{
	"id": "c83be733-91a4-4113-93ee-a41135fa9207",
	"created_at": "2026-04-06T00:16:46.935104Z",
	"updated_at": "2026-04-10T03:37:21.61714Z",
	"deleted_at": null,
	"sha1_hash": "bca1058e620ada77efb5a8c2bb90d17827e4b726",
	"title": "Emissary Panda Attacks Middle East Government SharePoint Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2729246,
	"plain_text": "Emissary Panda Attacks Middle East Government SharePoint Servers\r\nBy Robert Falcone, Tom Lancaster\r\nPublished: 2019-05-28 · Archived: 2026-04-05 17:36:49 UTC\r\nExecutive Summary\r\nIn April 2019, Unit 42 observed the Emissary Panda (AKA APT27, TG-3390, Bronze Union, Lucky Mouse) threat group\r\ninstalling webshells on SharePoint servers to compromise Government Organizations of two different countries in the\r\nMiddle East. We believe the adversary exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604, which is a remote code execution vulnerability used to compromise the server and eventually install a webshell.\r\nThe actors uploaded a variety of tools that they used to perform additional activities on the compromised network, such as\r\ndumping credentials, as well as locating and pivoting to additional systems on the network. Of particular note is their use of\r\ntools to identify systems vulnerable to CVE-2017-0144, which is the same vulnerability exploited by EternalBlue that is best\r\nknown for its use in the WannaCry attacks of 2017.\r\nThis activity appears related to campaigns exploiting CVE-2019-0604 mentioned in recent security alerts from Saudi\r\nArabian National Cyber Security Center and the Canadian Center for Cyber Security. In addition to the aforementioned post-exploitation tools, the actors used these webshells to upload legitimate executables that they would use DLL sideloading to\r\nrun a malicious DLL that has code overlaps with known Emissary Panda attacks. 
We also found the China Chopper webshell\r\non the SharePoint servers, which has also been used by the Emissary Panda threat group.\r\nIn this blog, we provide details of the tools and tactics we observed on these compromised SharePoint servers, explain how\r\nwe believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National\r\nCyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our\r\nresearch. You can find the Adversary Playbook for the activity detailed in this blog here.\r\nAttack Overview\r\nThis webshell activity took place across three SharePoint servers hosted by two different government organizations between\r\nApril 1, 2019 and April 16, 2019, where actors uploaded a total of 24 unique executables across the three SharePoint servers.\r\nFigure 1 shows a timeline of when the files were uploaded to the three webshells. The timeline shows three main clusters of\r\nactivity across the three webshells, with activity occurring on two separate webshells (green and orange) within a very small\r\nwindow of time on April 2, 2019 and the activity involving the third webshell two weeks later on April 16, 2019. The actors\r\nuploaded several of the same tools across these three webshells, which provides a relationship between the incidents and\r\nindicates that a single threat group is likely involved.\r\nFigure 1. Timeline of file uploads across three related webshells\r\nhttps://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/\r\nPage 1 of 11\n\nThe tools uploaded to the webshells range from legitimate applications such as cURL to post-exploitation tools such as\r\nMimikatz. 
The threat actors also uploaded tools to scan for and exploit potential vulnerabilities in the network, such as the\r\nwell-known SMB vulnerability patched in MS17-010 commonly exploited by EternalBlue to move laterally to other systems\r\non the network. We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated\r\nwith Emissary Panda. Based on the functionality of the various tools uploaded to the webshells, we believe the threat actors\r\nbreach the SharePoint servers to use as a beachhead, then attempt to move laterally across the network via stolen credentials\r\nand exploiting vulnerabilities.\r\nWebshells Installed\r\nAs previously mentioned, we found webshells installed on three SharePoint servers hosted at two different organizations,\r\ntwo of which had the same file name of errr.aspx and the other a filename of error2.aspx. The webshells were hosted at the\r\nfollowing paths on the compromised servers:\r\n/_layouts/15/error2.aspx\r\n/_layouts/15/errr.aspx\r\nWe were able to gather one of the webshells with which we saw the actor interacting, specifically the error2.aspx file listed\r\nabove. The error2.aspx file (SHA256: 006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38) is a\r\nvariant of the Antak webshell, which is part of a tool created for red teaming called Nishang. The specific variant of Antak in\r\nerror2.aspx is version v0.5.0, which is an older version of the webshell that was updated in August 2015 to v0.7.6 to include\r\nsome basic authentication functionality and the ability to perform SQL queries. It’s possible the actors obtained Antak v0.5.0\r\nvia the Nishang GitHub repository or from SecWiki’s GitHub that also has the v0.5.0 version of Antak. Figure 2 shows the\r\nAntak webshell loaded on one of the Sharepoint servers.\r\nFigure 2. 
Antak webshell ‘error2.aspx’ used to upload post-exploitation tools\r\nWhile we observed the threat actor uploading additional tools to the Antak webshell above, the Sharepoint server also had\r\nseveral other webshells installed. The additional webshells, specifically stylecs.aspx, stylecss.aspx, and test.aspx are listed in\r\nTable 1, and appear related to the China Chopper webshell. We cannot be sure all of these webshells were installed by the\r\nsame actors, as multiple actors could have exploited the SharePoint server. For instance, the China Chopper-related\r\nwebshells are one line of JScript code that could be easily copied and used by multiple groups, and the Antak webshell is\r\neasily obtained from publicly accessible repositories. However, the installation of China Chopper and the uploading of\r\nEmissary Panda related custom payloads to the Antak webshell suggests they are likely related, as this threat group has used\r\nChina Chopper to compromise servers in the past.\r\nFilename SHA256\r\nstylecs.aspx 2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86\r\nstylecss.aspx d1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe\r\ntest.aspx 6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378\r\nTable 1. Additional webshells hosted on Sharepoint server\r\nThe stylecs.aspx webshell provides fairly significant functionality, as its developer wrote this webshell in JScript that\r\nultimately runs any supplied JScript code provided to it within the HTTP request. Figure 3 shows this webshell’s code that\r\nwill run supplied JScript provided in base64 encoded format within the URL within a parameter\r\ne358efa489f58062f10dd7316b65649e. 
The parameter e358efa489f58062f10dd7316b65649e is interesting as it is the MD5\r\nhash for the letter ‘t’, which is a known parameter for China Chopper as mentioned in the next section.\r\nFigure 3. China Chopper code found in stylecs.aspx webshell on SharePoint server\r\nThe stylecss.aspx webshell is very similar to the stylecs.aspx, as it runs JScript provided within the\r\ne358efa489f58062f10dd7316b65649e parameter of the URL; however, the stylecss.aspx webshell does not accept base64\r\nencoded JScript, but expects the JScript in cleartext that the actor would provide as URL safe text. Figure 4 shows the code\r\nwithin stylecss.aspx, which when compared to Figure 3 above shows the lack of the base64 decoding function\r\n‘FromBase64String’.\r\nFigure 4. China Chopper code found in stylecss.aspx webshell on SharePoint server\r\nThe last webshell extracted from the Sharepoint server had a filename of test.aspx, which is very similar to the stylecs.aspx\r\nwebshell as it runs base64 encoded JScript provided in the URL of the request. However, the test.aspx webshell uses a\r\nparameter related to the compromised organization to obtain the base64 encoded JScript that it will run and display within\r\nthe browser. The test.aspx shell also includes code that sets the HTTP response status to a 404 Not Found, which will display\r\nan error page but will still run the provided JScript. Figure 5 shows the code within the test.aspx file.\r\nFigure 5. China Chopper code found in test.aspx webshell on SharePoint server\r\nLinks to Security Advisories\r\nIn April 2019, several national security organizations released alerts on CVE-2019-0604 exploitation, including the Saudi\r\nArabian National Cyber Security Center and the Canadian Center for Cyber Security. 
Both of these alerts discussed\r\ncampaigns in which actors used CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell.\r\nWhile we cannot confirm all of the claims made in these advisories, we noticed overlaps in the webshell code hosted on the\r\ncompromised SharePoint servers we observed and the webshells mentioned in these advisories.\r\nThe Saudi Arabian National Cyber Security Center’s alert provided details regarding the activities carried out by the\r\nadversary. This alert also displayed the code associated with the China Chopper webshell observed in the attacks, which\r\nincluded Request.Item[\"t\"] to obtain JScript code from the ‘t’ parameter of the URL. As mentioned in the previous section,\r\nstylecs.aspx and stylecss.aspx both used a parameter of e358efa489f58062f10dd7316b65649e, which is the MD5 hash of ‘t’.\r\nThis may suggest the actor modified the script slightly between the attack we observed, and the attack mentioned in the\r\nNCSC advisory, all while retaining the same functionality. Also, the NCSC advisory mentioned that the actors used a file\r\nname stylecss.aspx for their webshell, which is the same filename we saw associated with China Chopper.\r\nThe alert from the Canadian Center for Cyber Security included the SHA256 hashes of the files associated with the\r\ncampaign, one of which was 05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4 for a file named\r\npay.aspx. The pay.aspx file is part of the China Chopper webshell and is very similar to the stylecss.aspx webshell we\r\ndiscussed above, with the only major difference being the URL parameter of ‘vuiHWNVJAEF’ within the URL that the pay.aspx\r\nwebshell uses to obtain and run JScript. Figure 6 below shows a comparison between the stylecss.aspx and pay.aspx files.\r\nFigure 6. 
Comparison between stylecss.aspx webshell and pay.aspx webshell discussed in Canadian Center for Cyber\r\nSecurity advisory\r\nTools Uploaded\r\nDuring our research into this attack campaign, Unit 42 gathered several tools that the actor uploaded to the three webshells\r\nat the two government organizations. The chart in Figure 7 shows the same tools being uploaded to the webshells, which\r\nprovided an initial linkage between the activities. One of the overlapping tools uploaded to the webshells is the legitimate\r\ncURL application, which could be used by multiple groups. The other overlapping files are tools used by the adversary to\r\nlocate other systems on the network (etool.exe), check to see if they are vulnerable to CVE-2017-0144 (EternalBlue)\r\npatched in MS17-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to\r\nPsExec offered by Impacket (psexec.exe). These tools are not custom made by the adversary but still provide a medium\r\nconfidence linkage between the activities. We also observed the actors uploading the HyperBro backdoor to one of the\r\nwebshells, as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with\r\nknown Emissary Panda activity.\r\nFigure 7. Relationships between tools uploaded to the three webshells hosted on SharePoint servers\r\nThe actors uploaded 10 portable executables to the error2.aspx webshell, as seen in Table 2. The list of tools uploaded to this\r\nwebshell includes legitimate applications, such as cURL and a component of Sublime Text used to sideload a malicious\r\nDLL, which we will discuss in an upcoming section. 
The list also includes several hack tools, such as Mimikatz for\r\ncredential dumping and several compiled python scripts used to locate and compromise other systems on the local network.\r\nLastly, we saw the actor uploading a custom backdoor called HyperBro, which has been associated with Emissary Panda\r\noperations in the past. We will provide an analysis of the HyperBro tool in an upcoming section.\r\nFilename SHA256 Description\r\nm2.exe b279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade Packed Mimikatz tool.\r\npsexec.exe 7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7 Compiled Impacket psexec\r\ns.exe 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462 HyperBro backdoor\r\ncurl.exe abc16344cdfc78f532870f4dcfbb75794c9a7074e796477382564d7ba2122c7d Legitimate cURL\r\ncurl.exe bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab Legitimate cURL\r\nchecker1.exe 090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98 Compiled EternalBlue checker script\r\netool.exe 38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c C# Tool, likely from https://github.com/mubix/netvie\r\nplugin_host.exe 738abaa80e8b6ed21e16302cb91f6566f9322aebf7a22464f11ee9f4501da711 Legitimate Sublime Text plugin host\r\nPYTHON33.dll 2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528 Sideloaded DLL loaded by Sublime Text\r\ncurl.exe bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab Legitimate cURL.\r\nTable 2. Unique tools uploaded to the error2.aspx webshell installed on a SharePoint server\r\nWe saw 17 tools uploaded to the errr.aspx webshell hosted on the SharePoint server of one of the government organizations,\r\nwhich is in the middle of the chart in Figure 7. 
Table 3 shows all of the tools we observed the actor uploading to the\r\nwebshell, which includes a list of tools used to dump credentials, locate, and exploit remote systems, as well as pivoting to\r\nother systems on the network.\r\nFilename SHA256 Description\r\nsmb1.exe 88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd SMB backdoor based on smbrelay3\r\nmcmd.exe 738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841 Compiled zzz_exploit.py\r\nmcafee.exe 3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59 Compiled zzz_exploit.py\r\ndump.exe 29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e pwdump\r\nchecker1.exe d0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333 Compiled MS17-010 checker\r\nmemory.exe a18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5 Packed Mimikatz\r\nchecker.exe 090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98 Compiled MS17-010 checker\r\npsexec.exe 7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7 Compiled Impacket psexec.\r\netool.exe 38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c C# Tool, likely from https://github.com/mubix/netv\r\nsmb.exe 4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8 SMB backdoor based on smbrelay3\r\nagent_Win32.exe b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9 Termite\r\nsmb_exec.exe 475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7 httprelay\r\ncurl.exe bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab Legitimate cURL\r\nincognito.exe 9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b Incognito\r\nnbtscan.exe c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e nbtscan\r\nfgdump.exe a6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86 
pwdump\r\nsmbexec.exe e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee Compiled Impacket smbexec\r\nTable 3. Unique tools uploaded to the errr.aspx webshell installed on a SharePoint server\r\nTwo of the tools, specifically the compiled zzz_exploit.py and checker.py, suggest the actor would check and exploit remote\r\nsystems if they were not patched for MS17-010, which patched the CVE-2017-0144 (EternalBlue) vulnerability. Also, the\r\nuse of the Mimikatz and pwdump tools suggests the adversary attempts to dump credentials on compromised systems. We\r\nwere able to gather the command line arguments the actor used to run the SMB backdoor smb1.exe. The following\r\narguments show the actor using the SMB backdoor to attempt to run a batch script m.bat on a remote host using a domain\r\nusername and the account’s password hash:\r\nc:\\programdata\\smb1.exe \u003credacted 10.0.0.0/8 IP\u003e \u003credacted domain\u003e\\\u003credacted username\u003e :\u003credacted password hash\u003e\r\nwinsk c:\\programdata\\m.bat\r\nWe saw far fewer portable executable files uploaded to the second errr.aspx webshell, specifically the 3 files seen in Table 4.\r\nThe files uploaded to this webshell included the same compiled python script that would scan remote systems that were\r\nvulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell. 
Also, we observed the\r\nactor uploading a legitimate Microsoft application that would sideload a malicious DLL, which was very similar to the\r\nDLL sideloaded by the Sublime Text plugin host that was uploaded to the error2.aspx webshell.\r\nFilename SHA256 Description\r\nchecker1.exe d0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333 Compiled MS17-010 checker\r\nCreateMedia.exe 2bb22c7b97e4c4d07e17a259cbc48d72f7e3935aa873e3dd78d01c5bbf426088 Legitimate CreateMedia.exe application from Microsoft's System Center 2012 Configuration Manager\r\nCreateTsMediaAdm.dll 06510504f30feb1adc7e423d5a24e67e5b97acbfafe40f253a054be8b1c4e8d7 Sideloaded DLL loaded by CreateMedia.exe\r\nTable 4. Unique tools uploaded to the errr.aspx webshell installed on a SharePoint server\r\nEmissary Panda Specific Tools\r\nMany of the tools uploaded to these webshells are hacking tools that are publicly accessible and could be used by multiple\r\nthreat actors. However, several of the tools uploaded to the webshells appear to be custom made and likely related to the\r\nEmissary Panda threat group.\r\nHyperBro\r\nThe s.exe (SHA256: 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462) uploaded to the\r\nerror2.aspx webshell is a self-extracting 7-zip archive that is an example of the HyperBro backdoor. According to Kaspersky\r\nand SecureWorks research, HyperBro is a custom backdoor developed and used by Emissary Panda in their attack\r\ncampaigns. This sample of HyperBro is similar to the sample discussed in Kaspersky’s research, specifically using a\r\nlegitimate pcAnywhere application to sideload a DLL to decrypt, decompress and run a payload embedded within a file\r\nnamed ‘thumb.db’. 
Table 5 shows the three files associated with this HyperBro sample, which have the same file names as\r\nthe self-extracting 7zip archives mentioned in Kaspersky’s blog (SHA256 hashes:\r\n34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa and\r\n2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233).\r\nFilename SHA256 Description\r\nthinprobe.exe 76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af Symantec pcAnywhere thinprobe application\r\nthinhostprobedll.dll d40414b1173d59597ed1122361fe60303d3526f15320aede355c6ad9e7e239af Sideloaded DLL loaded by thinprobe.exe\r\nthumb.db 270ea24f2cef655bd89439ab76c1d49c80caaa8899ffa6f0ef36dc1beb894530 Contains encrypted and compressed DLL payload run by sideloaded DLL\r\nTable 5. Files associated with the HyperBro tool uploaded to webshell on SharePoint server\r\nThe functional payload is a DLL compiled on 2019-03-11 02:23:54, which has two functionalities depending on whether the binary\r\nhas a command line argument -daemon or -worker passed to it. The daemon functionality handles the C2 communications\r\nportion of the Trojan, which is configured to communicate with 185.12.45[.]134 over HTTPS using the following URL:\r\nhxxps://185.12.45[.]134:443/ajax\r\nThe worker functionality acts on the data received from the C2 server, which is passed from the daemon to the worker via a\r\nnamed pipe called \"\\\\.\\pipe\\testpipe\". The worker subjects the received data to a command handler whose available\r\ncommands are listed in Table 6.
\r\nCommand Sub-command Description\r\n0x12 File manager\r\n    0x10 Enumerate logical storage volumes\r\n    0x11 Delete a specified file\r\n    0x12 Upload a file\r\n    0x13 Download a file\r\n    0x17 List contents of a folder\r\n    0x19 Run an application (CreateProcessW) or script/file (ShellExecuteW)\r\n0x13 Execute command on shell\r\n0x16 Takes screenshot\r\n0x19 Runs shellcode it injects into a newly created process 'msiexec.exe'\r\n0x1a Kill specific process\r\n0x1e Service manager\r\n    0x17 List all services and their configurations\r\n    0x19 Start a specified service\r\n    0x1a Stop a specified service\r\nTable 6. The commands available within the HyperBro tool’s command handler\r\nUnknown Sideloaded Payloads\r\nTables 2 and 4 above include two legitimate executables used for DLL sideloading, specifically the plugin_host.exe\r\napplication for Sublime Text and the CreateMedia.exe application from Microsoft's System Center 2012 Configuration\r\nManager. The plugin_host.exe application imports several functions from a library named python33, which is how the\r\nlegitimate application sideloads the malicious DLL named PYTHON33.dll. This is the first instance we have observed\r\nSublime Text’s plugin host application used for sideloading. Like the plugin host application, the CreateMedia.exe\r\napplication imports several functions from a library named CreateTsMediaAdm that is leveraged to load the malicious DLL\r\nnamed CreateTsMediaAdm.dll.\r\nThe PYTHON33.dll and the CreateTsMediaAdm.dll libraries are very similar with BinDiff providing a 97% similarity with\r\n99% confidence between the two DLLs. The code diff in Figure 8 shows the decryption routine in PYTHON33.dll (right)\r\nand CreateTsMediaAdm.dll (left), both of which use an eight byte XOR key to decrypt a piece of shikata_ga_nai obfuscated\r\nshellcode. 
The shellcode is responsible for patching the entry point of the legitimate application to call another function in\r\nthe shellcode that is responsible for loading a file with the library name with an .hlp extension (PYTHON33.hlp or\r\nCreateTsMediaAdm.hlp).\r\nFigure 8. Code comparison between the sideloaded CreateTsMediaAdm.dll and PYTHON33.dll files uploaded to two\r\nwebshells\r\nUnfortunately, we do not have access to the PYTHON33.hlp or CreateTsMediaAdm.hlp files, so we do not know the final\r\npayload loaded by either of these DLLs. However, using NCC Group’s research published in May 2018, we were able to\r\ndiscover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that the NCC group has\r\nassociated with an Emissary Panda campaign. Figure 9 shows a code comparison between the PYTHON33.dll (right) and\r\ninicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822), which was\r\nsideloaded to run the SysUpdate tool in a previous Emissary Panda campaign. The code overlaps below include the same\r\ntechnique to find the entry point of the loading executable and decrypting the first piece of shellcode used to patch the entry\r\npoint.\r\nFigure 9. Code comparison between the sideloaded PYTHON33.dll uploaded to webshell and the inicore_v2.3.30.dll file\r\nsideloaded in previous Emissary Panda attacks\r\nConclusion\r\nThe Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government\r\norganizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution\r\nvulnerability in SharePoint tracked in CVE-2019-0604. 
According to Microsoft’s advisory, this vulnerability was patched on\r\nMarch 12, 2019 and we first saw the webshell activity on April 1, 2019. This suggests that the threat group was able to\r\nquickly leverage a known vulnerability to exploit Internet facing servers to gain access to targeted networks.\r\nOnce the adversary established a foothold on the targeted network, they used China Chopper and other webshells to upload\r\nadditional tools to the SharePoint server to dump credentials, perform network reconnaissance and pivot to other systems.\r\nWe believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the\r\nCVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010. We also observed the actors uploading legitimate tools that would\r\nsideload DLLs, specifically the Sublime Text plugin host and Microsoft’s Create Media application, both of which we\r\nhad never seen used for DLL sideloading before.\r\nPalo Alto Networks customers are protected by:\r\nThe CVE-2019-0604 vulnerability is covered by our IPS signature Microsoft Sharepoint Remote Code Execution\r\nVulnerability (55411)\r\nAll illegitimate tools uploaded to the webshells are marked with malicious verdicts by WildFire and Traps.\r\nAutoFocus customers can track the custom Emissary Panda payload seen uploaded to the webshell using the\r\nHyperBro tag, but can also track the hack tools using the following tags (note the hack tools are used by multiple\r\nactors and not just Emissary Panda):\r\nSmbExec\r\nPsExec\r\nPsExec_Python\r\nBChecker\r\nZZZ_Exploit\r\nTermite\r\nIncognito\r\nPwDump\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers\r\nand to systematically disrupt malicious cyber actors. 
For more information on the Cyber Threat Alliance, visit\r\nwww.cyberthreatalliance.org.\r\nIOCs\r\nHyperBro C2\r\nhxxps://185.12.45[.]134:443/ajax\r\n185.12.45[.]134\r\nSource: https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
	],
	"report_names": [
		"emissary-panda-attacks-middle-east-government-sharepoint-servers"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434606,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bca1058e620ada77efb5a8c2bb90d17827e4b726.pdf",
		"text": "https://archive.orkl.eu/bca1058e620ada77efb5a8c2bb90d17827e4b726.txt",
		"img": "https://archive.orkl.eu/bca1058e620ada77efb5a8c2bb90d17827e4b726.jpg"
	}
}