ETDA ThaiCERT
Report
Search
Home > List all groups > ShaggyPanther

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: ShaggyPanther

NamesShaggyPanther (Kaspersky)
CountryChina China
MotivationInformation theft and espionage
First seen2018
Description(Kaspersky) We first discussed ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia, in a private report in January 2018. Related activities date back to more than a decade ago, with similar code maintaining compilation timestamps from 2004. Since then, ShaggyPanther activity has been detected in several more locations: most recently in Indonesia in July, and – somewhat surprisingly – in Syria in March. The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used web shell shared by multiple Chinese-speaking actors. SinoChopper not only performs host identification and backdoor delivery but also email archive theft and additional activity. Although not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019, we observed ShaggyPanther targeting Windows servers.
ObservedSectors: Government.
Countries: Indonesia, Malaysia, Syria, Taiwan.
Tools usedChina Chopper.
Information<https://securelist.com/ksb-2019-review-of-the-year/95394/>

Last change to this card: 14 April 2020

Download this actor card in PDF or JSON format

Previous: Shadow Network
Next: SideWinder, Rattlesnake

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key