Emissary Panda, APT 27, LuckyMouse, Bronze Union
Archived: 2026-04-02 10:52:11 UTC

APT group: Emissary Panda, APT 27, LuckyMouse, Bronze Union

Names:
  Emissary Panda (CrowdStrike)
  APT 27 (Mandiant)
  LuckyMouse (Kaspersky)
  Bronze Union (Secureworks)
  TG-3390 (SecureWorks)
  TEMP.Hippo (Symantec)
  Budworm (Symantec)
  Group 35 (Talos)
  ATK 15 (Thales)
  Iron Tiger (Trend Micro)
  Earth Smilodon (Trend Micro)
  Red Phoenix (PWC)
  ZipToken (?)
  Iron Taurus (Palo Alto)
  Circle Typhoon (Microsoft)
  Linen Typhoon (Microsoft)
  G0027 (MITRE)

Country: China

Motivation: Information theft and espionage

First seen: 2010

Description:
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sector
Emissary Panda has some overlap with Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens and possibly UNC2
This actor worked together with TA428 in Operation StealthyTrident.

Observed:
Sectors: Aerospace, Aviation, Defense, Education, Embassies, Government, Manufacturing, Technology, Telecommunications,
Countries: Australia, Canada, China, Germany, Hong Kong, India, Iran, Israel, Japan, Mongolia, Philippines, Russia, Spain, So Thailand, Tibet, Turkey, UK, USA and Middle East.

Tools used:
Antak, ASPXSpy, China Chopper, Gh0st RAT, gsecdump, HTTPBrowser, HTran, Hunter, HyperBro, Mimikatz, Nishang, Owa PsExec, SysUpdate, TwoFace, Windows Credentials Editor, ZXShell, Living off the Land.

Operations performed:

2010: Operation “Iron Tiger”
Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of data from defense co including stolen emails, intellectual property, strategic planning documents – data and records that could be u organization.

2015: Penetration of networks for industrial espionage
Designated as Threat Group 3390 and nicknamed “Emissary Panda” by researchers, the hacking group has c networks largely through “watering hole” attacks launched from over 100 compromised legitimate websites, were known to be frequented by those targeted in the attack.

Jul 2017: Operation “PZChao”
The past few years have seen high-profile cyber-attacks shift to damaging the targets’ digital infrastructures t data, silently monitoring the victim and constantly laying the ground for a new wave of attacks.
This is also the case of a custom-built piece of malware that we have been monitoring for several months as Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have ke since.

Mar 2018: Campaign targeting a national data center in the Central Asia
The choice of target made this campaign especially significant – it meant the attackers gained access to a wid resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in websites in order to conduct watering hole attacks.

Apr 2018: Operation “SpoiledLegacy”
We have been monitoring a campaign targeting Vietnamese government and diplomatic entities abroad since

Apr 2019:
In April 2019, Unit 42 observed the Emissary Panda (AKA APT27, TG-3390, Bronze Union, Lucky Mouse) webshells on Sharepoint servers to compromise Government Organizations of two different countries in the

Summer 2019: Operation “DRBControl”

2020: APT27 Turns to Ransomware

2020: Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware

Apr 2020: Investigation with a twist: an accidental APT attack and averted data destruction

Mar 2021: Exchange servers under siege from at least 10 APT groups

Mar 2021: German government warns of APT27 activity targeting local companies

Apr 2022: Budworm: Espionage Group Returns to Targeting U.S. Organizations

May 2022: LuckyMouse uses a backdoored Electron app to target MacOS

Jul 2022: Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

Aug 2022: Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=960355e3-27d8-4e62-a4cc-a807f031865f