{
	"id": "25b0c151-7815-4c7c-9938-9b198714097f",
	"created_at": "2026-04-06T00:12:44.386072Z",
	"updated_at": "2026-04-10T03:33:22.315398Z",
	"deleted_at": null,
	"sha1_hash": "c4cdd952e7f7cba9fb4acfce16ce851fa9b471d9",
	"title": "Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 220843,
	"plain_text": "Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit\r\nBy The Hacker News\r\nPublished: 2022-04-01 · Archived: 2026-04-05 23:12:21 UTC\r\nA Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data.\r\n\"The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates,\" said Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet's FortiGuard Labs, in a report released this week. \"The victims belong to the financial, academic, cosmetics, and travel industries.\"\r\nDeep Panda, also known by the monikers Shell Crew, KungFu Kittens, and Bronze Firestone, is said to have been active since at least 2010, with recent attacks \"targeting legal firms for data exfiltration and technology providers for command-and-control infrastructure building,\" according to Secureworks.\r\nhttps://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html\r\nCybersecurity firm CrowdStrike, which assigned the panda-themed name to the threat cluster all the way back in July 2014, called it \"one of the most advanced Chinese nation-state cyber intrusion groups.\"\r\nThe latest set of attacks documented by Fortinet shows that the infection procedure involved the exploitation of the Log4j remote code execution flaw (aka Log4Shell) in vulnerable VMware Horizon servers to spawn a chain of intermediate stages, ultimately leading to the deployment of a backdoor dubbed Milestone (\"1.dll\").\r\nBased on the leaked source code of the infamous Gh0st RAT but with notable differences in the command-and-control (C2) communication mechanism employed, Milestone is also designed to send information about the current sessions on the system to the remote server.\r\nAlso detected during the attacks is a kernel rootkit called \"Fire Chili\" that's digitally signed with stolen certificates from game development companies, enabling it to evade detection by security software and conceal malicious file operations, processes, registry key additions, and network connections.\r\nThis is achieved by means of ioctl (input/output control) system calls to hide the driver rootkit's registry key, the Milestone backdoor files, and the loader file and process used to launch the implant.\r\nFortinet's attribution to Deep Panda stems from overlaps between Milestone and Infoadmin RAT, a remote access trojan used by the sophisticated hacking collective in the early 2010s, with additional clues pointing to tactical similarities to those of the Winnti group.\r\nThis is backed by the use of compromised digital signatures belonging to gaming companies, a target of choice for Winnti, as well as a C2 domain (gnisoft[.]com), which has been previously linked to the Chinese state-sponsored actor as of May 2020.\r\n\"The reason these tools are linked to two different groups is unclear at this time,\" the researchers said. \"It's possible that the groups' developers shared resources, such as stolen certificates and C2 infrastructure, with each other. This may explain why the samples were only signed several hours after being compiled.\"\r\nThe disclosure adds to a long list of hacking groups that have weaponized the Log4Shell vulnerability to strike VMware's virtualization platform.\r\nIn December 2021, CrowdStrike described an unsuccessful campaign undertaken by an adversary dubbed Aquatic Panda that leveraged the flaw to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems.\r\nSince then, multiple groups have joined the fray, including the Iranian TunnelVision group, which was observed actively exploiting the Log4j logging library defect to compromise unpatched VMware Horizon servers with ransomware.\r\nMost recently, cybersecurity company Sophos highlighted a slew of attacks against vulnerable Horizon servers that have been ongoing since January and have been mounted by threat actors to illicitly mine cryptocurrency, install PowerShell-based reverse shells, or to deploy Atera agents to remotely deliver additional payloads.\r\n\"Attempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature,\" Sophos researchers said, adding \"platforms such as Horizon are particularly attractive targets to all types of malicious actors because they are widespread and can (if still vulnerable) easily be found and exploited with well-tested tools.\"\r\nSource: https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html"
	],
	"report_names": [
		"chinese-hackers-target-vmware-horizon.html"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434364,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4cdd952e7f7cba9fb4acfce16ce851fa9b471d9.pdf",
		"text": "https://archive.orkl.eu/c4cdd952e7f7cba9fb4acfce16ce851fa9b471d9.txt",
		"img": "https://archive.orkl.eu/c4cdd952e7f7cba9fb4acfce16ce851fa9b471d9.jpg"
	}
}