Cyber Threat Actor: APT23
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
1 incident |
|---|
Profile
APT23, also known asPirate Panda, is a threat actor group that has been publicly linked to China. The group operates under the aliases APT23 and Pirate Panda and is described as being backed by the Chinese state. Its known activity focuses on government and political organisations, particularly those involved in territorial disputes in the South China Sea. Public reporting notes that Pirate Panda has historically pursued issues surrounding those maritime conflicts. The actor’s objectives are characterized by attempts to obtain sensitive information from its targets. Initial access is commonly achieved through spear phishing emails that contain malicious Excel documents disguised as legitimate schedules or office files. When the attachment is opened, the attack employs DLL side‑loading by dropping a legitimate Windows Defender executable (utilman.exe, which is MsMpeng.exe) alongside a malicious DLL (mpsvc.dll) in the user’s AppData folder. A shortcut to the legitimate executable is placed in the startup folder so that the malicious DLL is loaded on each system reboot, establishing persistence. The malicious DLL makes DNS queries to Google’s public resolvers before contacting a command‑and‑control server hosted on a newly registered domain, such as skypechatvideo[.]online. Communication with the C2 occurs over HTTP GET requests on a non‑standard port, and the DLL shares code similarities with the exile‑RAT and KeyBoy remote access tools that Pirate Panda has previously used. These technical details indicate a tooling style that blends trusted system binaries with custom malware to evade detection.
A representative operation occurred on April 27, 2020, when Pirate Panda targeted government employees in Da Nang, Vietnam, with a spear phishing lure referencing local holiday schedules. The email appeared to originate from an internal government account, suggesting prior compromise, and the attached Excel file dropped the DLL side‑loading payload described above. The attack infrastructure included a freshly registered domain that served as the C2 host, and the malware exhibited genetic links to exile‑RAT, a tool associated with the group. Because Da Nang lies opposite the Paracel Islands, an area of ongoing territorial dispute, the targeting aligns with the group’s historic focus on South China Sea issues. If successful, intrusion into a government‑run data center would provide the actor with access to large volumes of sensitive information, consistent with its observed objectives. This pattern of activity illustrates how Pirate Panda combines social engineering, legitimate‑binary abuse, and custom remote access tools to pursue its intelligence‑gathering goals.
