the victim’s machine and execution of the next stage payloads received from the C\u0026C server.\r\nThe full version of the SPINNER backdoor contains the following capabilities:\r\nCollects information about the infected machine (enumerates disks, files).\r\nExfiltrates files from the infected machine and manipulates the local files.\r\nRuns OS commands and executes downloaded payloads, as part of typical backdoor capabilities.\r\nBelow is the full list of supported commands:\r\n Command ID | Command Description | Arguments | Output\r\n 0x10040001 | Enumerate disk drives | None | Logical drive strings and their drive types.\r\n 0x10040002 | Enumerate files in a directory | Directory name | For every file in the specified directory: filename, 0/1 (directory or not), file size, last_write_time. Output format: “%s\\t%s\\t%lld\\t%d.%d.%d %d:%d:%d”\r\n 0x10040003 | Create directory | Directory name | Return value\r\n 0x10040004 | Rename file | Original file name and new file name (separated by ‘\\t’) | Return value\r\n 0x10040005 | Delete file | File name | Return value\r\n 0x10040006 | Copy file | Original file name and new file name (separated by ‘\\t’) | Return value\r\n 0x10040007 | Move file | Original file name and new file name (separated by ‘\\t’) | Return value\r\n 0x10040008 | Read file data (max file size = 0xA00000) | File name | File content\r\n 0x10040009 | Write to file | A struct that contains: file name, file name size, content to write, content size | Return value\r\n 0x10050001 | Run command using cmd.exe | Command line | Output from command line\r\n 0x10010001 | Send user info (same as the first message to C\u0026C) | None | Bot ID (saved to and retrieved from the version.dll file), computer name, host info, x86/x64, user name, sleep time, process ID\r\n 0x10000002 | Update sleep time | New sleep time | Return value\r\n 0x10000003 | Do nothing | |\r\n 0x10030001 | Self-delete and exit process (create and run a file named a.bat with the content “ping 127.0.0.1 \u0026\u0026del /q *\\r\\n”); also delete persistence from the Run registry key | None | None\r\nThe communication protocol between the SPINNER backdoor and the C\u0026C server didn’t change from one\r\nversion to the next.\r\nCampaign TTPs evolution\r\nIn less than a year, the actors significantly improved the infection chain and made it more complex. All the\r\nfunctionality from the old campaign was preserved, but it was split between multiple components, making it harder\r\nto analyze or detect each stage. Here are some examples of the split components:\r\nThe EXE dropper functionality is split between a malicious document and the loader. It’s a reasonable\r\nadjustment, as an executable, even one that masquerades as a document, might raise a lot more suspicion\r\nthan a carefully crafted document.\r\nAdding more functionality to the DLL loader. 
Interestingly, the actors chose not to add more exported\r\nfunctions to the DLL, but to handle different call reasons in DllMain, making some parts of the malicious code\r\nrun stealthily in the background when the document is closed.\r\nAlthough the loader contains some anti-analysis and evasion techniques, such as the use of shellcode and\r\ndynamic API resolving using hashes, in the latest campaign the actors added significant improvements by\r\nsupplementing the SPINNER backdoor with complex compiler-level obfuscations.\r\nIn addition to the complex obfuscations, the SPINNER backdoor was reduced to only basic functionality.\r\nThis was likely done to increase the malware’s stealth and evasion.\r\nAttribution\r\nSPINNER backdoor\r\nAs with any unknown malware sample, the SPINNER loader and backdoor analysis required CPR to determine\r\nwhether it was a known malware sample or an entirely new malware family. At first glance, the payload looked\r\nsimilar to the PlugX/Hodur malware described by ESET in a recently published report on Chinese APT Mustang\r\nPanda. The first similarity is in the ID numbering of C\u0026C commands: both malware families use 2 bytes to specify the\r\ncommand category and 2 bytes for a specific command from this category. For example, the command\r\n0x10010001 is used in the SPINNER variant to send the system information data, while Hodur malware uses the\r\ncommand group 0x1001 and command ID 0x1001 for the same action.\r\nIn addition, some of the commands themselves overlap between the samples, such as those that list the logical\r\ndrives, get detailed information about the files in a directory, or execute commands using cmd.exe. These\r\nfunctionalities are not unique and can usually be found in many backdoors. In this case, the two malware families share an\r\neven greater and more surprising similarity. 
After opening the Hodur PlugX variant in the disassembler, it became\r\napparent that Hodur — like SPINNER — was heavily obfuscated using Control Flow Flattening (CFF). However,\r\nHodur’s CFF is different from SPINNER’s. Hodur’s CFF relies on a dispatcher that uses a certain register to\r\ndecide which code block to jump to next, while in SPINNER the register is used as-is without any manipulation.\r\nIn the PlugX variant, additional arithmetic operations are used on the register before it is checked by the\r\ndispatcher. To complete the obfuscation comparison, Hodur heavily obfuscates its API calls and strings, a step\r\nwhich is absent in SPINNER.\r\nFigure 13: Control flow flattening used in SPINNER variant (on the left) vs control flow flattening with arithmetic\r\noperations on the CFF register used in the Hodur variant (on the right).\r\nIn terms of implementation, the malware samples are entirely different. Hodur is a multithreaded Windows\r\nDesktop application and communicates with the C\u0026C through multiple threads, each with its own purpose, while\r\nSPINNER is a single-threaded Console application. Hodur’s enumeration method is more extensive than\r\nSPINNER’s, but it does not use a Bot ID which identifies a specific infected machine. The self-delete function in\r\nHodur might be similar in its logic to SPINNER, but it uses a completely different set of commands to delete itself\r\nand its associated files. 
Hodur’s communication logic with the C\u0026C is more complex, drawn from different parts\r\nof the code and from multiple threads, while SPINNER has only one function that handles the commands.\r\nWhile the differences indicate these malware belong to different families, they share “best practices” similarities.\r\nHere are some examples of their similarities:\r\nBoth use WS2_32 functions to retrieve the local computer IPv4 address\r\nBoth enumerate files in certain directories, looking for specific data such as the last\r\naccess time\r\nBoth enumerate the disk drives, searching thumb drives for interesting data\r\nBoth execute commands from the C\u0026C through cmd.exe using a pipe, etc.\r\nIt can be argued that those are just common techniques used by all backdoors, but it is not unlikely that these tools\r\nmight have the same upstream source and therefore share many best practices and methods.\r\nChinese-based activity\r\nThe Tactics, Techniques, and Procedures (TTPs) of this operation enabled us to attribute it to Chinese APT\r\nactivity. In general, Chinese groups are known to reuse and share tools between them. Without enough strong\r\nevidence, such as infrastructure-based connections, we couldn’t directly attribute this activity with high\r\nconfidence to any specific Chinese threat actor. 
However, the Twisted Panda campaign bears multiple overlaps\r\nwith advanced and long-standing Chinese cyberespionage actors:\r\nThe control-flow obfuscations observed in SPINNER were previously used by the Chinese group APT10\r\nand reappeared in a recent Mustang Panda espionage campaign:\r\nFigure 14: Control-flow obfuscations in MustangPanda sample (698d1ade6defa07fb4e4c12a19ca309957fb9c40).\r\nAPT group Mustang Panda was observed exploiting the invasion of Ukraine to target Russian entities\r\naround the same time as Twisted Panda.\r\nThe infection flow relying on DLL side-loading is a favorite evasion technique used by multiple Chinese\r\nactors. Examples include the infamous PlugX malware (and its multiple variants, including the\r\naforementioned Mustang Panda’s Hodur samples), the recently published APT10 global espionage\r\ncampaign that used the VLC player for side-loading, and other APT10 campaigns.\r\nIn addition to the similarities between SPINNER and Hodur that we previously mentioned, other practices\r\nlike multi-layer in-memory loaders based on shellcodes and PEs, especially combined with dynamic API\r\nresolution via hashes, are also a signature technique for many Chinese groups.\r\nThe victimology of the Twisted Panda campaign is consistent with Chinese long-term interests.\r\nTargets\r\nThe defense research institutes that we identified as targets of this attack belong to a holding company within the\r\nRussian state-owned defense conglomerate Rostec Corporation. It is Russia’s largest holding company in the\r\nradio-electronics industry and the specific targeted research institutes’ primary focus is the development and\r\nmanufacturing of electronic warfare systems, military-specialized onboard radio-electronic equipment, air-based\r\nradar stations and means of state identification. 
The research entities are also involved in avionics systems for civil\r\naviation, and in the development of a variety of civil products such as medical equipment and control systems for the energy,\r\ntransportation, and engineering industries.\r\nThe Made in China 2025 plan defines objectives for China to become a major technological and economic power,\r\nand also identifies the sectors in which it must become a world leader, including robotics, medical equipment, and\r\naviation. To support that, China’s five-year plan for the years 2021-2025 outlines a steady increase in R\u0026D\r\nbudgets each year in order to expand China’s scientific and technical capabilities. However, multiple reports – not only\r\nfrom the United States but also from other countries, including Russia, which is considered China’s strategic partner – reveal\r\nthat alongside overt relations and measures, China employs covert tools to gather information, thus combining\r\npartnerships with diverse espionage activity. Together with the previous reports of Chinese APT groups\r\nconducting their espionage operations against the Russian defense and governmental sector, the Twisted Panda\r\ncampaign described in this research might serve as more evidence of the use of espionage in a systematic and\r\nlong-term effort to achieve Chinese strategic objectives in technological superiority and military power.\r\nSummary\r\nIn this report, CPR researchers have described and exposed a Chinese espionage operation named Twisted Panda\r\nwhich targets defense research institutes in Russia and possibly also in Belarus. This campaign relies on social\r\nengineering techniques and exploits recently imposed sanctions on Russia to deliver a previously undocumented\r\nbackdoor called SPINNER to specific targets. 
The purpose of the backdoor and the operation is likely to collect\r\ninformation from targets inside the high-tech Russian defense industry to support China in its technological\r\nadvancement.\r\nAs a part of this investigation, we uncovered the previous wave of this campaign, also likely targeting Russian or\r\nRussia-related entities, active since at least June 2021. The evolution of the tools and techniques throughout this\r\ntime period indicates that the actors behind the campaign are persistent in achieving their goals in a stealthy\r\nmanner. In addition, the Twisted Panda campaign shows once again how quickly Chinese espionage actors adapt\r\nand adjust to world events, using the most relevant and up-to-date lures to maximize their chances of success.\r\nTo help track and research the Twisted Panda campaign, see Appendix A for relevant Yara rules for all the major\r\ncomponents of this attack.\r\nIOCs\r\nAppendix A – YARA rules\r\nrule apt_CN_TwistedPanda_loader {\r\nmeta:\r\nauthor = \"Check Point Research\"\r\ndescription = \"Detect loader used by TwistedPanda\"\r\ndate = \"2022-04-14\"\r\nhash = \"5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0\"\r\nhash = \"efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198\"\r\nstrings:\r\n// 6A 40 push 40h ; '@'\r\n// 68 00 30 00 00 push 3000h\r\n$seq1 = { 6A 40 68 00 30 00 00 }\r\n// 6A 00 push 0 ; lpOverlapped\r\n// 50 push eax ; lpNumberOfBytesRead\r\n// 6A 14 push 14h ; nNumberOfBytesToRead\r\n// 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer]\r\n// 50 push eax ; lpBuffer\r\n// 53 push ebx ; hFile\r\n// FF 15 04 D0 4C 70 call ds:ReadFile\r\n$seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }\r\n// 6A 00 push 0\r\n// 6A 00 push 0\r\n// 6A 03 push 3\r\n// 6A 00 push 0\r\n// 6A 03 push 3\r\n// 68 00 00 00 80 push 80000000h\r\n$seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }\r\n// Decryption sequence\r\n$decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }\r\ncondition:\r\n// MZ signature at offset 0 and ...\r\nuint16(0) == 0x5A4D and\r\n// ... 
PE signature at offset stored in MZ header at 0x3C\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize \u003c 3000KB and all of ($seq*) and $decryption\r\n}\r\nrule apt_CN_TwistedPanda_SPINNER_1 {\r\nmeta:\r\nauthor = \"Check Point Research\"\r\ndescription = \"Detect the obfuscated variant of SPINNER payload used by TwistedPanda\"\r\ndate = \"2022-04-14\"\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 23 of 34\n\nhash = \"a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81\"\r\nstrings:\r\n// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??\r\n// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??\r\n// C6 mov byte ptr [eax], 0\r\n$config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }\r\n$c2_cmd_1 = { 01 00 03 10}\r\n$c2_cmd_2 = { 02 00 01 10}\r\n$c2_cmd_3 = { 01 00 01 10}\r\n// 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx]\r\n// 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h\r\n// 89 F1 mov ecx, esi ; this\r\n// 6A 01 push 1 ; Size\r\n// 50 push eax ; Src\r\n// E8 ?? ?? ?? ?? call str_append\r\n// 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h\r\n$decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }\r\ncondition:\r\n// MZ signature at offset 0 and ...\r\nuint16(0) == 0x5A4D and\r\n// ... PE signature at offset stored in MZ header at 0x3C\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize \u003c 3000KB and #config_init \u003e 10 and 2 of ($c2_cmd_*) and $decryption\r\n}\r\nrule apt_CN_TwistedPanda_SPINNER_2 {\r\nmeta:\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 24 of 34\n\nauthor = \"Check Point Research\"\r\ndescription = \"Detect an older variant of SPINNER payload used by TwistedPanda\"\r\ndate = \"2022-04-14\"\r\nhash = \"28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8\"\r\nstrings:\r\n// C7 ?? ?? ?? 
00 00 00 mov dword ptr [eax+??], ??\r\n// C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??\r\n// C6 mov byte ptr [eax], 0\r\n$config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }\r\n$c2_cmd_1 = { 01 00 03 10 }\r\n$c2_cmd_2 = { 02 00 01 10 }\r\n$c2_cmd_3 = { 01 00 01 10 }\r\n$c2_cmd_4 = { 01 00 00 10 }\r\n$c2_cmd_5 = { 02 00 00 10 }\r\n// 80 B3 ?? ?? ?? ?? ?? xor ds:dd_encrypted_url[ebx], 50h\r\n// 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx]\r\n// 8B 56 14 mov edx, [esi+14h]\r\n// 8B C2 mov eax, edx\r\n// 8B 4E 10 mov ecx, [esi+10h]\r\n// 2B C1 sub eax, ecx\r\n// 83 F8 01 cmp eax, 1\r\n$decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }\r\ncondition:\r\n// MZ signature at offset 0 and ...\r\nuint16(0) == 0x5A4D and\r\n// ... PE signature at offset stored in MZ header at 0x3C\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 25 of 34\n\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize \u003c 3000KB and #config_init \u003e 10 and 2 of ($c2_cmd_*) and $decryption\r\n}\r\nrule apt_CN_TwistedPanda_64bit_Loader {\r\nmeta:\r\nauthor = \"Check Point Research\"\r\ndescription = \"Detect the 64bit Loader DLL used by TwistedPanda\"\r\ndate = \"2022-04-14\"\r\nhash = \"e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f\"\r\nstrings:\r\n// 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]\r\n// 48 8B C1 mov rax, rcx\r\n// 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h\r\n// 72 ?? jb short loc_7FFDF0BA1B48\r\n$path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }\r\n// 48 8B D0 mov rdx, rax ; lpBuffer\r\n// 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead\r\n// 48 8B CF mov rcx, rdi ; hFile\r\n// 48 8B D8 mov rbx, rax\r\n// FF ?? ?? ?? ?? 
call cs:ReadFile\r\n$shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}\r\n// BA F0 16 00 00 mov edx, 16F0h ; dwSize\r\n// 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect\r\n// 33 C9 xor ecx, ecx ; lpAddress\r\n// 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType\r\n// FF ?? ?? ?? ?? ?? call cs:VirtualAlloc\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 26 of 34\n\n$shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }\r\ncondition:\r\n// MZ signature at offset 0 and ...\r\nuint16(0) == 0x5A4D and\r\n// ... PE signature at offset stored in MZ header at 0x3C\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize \u003c 3000KB and $path_check and $shellcode_allocate and $shellcode_read\r\n}\r\nrule apt_CN_TwistedPanda_droppers {\r\nmeta:\r\nauthor = \"Check Point Research\"\r\ndescription = \"Detect droppers used by TwistedPanda\"\r\ndate = \"2022-04-14\"\r\nhash = \"59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291\"\r\nhash = \"8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248\"\r\nhash = \"f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66\"\r\nstrings:\r\n// 81 FA ?? ?? ?? ?? cmp edx, 4BED1896h\r\n// 75 ?? jnz short loc_140001829\r\n// E8 ?? ?? ?? ?? call sub_1400019D0\r\n// 48 89 05 ?? ?? ?? ?? mov cs:qword_14001ED38, rax\r\n// E? ?? ?? ?? ?? jmp loc_1400018DD\r\n$switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }\r\n// 41 0F ?? ?? movsx edx, byte ptr [r9]\r\n// 44 ?? ?? or r8d, edx\r\n// 41 ?? ?? 03 rol r8d, 3\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 27 of 34\n\n// 41 81 ?? ?? ?? ?? ?? xor r8d, 0EF112233h\r\n// 41 ?? ?? 
mov eax, r10d\r\n$byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }\r\n// %public%\r\n$stack_strings_1 = { 25 00 70 00 }\r\n$stack_strings_2 = { 75 00 62 00 }\r\n$stack_strings_3 = { 6C 00 69 00 }\r\n$stack_strings_4 = { 63 00 25 00 }\r\ncondition:\r\n// MZ signature at offset 0 and ...\r\nuint16(0) == 0x5A4D and\r\n// ... PE signature at offset stored in MZ header at 0x3C\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize \u003c 3000KB and #switch_control \u003e 8 and all of ($stack_strings_*) and $byte_manipulation\r\n}\r\nrule apt_CN_TwistedPanda_loader { meta: author = \"Check Point Research\" description = \"Detect loader used by\r\nTwistedPanda\" date = \"2022-04-14\" hash =\r\n\"5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0\" hash =\r\n\"efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198\" strings: // 6A 40 push 40h ; '@' //\r\n68 00 30 00 00 push 3000h $seq1 = { 6A 40 68 00 30 00 00 } // 6A 00 push 0 ; lpOverlapped // 50 push eax ;\r\nlpNumberOfBytesRead // 6A 14 push 14h ; nNumberOfBytesToRead // 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer] //\r\n50 push eax ; lpBuffer // 53 push ebx ; hFile // FF 15 04 D0 4C 70 call ds:ReadFile $seq2 = { 6A 00 50 6A 14 8D\r\n?? ?? ?? ?? ?? 50 53 FF } // 6A 00 push 0 // 6A 00 push 0 // 6A 03 push 3 // 6A 00 push 0 // 6A 03 push 3 // 68 00\r\n00 00 80 push 80000000h $seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 } // Decryption sequence\r\n$decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? } condition: // MZ signature at offset 0 and ...\r\nuint16(0) == 0x5A4D and // ... 
PE signature at offset stored in MZ header at 0x3C uint32(uint32(0x3C)) ==\r\n0x00004550 and filesize \u003c 3000KB and all of ($seq*) and $decryption } rule\r\napt_CN_TwistedPanda_SPINNER_1 { meta: author = \"Check Point Research\" description = \"Detect the\r\nobfuscated variant of SPINNER payload used by TwistedPanda\" date = \"2022-04-14\" hash =\r\n\"a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81\" strings: // C7 ?? ?? ?? 00 00 00\r\nmov dword ptr [eax+??], ?? // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ?? // C6 mov byte ptr [eax], 0\r\n$config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 } $c2_cmd_1 = { 01 00 03 10} $c2_cmd_2 = { 02\r\n00 01 10} $c2_cmd_3 = { 01 00 01 10} // 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx] // 80 B3 ?? ?? ?? ?? ?? xor\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 28 of 34\n\nxor_key[ebx], 50h // 89 F1 mov ecx, esi ; this // 6A 01 push 1 ; Size // 50 push eax ; Src // E8 ?? ?? ?? ?? call\r\nstr_append // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h $decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8\r\n[4] 80 B3 } condition: // MZ signature at offset 0 and ... uint16(0) == 0x5A4D and // ... PE signature at offset\r\nstored in MZ header at 0x3C uint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 3000KB and #config_init \u003e 10\r\nand 2 of ($c2_cmd_*) and $decryption } rule apt_CN_TwistedPanda_SPINNER_2 { meta: author = \"Check Point\r\nResearch\" description = \"Detect an older variant of SPINNER payload used by TwistedPanda\" date = \"2022-04-\r\n14\" hash = \"28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8\" strings: // C7 ?? ?? ??\r\n00 00 00 mov dword ptr [eax+??], ?? // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ?? 
// C6 mov byte ptr [eax],\r\n0 $config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 } $c2_cmd_1 = { 01 00 03 10 } $c2_cmd_2 = { 02 00 01\r\n10 } $c2_cmd_3 = { 01 00 01 10 } $c2_cmd_4 = { 01 00 00 10 } $c2_cmd_5 = { 02 00 00 10 } // 80 B3 ?? ?? ??\r\n?? ?? xor ds:dd_encrypted_url[ebx], 50h // 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx] // 8B 56 14 mov edx,\r\n[esi+14h] // 8B C2 mov eax, edx // 8B 4E 10 mov ecx, [esi+10h] // 2B C1 sub eax, ecx // 83 F8 01 cmp eax, 1\r\n$decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 } condition: // MZ signature at\r\noffset 0 and ... uint16(0) == 0x5A4D and // ... PE signature at offset stored in MZ header at 0x3C\r\nuint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 3000KB and #config_init \u003e 10 and 2 of ($c2_cmd_*) and\r\n$decryption } rule apt_CN_TwistedPanda_64bit_Loader { meta: author = \"Check Point Research\" description =\r\n\"Detect the 64bit Loader DLL used by TwistedPanda\" date = \"2022-04-14\" hash =\r\n\"e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f\" strings: // 48 8D ?? ?? ?? ?? ?? ??\r\n?? lea rdx, ds:2[rdx*2] // 48 8B C1 mov rax, rcx // 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h // 72 ?? jb short\r\nloc_7FFDF0BA1B48 $path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 } // 48 8B D0 mov rdx, rax ; lpBuffer // 41\r\nB8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead // 48 8B CF mov rcx, rdi ; hFile // 48 8B D8 mov rbx,\r\nrax // FF ?? ?? ?? ?? call cs:ReadFile $shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF} //\r\nBA F0 16 00 00 mov edx, 16F0h ; dwSize // 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect // 33 C9 xor ecx, ecx ;\r\nlpAddress // 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType // FF ?? ?? ?? ?? ?? call cs:VirtualAlloc\r\n$shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF } condition: // MZ signature at\r\noffset 0 and ... uint16(0) == 0x5A4D and // ... 
PE signature at offset stored in MZ header at 0x3C\r\nuint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 3000KB and $path_check and $shellcode_allocate and\r\n$shellcode_read } rule apt_CN_TwistedPanda_droppers { meta: author = \"Check Point Research\" description =\r\n\"Detect droppers used by TwistedPanda\" date = \"2022-04-14\" hash =\r\n\"59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291\" hash =\r\n\"8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248\" hash =\r\n\"f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66\" strings: // 81 FA ?? ?? ?? ?? cmp\r\nedx, 4BED1896h // 75 ?? jnz short loc_140001829 // E8 ?? ?? ?? ?? call sub_1400019D0 // 48 89 05 ?? ?? ?? ??\r\nmov cs:qword_14001ED38, rax // E? ?? ?? ?? ?? jmp loc_1400018DD $switch_control = { 81 FA [4] 75 ?? E8 [4]\r\n48 89 05 [4] E? } // 41 0F ?? ?? movsx edx, byte ptr [r9] // 44 ?? ?? or r8d, edx // 41 ?? ?? 03 rol r8d, 3 // 41 81 ??\r\n?? ?? ?? ?? xor r8d, 0EF112233h // 41 ?? ?? mov eax, r10d $byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41\r\n81 [5] 41 } // %public% $stack_strings_1 = { 25 00 70 00 } $stack_strings_2 = { 75 00 62 00 } $stack_strings_3 =\r\n{ 6C 00 69 00 } $stack_strings_4 = { 63 00 25 00 } condition: // MZ signature at offset 0 and ... uint16(0) ==\r\n0x5A4D and // ... 
PE signature at offset stored in MZ header at 0x3C uint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize \u003c 3000KB and #switch_control \u003e 8 and all of ($stack_strings_*) and $byte_manipulation }\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 29 of 34\n\nrule apt_CN_TwistedPanda_loader {\r\n meta:\r\n author = \"Check Point Research\"\r\n description = \"Detect loader used by TwistedPanda\"\r\n date = \"2022-04-14\"\r\n hash = \"5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0\"\r\n hash = \"efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198\"\r\n \r\n strings:\r\n \r\n // 6A 40 push 40h ; '@'\r\n // 68 00 30 00 00 push 3000h\r\n $seq1 = { 6A 40 68 00 30 00 00 }\r\n \r\n // 6A 00 push 0 ; lpOverlapped\r\n // 50 push eax ; lpNumberOfBytesRead\r\n // 6A 14 push 14h ; nNumberOfBytesToRead\r\n // 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer]\r\n // 50 push eax ; lpBuffer\r\n // 53 push ebx ; hFile\r\n // FF 15 04 D0 4C 70 call ds:ReadFile\r\n $seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }\r\n // 6A 00 push 0\r\n // 6A 00 push 0\r\n // 6A 03 push 3\r\n // 6A 00 push 0\r\n // 6A 03 push 3\r\n // 68 00 00 00 80 push 80000000h\r\n $seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }\r\n \r\n // Decryption sequence\r\n $decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }\r\n \r\n condition:\r\n // MZ signature at offset 0 and ...\r\n uint16(0) == 0x5A4D and\r\n \r\n // ... 
PE signature at offset stored in MZ header at 0x3C\r\n uint32(uint32(0x3C)) == 0x00004550 and\r\n filesize \u003c 3000KB and all of ($seq*) and $decryption\r\n}\r\nrule apt_CN_TwistedPanda_SPINNER_1 {\r\n meta:\r\n author = \"Check Point Research\"\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 30 of 34\n\ndescription = \"Detect the obfuscated variant of SPINNER payload used by TwistedPanda\"\r\n date = \"2022-04-14\"\r\n hash = \"a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81\"\r\n \r\n strings:\r\n // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??\r\n // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??\r\n // C6 mov byte ptr [eax], 0\r\n $config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }\r\n $c2_cmd_1 = { 01 00 03 10}\r\n $c2_cmd_2 = { 02 00 01 10}\r\n $c2_cmd_3 = { 01 00 01 10}\r\n // 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx]\r\n // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h\r\n // 89 F1 mov ecx, esi ; this\r\n // 6A 01 push 1 ; Size\r\n // 50 push eax ; Src\r\n // E8 ?? ?? ?? ?? call str_append\r\n // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h\r\n $decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }\r\n \r\n condition:\r\n // MZ signature at offset 0 and ...\r\n uint16(0) == 0x5A4D and\r\n \r\n // ... PE signature at offset stored in MZ header at 0x3C\r\n uint32(uint32(0x3C)) == 0x00004550 and\r\n filesize \u003c 3000KB and #config_init \u003e 10 and 2 of ($c2_cmd_*) and $decryption\r\n}\r\nrule apt_CN_TwistedPanda_SPINNER_2 {\r\n meta:\r\n author = \"Check Point Research\"\r\n description = \"Detect an older variant of SPINNER payload used by TwistedPanda\"\r\n date = \"2022-04-14\"\r\n hash = \"28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8\"\r\n \r\n strings:\r\n // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??\r\n // C7 ?? ?? ?? 
00 00 00 mov dword ptr [eax+??], ??\r\n // C6 mov byte ptr [eax], 0\r\n $config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }\r\n $c2_cmd_1 = { 01 00 03 10 }\r\n $c2_cmd_2 = { 02 00 01 10 }\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 31 of 34\n\n$c2_cmd_3 = { 01 00 01 10 }\r\n $c2_cmd_4 = { 01 00 00 10 }\r\n $c2_cmd_5 = { 02 00 00 10 }\r\n // 80 B3 ?? ?? ?? ?? ?? xor ds:dd_encrypted_url[ebx], 50h\r\n // 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx]\r\n // 8B 56 14 mov edx, [esi+14h]\r\n // 8B C2 mov eax, edx\r\n // 8B 4E 10 mov ecx, [esi+10h]\r\n // 2B C1 sub eax, ecx\r\n // 83 F8 01 cmp eax, 1\r\n $decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }\r\n \r\n condition:\r\n // MZ signature at offset 0 and ...\r\n uint16(0) == 0x5A4D and\r\n \r\n // ... PE signature at offset stored in MZ header at 0x3C\r\n uint32(uint32(0x3C)) == 0x00004550 and\r\n filesize \u003c 3000KB and #config_init \u003e 10 and 2 of ($c2_cmd_*) and $decryption\r\n}\r\nrule apt_CN_TwistedPanda_64bit_Loader {\r\n meta:\r\n author = \"Check Point Research\"\r\n description = \"Detect the 64bit Loader DLL used by TwistedPanda\"\r\n date = \"2022-04-14\"\r\n hash = \"e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f\"\r\n \r\n strings:\r\n // 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]\r\n // 48 8B C1 mov rax, rcx\r\n // 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h\r\n // 72 ?? jb short loc_7FFDF0BA1B48\r\n $path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }\r\n // 48 8B D0 mov rdx, rax ; lpBuffer\r\n // 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead\r\n // 48 8B CF mov rcx, rdi ; hFile\r\n // 48 8B D8 mov rbx, rax\r\n // FF ?? ?? ?? ?? 
call cs:ReadFile\r\n $shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}\r\n // BA F0 16 00 00 mov edx, 16F0h ; dwSize\r\n // 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect\r\n // 33 C9 xor ecx, ecx ; lpAddress\r\n // 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 32 of 34\n\n// FF ?? ?? ?? ?? ?? call cs:VirtualAlloc\r\n $shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }\r\n condition:\r\n // MZ signature at offset 0 and ...\r\n uint16(0) == 0x5A4D and\r\n \r\n // ... PE signature at offset stored in MZ header at 0x3C\r\n uint32(uint32(0x3C)) == 0x00004550 and\r\n filesize \u003c 3000KB and $path_check and $shellcode_allocate and $shellcode_read\r\n}\r\nrule apt_CN_TwistedPanda_droppers {\r\n meta:\r\n author = \"Check Point Research\"\r\n description = \"Detect droppers used by TwistedPanda\"\r\n date = \"2022-04-14\"\r\n hash = \"59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291\"\r\n hash = \"8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248\"\r\n hash = \"f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66\"\r\n \r\n strings:\r\n // 81 FA ?? ?? ?? ?? cmp edx, 4BED1896h\r\n // 75 ?? jnz short loc_140001829\r\n // E8 ?? ?? ?? ?? call sub_1400019D0\r\n // 48 89 05 ?? ?? ?? ?? mov cs:qword_14001ED38, rax\r\n // E? ?? ?? ?? ?? jmp loc_1400018DD\r\n $switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }\r\n // 41 0F ?? ?? movsx edx, byte ptr [r9]\r\n // 44 ?? ?? or r8d, edx\r\n // 41 ?? ?? 03 rol r8d, 3\r\n // 41 81 ?? ?? ?? ?? ?? xor r8d, 0EF112233h\r\n // 41 ?? ?? 
mov eax, r10d\r\n $byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }\r\n // %public%\r\n $stack_strings_1 = { 25 00 70 00 }\r\n $stack_strings_2 = { 75 00 62 00 }\r\n $stack_strings_3 = { 6C 00 69 00 }\r\n $stack_strings_4 = { 63 00 25 00 }\r\n condition:\r\n // MZ signature at offset 0 and ...\r\n uint16(0) == 0x5A4D and\r\n \r\n // ... PE signature at offset stored in MZ header at 0x3C\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 33 of 34\n\nuint32(uint32(0x3C)) == 0x00004550 and\r\n filesize \u003c 3000KB and #switch_control \u003e 8 and all of ($stack_strings_*) and $byte_manipulation\r\n}\r\nSource: https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nhttps://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/\r\nPage 34 of 34\n\n https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/       \nxor_key[ebx], 50h // 89 F1 mov ecx, esi ; this // 6A 01 push 1 ; Size // 50 push eax ; Src // E8 ?? ?? ?? ?? call \nstr_append // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx],  50h $decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8\n[4] 80 B3 } condition: // MZ signature at offset 0 and ... uint16(0) == 0x5A4D and // ... PE signature at offset \nstored in MZ header at 0x3C uint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 3000KB and #config_init \u003e 10\nand 2 of ($c2_cmd_*) and $decryption } rule apt_CN_TwistedPanda_SPINNER_2   { meta: author = \"Check Point\nResearch\" description = \"Detect an older variant of SPINNER payload used by TwistedPanda\"  date = \"2022-04- \n14\" hash = \"28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8\"      strings: // C7 ?? ?? ??\n00 00 00 mov dword ptr [eax+??], ?? // C7 ?? ?? ?? 
00 00 00 mov dword ptr [eax+??], ?? // C6 mov byte ptr [eax],\n0 $config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 } $c2_cmd_1 = { 01 00 03 10 } $c2_cmd_2 = { 02 00 01\n10 } $c2_cmd_3 = { 01 00 01 10 } $c2_cmd_4 = { 01 00 00 10 } $c2_cmd_5 = { 02 00 00 10 } // 80 B3 ?? ?? ??\n?? ?? xor ds:dd_encrypted_url[ebx],  50h // 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx] // 8B 56 14 mov edx,\n[esi+14h] // 8B C2 mov eax, edx // 8B 4E 10 mov ecx, [esi+10h] // 2B C1 sub eax, ecx // 83 F8 01 cmp eax, 1\n$decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 } condition: // MZ signature at\noffset 0 and ... uint16(0) == 0x5A4D and // ... PE signature at offset stored in MZ header at 0x3C  \nuint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 3000KB and #config_init \u003e 10 and 2 of ($c2_cmd_*)  and\n$decryption } rule apt_CN_TwistedPanda_64bit_Loader   { meta: author = \"Check Point Research\" description =\n\"Detect the 64bit Loader DLL used by TwistedPanda\"  date = \"2022-04-14\" hash =   \n\"e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f\"     strings: // 48 8D ?? ?? ?? ?? ?? ??\n?? lea rdx, ds:2[rdx*2] // 48 8B C1 mov rax, rcx // 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h // 72 ?? jb short \nloc_7FFDF0BA1B48 $path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 } // 48 8B D0 mov rdx, rax ; lpBuffer // 41\nB8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead  // 48 8B CF mov rcx, rdi ; hFile // 48 8B D8 mov rbx,\nrax // FF ?? ?? ?? ?? call cs:ReadFile $shellcode_read  = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF} //\nBA F0 16 00 00 mov edx, 16F0h ; dwSize // 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect // 33 C9 xor ecx, ecx ;\nlpAddress // 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType  // FF ?? ?? ?? ?? ?? call cs:VirtualAlloc  \n$shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF } condition: // MZ signature at\noffset 0 and ... uint16(0) == 0x5A4D and // ... 
PE signature at offset stored in MZ header at 0x3C  \nuint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 3000KB and $path_check and $shellcode_allocate and \n$shellcode_read } rule apt_CN_TwistedPanda_droppers   { meta: author = \"Check Point Research\" description =\n\"Detect droppers used by TwistedPanda\"  date = \"2022-04-14\" hash =   \n\"59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291\"     hash =  \n\"8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248\"     hash =  \n\"f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66\"     strings: // 81 FA ?? ?? ?? ?? cmp\nedx, 4BED1896h // 75 ?? jnz short loc_140001829 // E8 ?? ?? ?? ?? call sub_1400019D0 // 48 89 05 ?? ?? ?? ??\nmov cs:qword_14001ED38,  rax // E? ?? ?? ?? ?? jmp loc_1400018DD $switch_control = { 81 FA [4] 75 ?? E8 [4]\n48 89 05 [4] E? } // 41 0F ?? ?? movsx edx, byte ptr [r9] // 44 ?? ?? or r8d, edx // 41 ?? ?? 03 rol r8d, 3 // 41 81 ??\n?? ?? ?? ?? xor r8d, 0EF112233h // 41 ?? ?? mov eax, r10d $byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41\n81 [5] 41 } // %public% $stack_strings_1  = { 25 00 70 00 } $stack_strings_2 = { 75 00 62 00 } $stack_strings_3 =\n{ 6C 00 69 00 } $stack_strings_4 = { 63 00 25 00 } condition: // MZ signature at offset 0 and ... uint16(0) ==\n0x5A4D and // ... PE signature at offset stored in MZ header at 0x3C uint32(uint32(0x3C)) == 0x00004550 and\nfilesize \u003c 3000KB and #switch_control \u003e 8 and all of ($stack_strings_*) and $byte_manipulation  } \n    Page 29 of 34",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
	],
	"report_names": [
		"twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes"
	],
	"threat_actors": [],
	"ts_created_at": 1776824349,
	"ts_updated_at": 1776824404,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b68421916f3de1fc79c3b903d55321070efa23d8.pdf",
		"text": "https://archive.orkl.eu/b68421916f3de1fc79c3b903d55321070efa23d8.txt",
		"img": "https://archive.orkl.eu/b68421916f3de1fc79c3b903d55321070efa23d8.jpg"
	}
}