Clankerusecase
Threat-actor profile

🇨🇳 Deep Panda

Deep Panda is a tracked threat actor in the Clankerusecase corpus. China-aligned; primary motivation: state. The corpus maps 14 detection use cases to this actor across 10 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G0009

14 use cases · 0 articles · 10 techniques · 0 IOCs

About this actor (MITRE)

[Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://attack.mitre.org/groups/G0009). (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) [Deep Panda](https://attack.mitre.org/groups/G0009) also appears to be known as Black Vine based on the attribution of

Known aliases

Deep Panda, Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine


Detection use cases (14)

Each use case is tagged with the basis on which it was mapped to this actor: "AI · profile" (derived from the actor profile) or "MITRE match" (matched on a technique the actor is recorded as using).

- Deep Panda (Shell Crew) regsvr32 'Squiblydoo' COM scriptlet execution (AI · profile)
- Deep Panda China Chopper IIS web shell -> wmiprvse-spawned WMIC lateral discovery (AI · profile)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) (MITRE match)
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection: post-RCE command execution (MITRE match)
- Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) (MITRE match)
- Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write (MITRE match)
- Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)
- Web-Server Process Post-Exploit Anchor: Plugin/Extension RCE Leading to Shell Spawn or Webroot Script Drop (MITRE match)
- Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) (MITRE match)
- Office app spawning script/LOLBin child process (MITRE match)
- Phishing-link click correlated to endpoint execution (MITRE match)
- PowerShell encoded / obfuscated command (MITRE match)