Threat Actor Profile
Vertigo Panda
Vertigo Panda is a China-nexus advanced persistent threat (APT) group that spun up around mid-2020. Though a separate crew, they operate adjacent to the notorious Mustang Panda. These actors are all about espionage, primarily targeting government, defense, and even religious organizations across Europe and other parts of the world.
Country of Origin
Vertigo Panda is a China-nexus adversary, meaning its operations are linked to and likely sponsored by the People's Republic of China.
Members
The exact size and member aliases of the group are not publicly known. Operations suggest a well-organized team with distinct roles for malware development, phishing campaigns, and data exfiltration.
Leadership
The specific leaders or individual identities within Vertigo Panda remain unknown. Like most state-sponsored groups, their command structure is kept under tight wraps.
Vertigo Panda TTPs
Tactics
The main goal for Vertigo Panda is straight-up espionage. They’re not after a quick payday; they want sensitive information. Their operations focus on long-term intelligence gathering from high-value targets. This includes stealing state secrets, military plans, intellectual property, and internal communications from government and defense entities that align with China's strategic interests.
Techniques
To get what they want, Vertigo Panda relies heavily on social engineering and spear phishing. They craft convincing emails, often using lures related to geopolitical events or topics relevant to their targets. Once they get a foothold, they use living-off-the-land binaries (LOLBins) and legitimate tools like PowerShell to stay hidden and move laterally through a network. They are also known for exploiting vulnerabilities to gain initial access.
Procedures
Vertigo Panda's playbook often starts with a phishing email carrying a malicious attachment. They’ve used custom backdoors like Hannot and PlugX (a tool they share with other Chinese APTs). Their malware often uses DLL side-loading to evade detection. They set up command-and-control (C2) infrastructure to exfiltrate stolen data and maintain persistence within the compromised environment.
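The two behaviours just described, DLL side-loading and living-off-the-land PowerShell use, can be triaged with simple heuristics over endpoint telemetry. The script below is an added example for this profile, not Huntress code and not anything recovered from Vertigo Panda tooling. It assumes a simplified, Sysmon-like event shape (image-load and process-create records with signature status), and every sample event in it is constructed; nothing in it is a real indicator.

```python
import ntpath
from dataclasses import dataclass


# Hypothetical, simplified event shapes (roughly Sysmon event IDs 7 and 1).
@dataclass
class ImageLoad:
    process: str          # full path of the process that loaded the DLL
    image: str            # full path of the loaded DLL
    process_signed: bool  # Authenticode status as reported by the sensor
    image_signed: bool


@dataclass
class ProcessCreate:
    image: str            # full path of the new process
    parent_image: str     # full path of the parent process
    command_line: str


SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command-line fragments typical of PowerShell driven by a dropped script
# rather than by an administrator at a console.
SUSPICIOUS_PS_FRAGMENTS = ("-enc", "-encodedcommand", "-nop", "-w hidden",
                           "downloadstring", "iex ")


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """A signed executable loading an unsigned DLL from the executable's own
    directory, outside the Windows system directories, is the classic shape
    of DLL side-loading."""
    proc_dir = ntpath.dirname(ev.process).lower()
    img_dir = ntpath.dirname(ev.image).lower()
    if proc_dir != img_dir or proc_dir.startswith(SYSTEM_DIRS):
        return False
    return ev.process_signed and not ev.image_signed


def is_suspicious_powershell(ev: ProcessCreate) -> bool:
    """PowerShell spawned by an Office application (the phishing-attachment
    path) or run with encoded, hidden-window or download-and-run arguments."""
    if ntpath.basename(ev.image).lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    parent = ntpath.basename(ev.parent_image).lower()
    cmd = ev.command_line.lower()
    return parent in OFFICE_PARENTS or any(f in cmd for f in SUSPICIOUS_PS_FRAGMENTS)


def triage(events) -> list[dict]:
    """Run both heuristics over a stream of events and return findings."""
    findings = []
    for ev in events:
        if isinstance(ev, ImageLoad) and is_sideload_candidate(ev):
            findings.append({"rule": "dll_sideload",
                             "process": ev.process, "image": ev.image})
        elif isinstance(ev, ProcessCreate) and is_suspicious_powershell(ev):
            findings.append({"rule": "lolbin_powershell",
                             "parent": ev.parent_image,
                             "command_line": ev.command_line})
    return findings


# Constructed sample telemetry for the demonstration (not real IoCs).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\update\vendorupdater.exe",
              r"C:\Users\alice\AppData\Local\Temp\update\libcore.dll",
              process_signed=True, image_signed=False),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll",
              process_signed=True, image_signed=True),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe",
              r"C:\Program Files\ExampleApp\helper.dll",
              process_signed=True, image_signed=True),
    ProcessCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcessCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\explorer.exe",
                  r"powershell.exe -File C:\Scripts\nightly-backup.ps1"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                  "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately narrow: the side-load check keys on the signer mismatch between a legitimate host executable and the DLL beside it, which is exactly the property that makes side-loading attractive to the attacker and exactly what a sensor with signature data can see; the PowerShell check fires on parentage and argument shape rather than on any particular payload string, so it survives changes to the encoded content. In production you would enrich with the process's own code-signing publisher and with a known-good allowlist to cut down on installer noise.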
Notable Cyberattacks
While specific, publicly attributed breaches are hard to pin down, Vertigo Panda has been linked to numerous espionage campaigns since 2020. Their operations are often identified through the discovery of their unique malware and infrastructure. They have been observed targeting European diplomatic entities and organizations involved in international relations. One consistent theme is their use of current events as lures, tricking victims into opening documents that deploy their malware payloads.
Law Enforcement & Arrests
So far, there have been no public announcements of arrests or specific law enforcement operations targeting Vertigo Panda directly. State-sponsored threat actors operating from nations like China are notoriously difficult to prosecute. Instead of arrests, actions against groups like Vertigo Panda typically involve public attribution, sanctions, and threat intelligence sharing among allied nations to disrupt their campaigns.
How to Defend Against Vertigo Panda
Train Your Team: Since phishing is their go-to move, security awareness training is non-negotiable. Teach your people how to spot and report suspicious emails.
Patch Everything: These actors love to exploit known vulnerabilities. Keep your systems, software, and applications updated to close those doors.
Monitor Endpoints: You need to see what’s happening on your devices. This is where Huntress comes in. Our Managed EDR provides 24/7 monitoring by human threat hunters who can spot the sneaky "living-off-the-land" techniques that Vertigo Panda uses. We don't just rely on automated alerts; our team analyzes suspicious activity to stop threats before they escalate.
Control Application Access: Use application allowlisting to prevent unauthorized executables and scripts from running. This can stop their custom malware in its tracks.
Secure Your Email: Implement an email security solution to filter out malicious attachments and links before they ever reach an inbox.
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Vertigo Panda threats with enterprise-grade technology.