Threat Actor Profile
Ethereal Panda
Ethereal Panda is a Chinese-aligned advanced persistent threat (APT) group, also referred to by aliases such as Flax Typhoon, RedJuliett, Storm-0919, and UNC5007. First observed publicly around mid-2021, this nation-state actor is known for its focus on espionage and intelligence gathering. Ethereal Panda employs a stealthy approach, leveraging legitimate tools and living-off-the-land methods to infiltrate targets across academia, government, technology, and telecommunications.
Country of Origin
Ethereal Panda is attributed to China; its tactics and objectives consistently align with the state objectives typical of Chinese APT groups.
Members
The exact size and composition of Ethereal Panda’s team are unknown. However, their operations indicate a well-coordinated and technically proficient group capable of executing complex, regionally targeted campaigns.
Leadership
Specific leadership details regarding Ethereal Panda remain unknown. The group operates under several aliases and exhibits behaviors suggesting centralized coordination often associated with state-sponsored cyber operations.
Ethereal Panda TTPs
Tactics
Ethereal Panda’s primary goals revolve around cyber espionage, intelligence gathering, and the acquisition of sensitive information from targeted sectors. Their campaigns frequently focus on geopolitically significant regions and institutions of strategic importance.
Techniques
The group relies heavily on exploiting vulnerabilities in public-facing servers, utilizing web shells like China Chopper and persistent tools like SoftEther VPN to maintain access. They also employ credential-dumping tools such as Mimikatz and utilize living-off-the-land binaries to avoid detection.
Procedures
Ethereal Panda uses minimal custom malware in the initial stages of an attack, opting instead for manual operator activity. They establish persistence using VPNs, web shells, and RDP tools, infiltrate networks by exploiting unpatched vulnerabilities, and maintain stealth with legitimate software and built-in tools.
Notable Cyberattacks
Taiwan Campaign (2023)
Ethereal Panda targeted dozens of Taiwanese organizations using legitimate software and built-in tools to access networks, relying on minimal malware to evade detection.
Monlam Festival / Tibet-Related Campaign (2023)
The group exploited a Tibetan religious festival organizer’s website, employing a watering-hole attack to insert malicious code and compromise translation software installers, delivering backdoors and downloaders such as MgBot.
Law Enforcement & Arrests
No known law enforcement actions have been publicly reported against Ethereal Panda. Their operations remain active and evasive.
How to Defend Against Ethereal Panda
Reduce Public-Facing Attack Surface: Regularly patch vulnerabilities in servers, deploy web application firewalls (WAFs), and disable unnecessary services.
Enhance Credential Protection: Monitor for suspicious tool usage, implement multifactor authentication (MFA), and enforce strong password policies.
Strengthen Remote Access Security: Control VPN usage, monitor remote desktop protocol (RDP) activities, and apply least privilege principles.
Maintain Software Update Integrity: Validate code signing, monitor update mechanisms, and establish baselines for legitimate software versions.
Detect Web Shells and Suspicious Activity: Use file integrity monitoring and analyze web server logs for anomalies.
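The last two defensive points above, web shell detection through log analysis backed by a file integrity baseline, as an added example that is not part of the original profile or Huntress tooling. It scores each server-side script seen in an access log on two independent signals: the script is absent from the deployment baseline, and it is only ever reached by POST with no referer (nothing links to it, the usual traffic shape of a web shell). The log lines, the baseline and the IP addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2023:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2023:09:12:03 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2023:09:14:10 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 412 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jun/2023:09:14:12 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 2201 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Jun/2023:09:15:00 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 "https://example.test/" "Mozilla/5.0"
"""

# Constructed baseline of script paths that belong to the deployed application.
# In practice this comes from file integrity monitoring or the deployment manifest.
KNOWN_SCRIPTS = {"/index.php", "/login.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".aspx", ".asp", ".jsp", ".ashx")


def parse(log_text):
    """Yield one dict per well-formed combined-format log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_webshell_candidates(log_text, known_scripts=KNOWN_SCRIPTS):
    """Return (path, client_ips, reasons) for scripts that trip both signals."""
    stats = defaultdict(lambda: {"methods": set(), "referers": set(), "ips": set()})
    for r in parse(log_text):
        path = r["path"].split("?", 1)[0]          # drop the query string
        if not path.lower().endswith(SCRIPT_EXT):
            continue                               # only server-side scripts matter
        stats[path]["methods"].add(r["method"])
        stats[path]["referers"].add(r["referer"])
        stats[path]["ips"].add(r["ip"])
    findings = []
    for path, s in stats.items():
        reasons = []
        if path not in known_scripts:
            reasons.append("script not in file-integrity baseline")
        if s["methods"] == {"POST"} and s["referers"] <= {"-", ""}:
            reasons.append("POST-only access with no referer")
        if len(reasons) == 2:                      # require both signals to limit noise
            findings.append((path, sorted(s["ips"]), reasons))
    return findings
```

A legitimate form handler such as /login.php is POST-only but carries a referer and is in the baseline, so it is not flagged; a script dropped into an upload directory and driven by a client tool trips both checks.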
Huntress tools offer proactive threat detection and endpoint protection to help organizations monitor and mitigate threats from groups like Ethereal Panda.