Cybersecurity News & Analysis · github defconxt · © 2026 · blacktemple.net

Aquatic Panda

Also known as: Charcoal Typhoon · Bronze University · ControlX

Type: nation-state
Nation: China
Active Since: 2018
Targets: Technology, Telecommunications, Government, Defense, Academic Research, COVID-19 Research, Critical Infrastructure
Known Tools: PlugX, Cobalt Strike, FishMaster, njRAT, Mimikatz, certutil, PsExec, procdump, Winnti, CobaltStrike Beacon
MITRE ATT&CK: T1190, T1059.001, T1059.003, T1021.001, T1021.002, T1003.001, T1027, T1036, T1547.001, T1071.001, T1560, T1078, T1505.003, T1105, T1110.003
References: CrowdStrike - Aquatic Panda; MITRE ATT&CK; Microsoft - Charcoal Typhoon; Mandiant - Bronze University

Background

Aquatic Panda is a China-nexus threat actor that exhibits the dual-mission profile characteristic of MSS-affiliated groups: it simultaneously conducts cyber espionage for intelligence collection and supports broader Chinese industrial development through intellectual property theft. The group has been active since at least 2018 and gained significant attention in December 2021 when CrowdStrike's Falcon OverWatch team caught it in real time exploiting the critical Log4Shell vulnerability (CVE-2021-44228) to target an academic institution.

Microsoft tracks this actor as Charcoal Typhoon, reflecting its classification within Microsoft's actor taxonomy as a China-based threat. The group has shown a sophisticated ability to rapidly weaponize newly disclosed critical vulnerabilities; the Log4Shell exploitation occurred within days of the vulnerability's public disclosure, which points to both technical preparation and an active vulnerability research capability.

Aquatic Panda is assessed to operate primarily in support of China's intelligence requirements against Western technology and academic institutions, with a secondary track of targeting organizations that develop or hold sensitive dual-use technologies. The group's operations are consistent with MSS-aligned groups tasked with supporting Made in China 2025 objectives, targeting sectors including next-generation telecommunications, advanced manufacturing, and life sciences research.

Notable Campaigns

Log4Shell Zero-Day Exploitation (December 2021): CrowdStrike publicly documented Aquatic Panda exploiting CVE-2021-44228 (Log4Shell) within days of its disclosure. The group targeted an academic institution's VMware Horizon infrastructure, deploying Cobalt Strike beacons for post-compromise access. The CrowdStrike investigation allowed defenders to interrupt the intrusion in progress, providing rare real-time visibility into Aquatic Panda's methodology.

COVID-19 Research Targeting (2020-2021): Aquatic Panda was among multiple Chinese APT groups targeting pharmaceutical companies, academic medical research centers, and biodefense organizations during the COVID-19 pandemic. The group sought vaccine research, clinical trial data, and proprietary therapeutic research. Attribution was challenging because the toolset overlaps with those of other China-nexus actors.

Telecommunications Infrastructure Targeting (2019-2023): The group has sustained a campaign against telecommunications companies, particularly those involved in 5G network development and deployment. Operations focused on network architecture documentation, configuration data, and R&D information from carriers and equipment manufacturers.

Technology and Defense Industrial Base (2021-2024): Aquatic Panda has targeted technology companies and defense contractors, particularly those with operations in Taiwan or involved in semiconductor design and manufacturing. The group's targeting of academic institutions appears focused on gathering intelligence on technical talent for recruitment and on accessing cutting-edge research before commercialization.

Tactics, Techniques & Procedures

Rapid Vulnerability Exploitation: Aquatic Panda shows a consistent pattern of rapidly weaponizing newly disclosed critical vulnerabilities, particularly in internet-facing enterprise products. The Log4Shell case showed the group integrating a new exploit into its operational workflow within days of public disclosure (T1190). The group has also exploited vulnerabilities in VMware, Microsoft Exchange, and Zoho ManageEngine products.

Cobalt Strike-Centric Operations: Post-exploitation operations center on Cobalt Strike Beacon for command and control. The group customizes Beacon configurations to use legitimate-looking domains and HTTPS certificates so that the traffic blends with normal enterprise traffic. Beacon is used for internal reconnaissance, lateral movement, and staging exfiltration.

Credential Harvesting and Persistence: The group uses Mimikatz and procdump for credential harvesting (T1003.001), followed by Pass-the-Hash or Pass-the-Ticket for lateral movement. Persistence is achieved via registry run keys (T1547.001) and web shells (T1505.003) on internet-facing servers. The group favors web shells on VMware Horizon Connection Server instances as persistent access mechanisms.

Living-Off-the-Land: Aquatic Panda uses built-in Windows tools, including certutil for payload download and WMI for lateral movement, to minimize unique binary artifacts. PsExec is used for remote execution across compromised systems. The group's use of PlugX as a secondary access channel is consistent with standard Chinese APT practice.

Tools & Malware

  • Cobalt Strike: Commercial post-exploitation framework used as the primary C2 mechanism. Customized with domain fronting and malleable C2 profiles to evade network detection.
  • PlugX: Modular remote access trojan widely used by Chinese APT groups. Provides file management, keylogging, and remote shell capabilities. Used as a secondary persistent access channel.
  • FishMaster: A custom backdoor unique to Aquatic Panda, providing remote access functionality with C2 over HTTP/HTTPS using encoded parameters.
  • Mimikatz: Credential harvesting tool used to extract NTLM hashes, Kerberos tickets, and plaintext credentials from LSASS memory.
  • procdump: Legitimate Windows Sysinternals tool used to dump LSASS memory for offline credential extraction.
  • njRAT: A commodity remote access trojan used alongside custom tools, particularly in early-stage operations.
  • certutil: A legitimate Windows Certificate Services utility used to download payloads and decode base64-encoded content.

Indicators & Detection

Patch and Vulnerability Management: Aquatic Panda's rapid exploitation of newly disclosed vulnerabilities requires an aggressive patch cycle for internet-facing infrastructure. Prioritize emergency patching for critical vulnerabilities in VMware, Microsoft, and other enterprise products within 48 hours of disclosure. Monitor the logs of internet-facing services for exploitation attempts against recently disclosed CVEs.

VMware and Enterprise Application Monitoring: Monitor VMware Horizon Connection Server logs for anomalous authentication events and web shell creation. Alert on unexpected child processes spawned by Java processes (a Log4Shell indicator). Monitor IIS and Apache web server logs for web shell access patterns, including short-duration connections with large response sizes from unexpected source IPs.

Cobalt Strike Detection: Detect Cobalt Strike beacons through network signatures, including distinctive HTTPS JA3 fingerprints, periodic beacon intervals (typically the 60-second default), and malleable C2 profile indicators. Use JARM fingerprinting to identify Cobalt Strike team servers. Monitor DNS for beacon check-in traffic patterns.
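The interval-regularity check described above, as an added example that is not from the page or from the vendors it cites: it groups a constructed connection log by (source, destination) and flags pairs whose check-in gaps are nearly constant. Host names, the destination domains and the thresholds are assumptions.

```python
import statistics
from datetime import datetime, timedelta

# Constructed connection log: (timestamp, source host, destination).  HOST-A checks in
# with one destination every 60 seconds plus a little jitter; HOST-B browses
# irregularly.  Hosts and domains are made up for the example.
_BASE = datetime(2021, 12, 15, 9, 0, 0)
SAMPLE_CONNECTIONS = [
    (_BASE + timedelta(seconds=60 * i + j), "HOST-A", "cdn-updates.example")
    for i, j in enumerate([0, 1, -1, 2, 0, 1, -2, 0, 1, 0])
] + [
    (_BASE + timedelta(seconds=s), "HOST-B", "news.example")
    for s in (0, 7, 45, 130, 131, 400, 412, 900, 1500, 1503)
]


def beacon_candidates(connections, expected=60.0, tolerance=0.15, max_cv=0.05, min_hits=6):
    """Return [((src, dst), mean_gap, cv)] for pairs whose inter-connection gaps are
    nearly constant.  cv = stdev / mean of the gaps: interactive traffic has a high cv,
    a sleeping implant a very low one.  `expected` (default: the 60 s Cobalt Strike
    sleep) narrows the match to one cadence; expected=None flags any regular cadence."""
    by_pair = {}
    for ts, src, dst in sorted(connections):
        by_pair.setdefault((src, dst), []).append(ts)
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:          # too few samples to judge regularity
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if expected is not None and abs(mean - expected) > expected * tolerance:
            continue
        if cv <= max_cv:
            flagged.append((pair, round(mean, 1), round(cv, 3)))
    return flagged
```

A Beacon profile with a large jitter setting spreads its sleep and raises the cv, so tune max_cv against your own traffic baseline rather than relying on the 0.05 used here.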

Credential Protection: Implement Credential Guard on Windows 10/11 systems to protect LSASS from memory dumping attacks. Monitor process access to lsass.exe and alert on non-system processes reading LSASS memory. Require hardware MFA for all privileged account authentication to mitigate the impact of credential theft.
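An added example, not part of the original profile, that applies two of the endpoint rules above (a Java process spawning a shell, from the VMware monitoring paragraph, and a non-system process reading LSASS memory, from this paragraph) to constructed Sysmon-style events. The host names, file paths, the child-process list and the LSASS allowlist are assumptions to tune per environment.

```python
from pathlib import PureWindowsPath

# Children that the JVM behind an application server should not normally spawn;
# a shell here is the classic post-Log4Shell footprint.  Assumed list.
SUSPICIOUS_JAVA_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                            "cscript.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}
# Processes expected to open lsass.exe; extend with your EDR/AV binaries.  Assumed list.
LSASS_SYSTEM_READERS = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010   # the access right a memory dump of LSASS needs


def _name(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Run both rules over Sysmon-style records (EventID 1 = process create,
    EventID 10 = process access) and return (rule, host, offending image) tuples."""
    alerts = []
    for e in events:
        if e["EventID"] == 1:
            if _name(e["ParentImage"]) in {"java.exe", "javaw.exe"} and \
               _name(e["Image"]) in SUSPICIOUS_JAVA_CHILDREN:
                alerts.append(("java_spawned_shell", e["Computer"], _name(e["Image"])))
        elif e["EventID"] == 10:
            if _name(e["TargetImage"]) == "lsass.exe" and \
               _name(e["SourceImage"]) not in LSASS_SYSTEM_READERS and \
               int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
                alerts.append(("lsass_memory_read", e["Computer"], _name(e["SourceImage"])))
    return alerts


# Constructed sample telemetry; hosts and paths are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "HZN-CS01", "ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "HZN-CS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # user-opened shell
    {"EventID": 10, "Computer": "WS-17", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "WS-17", "SourceImage": r"C:\Users\Public\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]
```

On a Horizon Connection Server the JVM may run under a service wrapper rather than java.exe, so check which image actually hosts Java there and add it to the parent set.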
