Clankerusecase
Threat-actor profile

Aquatic Panda

Aquatic Panda is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 35 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- 14 use cases
- 0 articles
- 35 techniques
- 0 IOCs

About this actor (MITRE)

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily targeted entities in the telecommunications, technology, and government sectors. (Citation: CrowdStrike AQUATIC PANDA December 2021)

Known aliases

Aquatic Panda

Top techniques

All other tracked techniques

Detection use cases (14)

- Aquatic Panda Log4Shell exploitation of VMware Horizon Tomcat spawning recon LOLBins (AI · profile SΣ)
- Aquatic Panda LSASS MiniDump via rundll32 + comsvcs.dll (AI · profile SΣ)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint (MITRE match)
- Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) (MITRE match)
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (MITRE match)
- Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress (MITRE match)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)
- Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host (MITRE match)
- Crypto-wallet file/keystore access by non-wallet process (MITRE match)