ETDA ThaiCERT
Report
Search
Home > List all groups > PittyTiger, Pitty Panda

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: PittyTiger, Pitty Panda

NamesPittyTiger (FireEye)
Pitty Panda (CrowdStrike)
Manganese (Microsoft)
CountryChina China
MotivationInformation theft and espionage
First seen2011
Description(Airbus) Pitty Tiger is a group of attackers that have been active since at least 2011. They have targeted private companies in several sectors, such as defense and telecommunications, but also at least one government.

We have been able to track down this group of attackers and can provide detailed information about them. We were able to collect and reveal their “malware arsenal”. We also analyzed their technical organization.

Our investigations indicate that Pitty Tiger has not used any 0day vulnerability so far, rather they prefer using custom malware, developed for the group’s exclusive usage. Our discoveries indicate that Pitty Tiger is a group of attackers with the ability to stay under the radar, yet still not as mature as other groups of attackers we monitor.

Pitty Tiger is probably not a state-sponsored group of attackers. They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.

We have been able to leverage several attackers profiles, showing that the Pitty Tiger group is fairly small compared to other APT groups, which is probably why we saw them work on a very limited amount of targets.

There is some overlap with APT 5, Keyhole Panda.
ObservedSectors: Defense, Government, Telecommunications and Web development.
Countries: Taiwan and Europe.
Tools usedEnfal, Gh0st RAT, gsecdump, Leo RAT, Mimikatz, Paladin RAT, pgift, Pitty, Poison Ivy.
Operations performed2011Operation “The Eye of the Tiger”
<https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf>
Jun 2014We discovered this malware sample in June 2014, leading to a command & control (c&c) server still in activity.
Our researches around the malware family revealed the “Pitty Tiger” group has been active since 2011, yet we found traces which makes us believe the group is active since 2010.
<http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2>
Jul 2014During the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear phishing email against a French company. We have seen email sent to a large group of individuals in the organization.
<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/>
2014In a recent attack against a French company, the attackers sent simple, straightforward messages in English and French from free email addresses using names of actual employees of the targeted company.
<https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html>
MITRE ATT&CK<https://attack.mitre.org/groups/G0011/>

Last change to this card: 22 April 2020

Download this actor card in PDF or JSON format

Previous: Patchwork, Dropping Elephant
Next: PKPLUG

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key