{ "id": "da6ec3ed-5212-4715-bd79-7ec2fa4ff19b", "created_at": "2026-04-06T00:06:58.448889Z", "updated_at": "2026-04-10T03:37:36.750629Z", "deleted_at": null, "sha1_hash": "bc22c4cfb61575e352d6bf90f8fd106a241ad8e1", "title": "Rhetoric Foreshadows Cyber Activity in the South China Sea - crowdstrike.com", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 36577, "plain_text": "Rhetoric Foreshadows Cyber Activity in the South China Sea -\r\ncrowdstrike.com\r\nBy kozy\r\nArchived: 2026-04-05 15:32:59 UTC\r\nAs the increasingly aggressive rhetoric surrounding the conflict in the South China Sea (SCS) continues to\r\ndominate both Western and Chinese media headlines, multiple outlets and normally rational China-watchers seem\r\nto be focused on predicting the next policy miscalculation on either side. The outlooks posited appear to be getting\r\nprogressively hawkish as both the People’s Republic of China (PRC) and U.S. officials refuse to back down from\r\ntheir confrontational stances, which could be a long stand-off as the first Hague tribunal deciding if China’s nine-dash line is consistent with the UN Convention on the Law of the Sea (UNCLOS) does not start until July 2015.\r\nBut among the slew of U.S.-Sino relations’ experts dissecting every policy move, one modern yardstick of\r\nescalation seems to be mysteriously absent from the conversation: cyber reconnaissance. How quickly everyone\r\nseems to forget - just weeks ago, cyber security was one of the foremost topics in the media. Now the attention has\r\nturned to naval strategy and political posturing, ignoring the fact that, for developed world powers, military\r\ndoctrine is now inextricably linked with cyber capabilities. The world has previously witnessed the role joint\r\ncyber/kinetic warfare played in the 2008 Russo-Georgian conflict and more recently in the Russian-Ukrainian\r\nconflict, where cyber served as a means for kinetic disruption, dissemination of disinformation, and political\r\nsubversion.It would be a mistake to think that the PRC was not taking notes on the lessons learned through these\r\nmodern conflicts. According to sensitive source reporting, there have been several People’s Liberation Army\r\n(PLA) papers discussing such tactics and their effectiveness. Indeed the PRC has already recently used cyber\r\nreconnaissance as a precursor to other diplomatically sensitive strategic moves in the SCS. This includes the mid-2014 GOBLIN PANDA activity against the Vietnamese government during the HYSY-981 oilrig standoff.Around\r\nthe same time, the PRC’s efforts to quietly quell the Umbrella Revolution in Hong Kong bore fingerprints and\r\ntradecraft attributed to multiple PANDA groups, suggesting Beijing called several known groups off of their\r\nnormal targeting to address an issue of importance to the PRC government.Why should the present conflict be any\r\ndifferent? PRC-based actors such as PIRATE PANDA and LOTUS PANDA have already been observed\r\nincreasing their SCS-related targeting over the past 4-6 weeks, mostly against the Philippine\r\nmilitary.Reconnaissance and spear-phishing activity targeting U.S. and Australian military/defense forces would\r\nsignify a broader, more aggressive change to China’s strategy for enforcing its recent controversial SCS Air\r\nDefense Identification Zone (ADIZ) claims. No activity of this type has yet been observed, though given the\r\nfluidity of events over the past week, this is likely to change in the near future. Though China-based actors have\r\ntypically not demonstrated stealthy tradecraft against Western targets, the public disclosures over the past couple\r\nyears and the stakes of the present conflict may inspire slightly more awareness when targeting more advanced\r\nWestern military systems. Out of the adversaries recently observed as active in SCS-related targeting, GOBLIN\r\nPANDA’s absence is particularly noteworthy given that Vietnam is the other major claimant to the Spratly Islands,\r\nwhere the controversial island construction is taking place. As PIRATE and LOTUS PANDA have not been overly\r\ndiscreet about their recent targeting, it stands to reason that GOBLIN PANDA would not have improved its\r\ncapabilities enough in such a short time to be completely invisible, which suggests that GOBLIN PANDA may\r\nhttp://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/\r\nPage 1 of 2\n\nhave either changed tactics or has some other immediate focus at present time. Another measure of conflict\r\nescalation via cyber means would include increased activity from China’s patriotic hacker corps. These groups\r\nhave typically made up the third, less sophisticated, prong of PRC cyber forces, along with specialized military\r\nunits and civilian agencies like the Ministry of State Security (MSS) and Ministry of Public Security (MPS).As\r\npart of PRC militarized posturing, domestic services helping to control and regulate China’s nationalistic hackers,\r\nsuch as the MPS, generally relax their monitoring during times of conflict. This was first observed during the brief\r\nU.S.-China hacker war after the Hainan Island incident in 2001, when China’s patriotic hacker movement was at\r\nits peak.It occurred again in 2014 when the GOBLIN PANDAactivity was actually preceded by attacks and\r\ndefacements of Vietnamesegovernment websites by the nationalistic 1937cn Team prior to beingreigned in after\r\ntheir involvement in the incident was made public. While it is always possible a severe miscalculation or military\r\nincident can cause the current situation to erupt into violent conflict, both the U.S. and China have stated that they\r\nseek a peaceful way to resolve the dispute. Both countries have measured responses for avoiding military conflict\r\nand will likely utilize them fully. Watching for changes to the cyber landscape in the SCS still presents one of the\r\nbest indications of intent, as it has become a reliable precursor to armed conflict, which now depends on gaining\r\ncomplete information advantage over the adversary. Stay vigilant, friends.\r\nSource: http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/\r\nhttp://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" ], "report_names": [ "rhetoric-foreshadows-cyber-activity-in-the-south-china-sea" ], "threat_actors": [ { "id": "f21d7691-a720-46bb-81d7-11edb9f73eba", "created_at": "2023-11-08T02:00:07.126478Z", "updated_at": "2026-04-10T02:00:03.420826Z", "deleted_at": null, "main_name": "1937CN", "aliases": [], "source_name": "MISPGALAXY:1937CN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "b69484be-98d1-49e6-aed1-a28dbf65176a", "created_at": "2022-10-25T16:07:23.886782Z", "updated_at": "2026-04-10T02:00:04.779029Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "G0019", "Hellsing", "ITG06", "Lotus Panda", "Naikon", "Operation CameraShy" ], "source_name": "ETDA:Naikon", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "AR", "ARL", "Agent.dhwf", "Aria-body", "Aria-body loader", "Asset Reconnaissance Lighthouse", "BackBend", "Creamsicle", "Custom HDoor", "Destroy RAT", "DestroyRAT", "Flashflood", "FoundCore", "Gemcutter", "HDoor", "JadeRAT", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LadonGo", "Lecna", "Living off the Land", "NBTscan", "Naikon", "NetEagle", "Neteagle_Scout", "NewCore RAT", "Orangeade", "PlugX", "Quarks PwDump", "RARSTONE", "RainyDay", "RedDelta", "RoyalRoad", "Sacto", "Sandboxie", "ScoutEagle", "Shipshape", "Sisfader", "Sisfader RAT", "Sogu", "SslMM", "Sys10", "TIGERPLUG", "TVT", "TeamViewer", "Thoper", "WinMM", "Xamtrav", "XsFunction", "ZRLnk", "nbtscan", "nokian", "norton", "xsControl", "xsPlus" ], "source_id": "ETDA", "reports": null }, { "id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc", "created_at": "2023-01-06T13:46:38.354607Z", "updated_at": "2026-04-10T02:00:02.939761Z", "deleted_at": null, "main_name": "APT23", "aliases": [ "BRONZE HOBART", "G0081", "Red Orthrus", "Earth Centaur", "PIRATE PANDA", "KeyBoy", "Tropic Trooper" ], "source_name": "MISPGALAXY:APT23", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bef7800a-a08f-4e21-b65c-4279c851e572", "created_at": "2022-10-25T15:50:23.409336Z", "updated_at": "2026-04-10T02:00:05.319608Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "Tropic Trooper", "Pirate Panda", "KeyBoy" ], "source_name": "MITRE:Tropic Trooper", "tools": [ "USBferry", "ShadowPad", "PoisonIvy", "BITSAdmin", "YAHOYAH", "KeyBoy" ], "source_id": "MITRE", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "c21da9ce-944f-4a37-8ce3-71a0f738af80", "created_at": "2025-08-07T02:03:24.586257Z", "updated_at": "2026-04-10T02:00:03.804264Z", "deleted_at": null, "main_name": "BRONZE ELGIN", "aliases": [ "CTG-8171 ", "Lotus Blossom ", "Lotus Panda ", "Lstudio", "Spring Dragon " ], "source_name": "Secureworks:BRONZE ELGIN", "tools": [ "Chrysalis", "Cobalt Strike", "Elise", "Emissary Trojan", "Lzari", "Meterpreter" ], "source_id": "Secureworks", "reports": null }, { "id": "87a20b72-ab72-402f-9013-c746c8458b0b", "created_at": "2023-01-06T13:46:38.293223Z", "updated_at": "2026-04-10T02:00:02.915184Z", "deleted_at": null, "main_name": "LOTUS PANDA", "aliases": [ "Red Salamander", "Lotus BLossom", "Billbug", "Spring Dragon", "ST Group", "BRONZE ELGIN", "ATK1", "G0030", "Lotus Blossom", "DRAGONFISH" ], "source_name": "MISPGALAXY:LOTUS PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724", "created_at": "2022-10-25T16:07:24.344358Z", "updated_at": "2026-04-10T02:00:04.947834Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "APT 23", "Bronze Hobart", "Earth Centaur", "G0081", "KeyBoy", "Operation Tropic Trooper", "Pirate Panda", "Tropic Trooper" ], "source_name": "ETDA:Tropic Trooper", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "ByPassGodzilla", "CHINACHOPPER", "CREDRIVER", "China Chopper", "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "KeyBoy", "Neo-reGeorg", "PCShare", "POISONPLUG.SHADOW", "Poison Ivy", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Swor", "TSSL", "USBferry", "W32/Seeav", "Winsloader", "XShellGhost", "Yahoyah", "fscan", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null }, { "id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea", "created_at": "2023-01-06T13:46:39.444946Z", "updated_at": "2026-04-10T02:00:03.331753Z", "deleted_at": null, "main_name": "GOBLIN PANDA", "aliases": [ "Conimes", "Cycldek" ], "source_name": "MISPGALAXY:GOBLIN PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39", "created_at": "2022-10-25T16:07:23.690871Z", "updated_at": "2026-04-10T02:00:04.709966Z", "deleted_at": null, "main_name": "Goblin Panda", "aliases": [ "1937CN", "Conimes", "Cycldek", "Goblin Panda" ], "source_name": "ETDA:Goblin Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "BackDoor-FBZT!52D84425CDF2", "BlueCore", "BrowsingHistoryView", "ChromePass", "CoreLoader", "Custom HDoor", "Destroy RAT", "DestroyRAT", "DropPhone", "FoundCore", "HDoor", "HTTPTunnel", "JsonCookies", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "NBTscan", "NewCore RAT", "PlugX", "ProcDump", "PsExec", "QCRat", "RainyDay", "RedCore", "RedDelta", "RoyalRoad", "Sisfader", "Sisfader RAT", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Win32.Staser.ytq", "USBCulprit", "Win32/Zegost.BW", "Xamtrav", "ZeGhost", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434018, "ts_updated_at": 1775792256, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bc22c4cfb61575e352d6bf90f8fd106a241ad8e1.pdf", "text": "https://archive.orkl.eu/bc22c4cfb61575e352d6bf90f8fd106a241ad8e1.txt", "img": "https://archive.orkl.eu/bc22c4cfb61575e352d6bf90f8fd106a241ad8e1.jpg" } }