Adversary | Emissary Panda

Updated: Apr 3, 2021


Also Known As

APT27 | Group 35 | ZipToken | HippoTeam | Iron Tiger APT | Bronze Union | Lucky Mouse | TG-3390 | TEMP.Hippo
Origin

China


Target Countries

Saudi Arabia | Qatar | India | Kazakhstan | Spain | United Kingdom | United States

Targeted Verticals

Government | Military

Healthcare

Telecommunications

Retail | Commercial


MITRE TTPs

Abuse Elevation Control Mechanism: Bypass User Account Control

Account Discovery: Local Account

Application Layer Protocol: Web Protocols

Archive Collected Data: Archive via Library

Automated Collection

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Windows Command Shell

Create or Modify System Process: Windows Service

Data from Local System

Data Staged: Local Data Staging

Data Staged: Remote Data Staging

Data Transfer Size Limits

Deobfuscate/Decode Files or Information

Drive-by Compromise

Exploitation for Client Execution

Exploitation for Privilege Escalation

Exploitation of Remote Services

External Remote Services

Hijack Execution Flow: DLL Search Order Hijacking

Hijack Execution Flow: DLL Side-Loading

Impair Defenses: Disable Windows Event Logging

Indicator Removal on Host: File Deletion

Indicator Removal on Host: Network Share Connection Removal

Ingress Tool Transfer

Input Capture: Keylogging

Modify Registry

Network Service Scanning

Obfuscated Files or Information

OS Credential Dumping: LSA Secrets

OS Credential Dumping: LSASS Memory

OS Credential Dumping: Security Account Manager

Process Injection: Process Hollowing

Query Registry

Remote Services: Windows Remote Management

Remote System Discovery

Scheduled Task/Job: At (Windows)

Server Software Component: Web Shell

System Network Configuration Discovery

System Network Connections Discovery

Valid Accounts

Windows Management Instrumentation
