Stone Panda

aka: APT10, APT 10, MenuPass, Menupass Team, happyyongzi, POTASSIUM, DustStorm, Red Apollo, CVNX, HOGFISH, Cloud Hopper


Associated Families
win.anel win.chches win.emdivi win.quasar_rat win.redleaves win.trochilus_rat win.plugx win.cobalt_strike

References
1 http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html
2 http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html
1 http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html
1 http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html
1 http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html
1 http://blog.macnica.net/blog/2017/12/post-8c22.html
1 http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
1 http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/
1 http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/
1 http://cyberforensicator.com/2018/12/23/dissecting-cozy-bears-malicious-lnk-file/
1 http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
1 http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments
1 http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
1 https://401trg.com/burning-umbrella/
1 https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/
1 https://blog.cobaltstrike.com/
1 https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/
1 https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/
1 https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
1 https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
1 https://community.rsa.com/thread/185439
1 https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/
1 https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/
1 https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite
1 https://github.com/5loyd/trochilus/
1 https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
1 https://github.com/m0n0ph1/malware-1/tree/master/Trochilus
1 https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves
1 https://github.com/quasar/QuasarRAT/tree/master/Client
1 https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
1 https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A
1 https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
1 https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/
1 https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
1 https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
1 https://securelist.com/new-activity-of-the-blue-termite-apt/71876/
1 https://securelist.com/time-of-death-connected-medicine/84315/
1 https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/
1 https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
1 https://twitter.com/malwrhunterteam/status/789153556255342596
1 https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
1 https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf
https://www.cfr.org/interactive/cyber-operations/apt-10
1 https://www.cobaltstrike.com/support
1 https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
1 https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html
1 https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
1 https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
1 https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html
1 https://www.jpcert.or.jp/magazine/acreport-ChChes.html
1 https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html
1 https://www.jpcert.or.jp/magazine/acreport-redleaves.html
1 https://www.lac.co.jp/lacwatch/people/20171218_001445.html
1 https://www.lac.co.jp/lacwatch/people/20180521_001638.html
https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf
1 https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/
5 https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
1 https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf
1 https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf
1 https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
1 https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
1 https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
1 https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/

Credits: MISP Project