InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

The APT Files #2: Putter Panda

Daniel Iwugo

Published in InfoSec Write-ups

3 min read · Jan 26, 2024

A Panda playing golf ¦ Credit: Author using Stable Diffusion

Quick Details

Suspected Origin: China, 2007

Other Names: APT2, PLA 61486, Putter Panda, MSUpdater, G0023

Target Region(s): North America, Europe

Attack Vectors: Spear-phishing, Malware, Social Engineering

Tools observed: MOOSE, WARP

Hacker Words

  • OSINT — Open Source Intelligence, using publicly available sources to gather sensitive/critical information about someone
  • C2 Servers — Command and Control Servers, computers used to control malware remotely

Putter Panda is a threat group suspected of operating under the military cover of Unit 61486 of the Chinese People’s Liberation Army (PLA). The group’s name comes from its knack for targeting golf players (putter) and its suspected origin (panda, for China).

According to the Council on Foreign Relations, the group is known to target tech, research, defence and government sectors, particularly in satellite and aerospace sectors of the United States.

Their primary focus is on widely used productivity applications like Adobe Reader and Microsoft Office. They carry out their malicious activities using customized malware, which they distribute through targeted email attacks.

On June 9, 2014, Crowdstrike released a report exposing the operations of the group. The centrepiece of the report was a suspected hacker with the alias ‘cpyy’. Using Open Source Intelligence (OSINT), Crowdstrike was able to link the hacker to many operations carried out by the threat group, as well as to Comment Panda and Vixen Panda, two other threat groups.

The report noted that a domain name used for C2 communication with known malware was registered to an email address. Checking the registrant’s postal address on Google Maps revealed an area of Shanghai that happens to be where the PLA unit’s building is located.

Furthermore, a Chinese government website provided information about theatrical performances featuring PLA members, specifically staff of Unit 61486, and linked the same address to the aforementioned registrant email.
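The registrant pivot described above (one C2 domain, its registrant email and postal address, and from there other domains registered with the same details) is a routine CTI technique. The following is an added illustration, not code from the report or from this post: the WHOIS-style records are constructed sample data with placeholder domains, emails and addresses, and the clustering logic is a generic pivot, not Crowdstrike’s method. It also shows the caveat a practitioner would want: privacy-protected registrant fields must not be pivoted on, or every redacted domain ends up linked to every other.

```python
"""Pivot on WHOIS registrant data to cluster related C2 domains.

Added illustration (not from the Putter Panda report): the records below are
constructed sample data, not real registrations, and the pivot logic is a
generic CTI technique, not CrowdStrike's method.
"""
from collections import defaultdict

# Constructed sample WHOIS records. Domains, emails and addresses are
# placeholders chosen for this example only; the spelling/whitespace
# differences are deliberate to exercise normalisation.
SAMPLE_RECORDS = [
    {"domain": "update-check.example", "registrant_email": "Owner@Example.invalid",
     "registrant_address": "1 Example Road, Pudong, Shanghai"},
    {"domain": "ms-updater.example", "registrant_email": "owner@example.invalid ",
     "registrant_address": "1 Example Road, Pudong, Shanghai"},
    {"domain": "golf-news.example", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_address": "REDACTED FOR PRIVACY"},
    {"domain": "club-rankings.example", "registrant_email": "other@example.invalid",
     "registrant_address": "1 example road,  pudong, shanghai"},
    {"domain": "unrelated.example", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_address": "REDACTED FOR PRIVACY"},
]

# Substrings that indicate a privacy/proxy service rather than a real registrant.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard")

PIVOT_FIELDS = ("registrant_email", "registrant_address")


def normalise(value):
    """Lower-case and collapse whitespace so trivially different spellings match."""
    return " ".join(value.lower().split())


def is_pivotable(value):
    """Reject empty or privacy-protected fields; pivoting on them links unrelated domains."""
    v = normalise(value)
    return bool(v) and not any(marker in v for marker in PRIVACY_MARKERS)


def pivot_by_registrant(records):
    """Group domains by registrant email; privacy-protected records are skipped."""
    clusters = defaultdict(set)
    for r in records:
        if is_pivotable(r["registrant_email"]):
            clusters[normalise(r["registrant_email"])].add(r["domain"])
    return {email: sorted(domains) for email, domains in clusters.items()}


def linked_domains(records, seed_domain):
    """Domains reachable from the seed via shared (pivotable) email or address, transitively."""
    by_domain = {r["domain"]: r for r in records}
    if seed_domain not in by_domain:
        raise KeyError(seed_domain)
    # Index every pivotable value -> set of domains that share it.
    index = defaultdict(set)
    for r in records:
        for field in PIVOT_FIELDS:
            if is_pivotable(r[field]):
                index[(field, normalise(r[field]))].add(r["domain"])
    # Breadth-first walk over the shared-value graph.
    seen, frontier = set(), [seed_domain]
    while frontier:
        d = frontier.pop()
        if d in seen:
            continue
        seen.add(d)
        for field in PIVOT_FIELDS:
            value = by_domain[d][field]
            if is_pivotable(value):
                frontier.extend(index[(field, normalise(value))] - seen)
    seen.discard(seed_domain)
    return sorted(seen)


if __name__ == "__main__":
    print(pivot_by_registrant(SAMPLE_RECORDS))
    print(linked_domains(SAMPLE_RECORDS, "update-check.example"))
```

Starting from the seed domain, the walk reaches a second domain through the shared email and a third through the shared postal address, while the two privacy-protected domains stay unlinked. In real work the same pivot should be weighted by how common the shared value is; a registrant address belonging to a large hosting reseller links thousands of unrelated domains and is not evidence of anything.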

Written by Daniel Iwugo

Just another guy fascinated by the world of Hacking, Cybersecurity and the Internet