Adversary

Wicked Panda

ORIGIN

China

Community Identifiers

Winnti, Group 72, BARIUM, LEAD, GREF, APT41, TG-2633, BRONZE ATLAS

Wicked Panda has been one the most prolific and effective China-based adversaries from the mid 2010s into the 2020s.

They have consistently expanded their target scope as well as their toolsuite while shifting from criminally focused operations to state-sponsored targeted intrusions that often align with Chinese Communist Party (CCP) objectives outlined in the 13th Five Year and the Made in China 2025 initiative. CrowdStrike Intelligence assesses Wicked Panda consists of a superset of groups involving several contractors working in the interests of the Chinese state while still carrying out criminal, for-profit activities, likely with some form of tacit approval from CCP officials.

A commonality among these Wicked Panda groups is the use of the Winnti malware. Winnti has gone through many iterations since its appearance in 2010 and is likely still under development. They have also used the low prevalence ShadowPad backdoor which has been associated with software supply-chain attacks. Wicked Panda operators also use other custom loaders and malware such as CooperLoader, AttachLoader, RouterGod, and Proxip in conjunction with publicly available malware and post-exploitation tools such as Cobalt Strike and Mimikatz.

Targeted Nations

  • Flag Icon of the country Germany

    Germany

  • Flag Icon of the country Hong Kong

    Hong Kong

  • Flag Icon of the country India

    India

  • Flag Icon of the country Japan

    Japan

  • Flag Icon of the country South Korea

    South Korea

  • Flag Icon of the country Taiwan

    Taiwan

  • Flag Icon of the country United States

    United States

Target Industries

  • Agriculture
  • Chemicals
  • Extractive
  • Hospitality
  • Industrials and Engineering
  • Think Tanks
  • Academic
  • Technology

Artwork

Adversary: Wicked Panda - Threat Actor

Crowdstrike Wicked Panda

I have read and accept the terms and conditions

Download

Explore Next Adversary

Wizard Spider

All Adversaries 17

Explore Next Adversary

Terms and conditions

In order to download the adversary artwork, we kindly request you to accept our terms and conditions displayed below.

This image (“artwork”), is the intellectual property of CrowdStrike, Inc. and its affiliates and licensors (collectively, “us” or “we”) and may include other marks, trademarks, copyrighted materials, and other intellectual property (“assets”) that belong t o us, including, without limitation, CrowdStrike, the CrowdStrike logo, and CrowdStrike Falcon. We retain all right, title and interest in and to the artwork and all assets included therein. This artwork is offered to you as a convenience for your lawful a nd non-commercial use, solely as authorized by us, and subject to your compliance with these terms and conditions (“terms”) and any other guidelines or specifications that we may provide from time to time. We reserve the right to change these terms at any time without prior notice.

You should periodically check the latest information posted herein to be sure that you are in compliance. By downloading the artwork, you attest that you are at least 18 years of age and agree to the following terms, which const itute the sole and entire agreement between you and us with respect to the artwork. We reserve all rights not expressly granted to you herein. You may not use or display the artwork in any way: (i) that violates the rights of any person or entity or that may give rise to civil or criminal liability under laws or regulations applicable to you, another user, and/or CrowdStrike; (ii) that is defamatory, obscene, indecent, abusive, harassing, violent, hateful, inflammatory or otherwise objectionable; (iii) tha t is false, deceptive, misleading or fraudulent, including but not limited to: (a) any attempt to impersonate any person or entity, including any other user, CrowdStrike or a CrowdStrike employee; (b) any attempt to misrepresent your identity or affiliation with any person or organization; or (iv) for the purposes of recruiting, advertising, solicitation or commercial activities of any kind without our express written consent.

THE ARTWORK IS PROVIDED TO YOU BY CROWDSTRIKE ON AN “AS IS” AND “AS AVAILABLE” BA SIS, WITHOUT ANY WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. EXCEPT TO THE EXTENT THAT A DISCLAIMER OF LIABILITY IS PROHIBITED UNDER APPLICABLE LAW, IN NO EVENT WILL CROWDSTRIKE, ITS AFFILIATES AND ITS LICENSORS, EMPLOYEES, AGENTS, OFFICERS AND DIRE CTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE ARTWORK.