
APT2 (0ca45163-e223-4167-b1af-f088ed14a93d)

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | APT2 (0ca45163-e223-4167-b1af-f088ed14a93d) | Threat Actor | 1 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| Putter Panda - G0024 (5ce5392a-3a6c-4e07-9df3-9b6a9159ac45) | Intrusion Set | httpclient - S0068 (e8268361-a599-4e45-bd3f-71c8c7e700c0) | Malware | 2 |
| Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 3 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 3 |
| Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | 3 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | 3 |
| pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | pngdowner (fb4313ea-1fb6-4766-8b5c-b41fd347e4c5) | Malpedia | 3 |
| pngdowner - S0067 (800bdfba-6d66-480f-9f45-15845c05cb5d) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 3 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 3 |
| Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 3 |
| 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 3PARA RAT (59fb0222-0e7d-4f5f-92ac-e68012fb927d) | RAT | 3 |
| 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 3PARA RAT - S0066 (7bec698a-7e20-4fd3-bb6a-12787770fb1a) | Malware | 3 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 3 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | 3 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 3 |
| 4H RAT - S0065 (8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc) | Malware | 4H RAT (d8aad68d-a68f-42e1-b755-d5f383b73401) | RAT | 3 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 3 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | httpclient - S0068 (e8268361-a599-4e45-bd3f-71c8c7e700c0) | Malware | 3 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | httpclient - S0068 (e8268361-a599-4e45-bd3f-71c8c7e700c0) | Malware | 3 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | httpclient - S0068 (e8268361-a599-4e45-bd3f-71c8c7e700c0) | Malware | 3 |
| Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 4 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 4 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 4 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) | Attack Pattern | 4 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 4 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 4 |