MITRE ATT&CK® Group

G0009: Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]

Enterprise | G0009 | Group | Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Deep Panda is an ATT&CK intrusion set associated in public reporting with targeting across government, defense, financial, telecommunications, and healthcare contexts. The practical value for leaders is not the name alone, but the behavior cluster: use of Windows administration utilities, discovery activity, SMB-based lateral movement, WMI/PowerShell execution, web shells, persistence mechanisms, and malware/backdoors referenced by ATT&CK relationships. These behaviors matter because they map to long-dwell intrusions where identity misuse, endpoint visibility, server exposure, and incident response readiness determine how quickly an organization can contain spread and preserve evidence.

Executive priority

Treat this object as a planning reference for espionage-style intrusion readiness rather than proof of current targeting. Security leaders should ask whether high-value environments have defensible coverage for lateral movement, administrative-tool abuse, web server persistence, and credential-enabled access over SMB. For audit and risk discussions, the priority is demonstrating that SOC monitoring, endpoint logging, web server integrity review, and privileged access controls can detect or constrain the techniques ATT&CK associates with this group.

Technical view

ATT&CK provides no group-level detection text or platforms, so defenders should validate coverage through the related software and techniques. The strongest relationship-driven focus is Windows-heavy activity: Net, Tasklist, WMI, PowerShell, Regsvr32, SMB/Windows Admin Shares, Accessibility Features, Hidden Window, Sakula, Mivast, and StreamEx. Derusbi has Windows and Linux variants, and web shell persistence may affect Windows, Linux, macOS, and network-device-hosted web services. SOC and IR teams should test whether they can reconstruct remote discovery, process enumeration, administrative share access, remote execution, suspicious script execution, web shell placement/use, and persistence changes without relying only on malware signatures.

Likely telemetry

  • Endpoint process creation with command-line arguments for net, tasklist, ping, PowerShell, WMI-related processes, and regsvr32.exe
  • Windows authentication and logon events, especially remote logons and privileged account use
  • SMB/admin share access logs and file write activity to remote systems
  • PowerShell script block/module logging where enabled
  • WMI operational logs and remote management activity

Detection direction

  • Do not build detections only around the Deep Panda name or aliases; prioritize the ATT&CK-linked behaviors and software relationships.
  • Tune for suspicious use of legitimate administration utilities in unusual user, host, time, or remote-access contexts; these tools have high administrative false-positive potential.
  • Correlate discovery commands with later SMB access, WMI execution, PowerShell execution, or web server changes to reduce noise and improve incident confidence.
  • Validate that web shell monitoring covers internet-facing and internally accessible web servers, including script creation in web-accessible directories and abnormal command execution from web service accounts.
  • Review whether allowlisting or trust in Microsoft-signed binaries creates blind spots for regsvr32.exe, PowerShell, and WMI abuse.

Mitigation priorities

  • Prioritize privileged access hygiene and least privilege for accounts that can use SMB, WMI, PowerShell remoting, and administrative shares.
  • Harden and monitor Windows administrative tooling rather than attempting to block all legitimate utilities outright.
  • Reduce lateral movement paths by limiting administrative shares, segmenting high-value systems, and enforcing strong authentication controls for remote administration.
  • Apply web server hardening, patching, file integrity monitoring, and restricted write permissions to reduce web shell persistence opportunities.
  • Enable and retain endpoint, PowerShell, WMI, authentication, SMB, and web server logs at levels sufficient for incident reconstruction.

Analyst notes and limits

Deep Panda has multiple aliases in ATT&CK, including Shell Crew, WebMasters, KungFu Kittens, PinkPanther, and Black Vine. ATT&CK notes uncertainty in open-source reporting about whether Deep Panda and APT19 are the same group, so analysis should avoid over-merging identities without independent evidence. The Anthem intrusion is cited in the official description, but this take does not infer current targeting or exposure for any organization.

The group object does not specify platforms, tactics, or official detection guidance. Platform and technique discussion is derived from the supplied ATT&CK relationships, not from a group-level platform declaration. Local asset inventory, identity architecture, exposed web services, logging configuration, and business-critical system mapping are required to turn this into a defensible control assessment.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1057 | Process Discovery | Deep Panda uses the Microsoft Tasklist utility to list processes running on systems. (Citation: Alperovitch 2014)
Enterprise | T1018 | Remote System Discovery | Deep Panda has used ping to identify other machines of interest. (Citation: Alperovitch 2014)
Enterprise | T1505.003 | Web Shell (sub-technique) | Deep Panda uses Web shells on publicly accessible Web servers to access victim networks. (Citation: CrowdStrike Deep Panda Web Shells)
Enterprise | T1027.005 | Indicator Removal from Tools (sub-technique) | Deep Panda has updated and modified its malware, resulting in different hash values that evade detection. (Citation: Symantec Black Vine)
Enterprise | T1218.010 | Regsvr32 (sub-technique) | Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks. (Citation: RSA Shell Crew)
Enterprise | T1564.003 | Hidden Window (sub-technique) | Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Alperovitch 2014)
Enterprise | T1059.001 | PowerShell (sub-technique) | Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk. (Citation: Alperovitch 2014)
Enterprise | T1546.008 | Accessibility Features (sub-technique) | Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions. (Citation: RSA Shell Crew)
Enterprise | T1047 | Windows Management Instrumentation | The Deep Panda group is known to utilize WMI for lateral movement. (Citation: Alperovitch 2014)
Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials. (Citation: Alperovitch 2014)
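The correlation approach from the Detection direction section above, applied to the behaviors in this technique table, as an added example that is not part of the original page or of MITRE's content: it runs over constructed process-creation records and raises an alert only when a discovery command (tasklist, ping, net view) is followed on the same host, within a time window, by one of the table's follow-on behaviors. The record fields, the regex patterns and the 30-minute window are assumptions chosen for illustration, not values from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon EID 1 / Security 4688 style).
# These are sample inputs written for this example, not real telemetry.
EVENTS = [
    {"ts": "2024-05-01T09:02:11", "host": "WS-17", "user": "jdoe", "cmd": "tasklist /v"},
    {"ts": "2024-05-01T09:03:40", "host": "WS-17", "user": "jdoe", "cmd": "ping -n 1 FS-02"},
    {"ts": "2024-05-01T09:05:02", "host": "WS-17", "user": "jdoe", "cmd": r"net use \\FS-02\admin$ /user:corp\svc_backup"},
    {"ts": "2024-05-01T09:06:30", "host": "WS-17", "user": "jdoe", "cmd": "powershell.exe -w hidden -nop -c <script>"},
    {"ts": "2024-05-01T11:30:00", "host": "ADMIN-01", "user": "helpdesk", "cmd": "tasklist"},
    {"ts": "2024-05-01T16:45:00", "host": "ADMIN-01", "user": "helpdesk", "cmd": r"net use \\FS-02\c$"},
]

# Discovery behaviours the table attributes to the group (T1057, T1018).
DISCOVERY = re.compile(r"^(tasklist|ping|net1?\s+(view|group|user))\b", re.I)

# Follow-on behaviours from the table, keyed by ATT&CK ID (patterns are assumptions).
FOLLOW_ON = {
    "T1021.002": re.compile(r"^net1?\s+use\s+\\\\", re.I),                    # net use to a UNC share
    "T1047": re.compile(r"^wmic(\.exe)?\b.*\s/node:", re.I),                  # remote WMI execution
    "T1564.003": re.compile(r"^powershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I),
    "T1218.010": re.compile(r"^regsvr32(\.exe)?\b", re.I),
}

def correlate(events, window_minutes=30):
    """Return one alert per follow-on command that was preceded by a discovery
    command on the same host within the window. Requiring the discovery step is
    what cuts noise from routine administrative use of the same utilities."""
    alerts = []
    last_discovery = {}  # host -> (timestamp, cmd) of the most recent discovery command
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, cmd = ev["host"], ev["cmd"]
        if DISCOVERY.search(cmd):
            last_discovery[host] = (ts, cmd)
            continue
        for tech, pattern in FOLLOW_ON.items():
            if pattern.search(cmd) and host in last_discovery:
                d_ts, d_cmd = last_discovery[host]
                if ts - d_ts <= timedelta(minutes=window_minutes):
                    alerts.append({"host": host, "user": ev["user"], "technique": tech,
                                   "discovery": d_cmd, "follow_on": cmd})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['host']} {a['user']} {a['technique']}: {a['discovery']!r} -> {a['follow_on']!r}")
```

With the sample records, WS-17 produces two alerts (admin share access and hidden-window PowerShell minutes after tasklist and ping), while ADMIN-01's net use five hours after its tasklist falls outside the window and stays silent.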

Associated objects

Groups, software, and campaigns

Tool (Enterprise): S0097: Ping

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [1]

Tool (Enterprise): S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Platform: Windows

Malware (Enterprise): S0074: Sakula

Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. [1]

Platform: Windows

Tool (Enterprise): S0057: Tasklist

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 85f7871f6ad8ff5a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 85f7871f6ad8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Alperovitch 2014: Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  2. [2] ThreatConnect Anthem: ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
  3. [3] RSA Shell Crew: RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
  4. [4] Symantec Black Vine: DiMaggio, J. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
  5. [5] ICIT China's Espionage Jul 2016: Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China's Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
  6. [6] Black Vine (alias; Citation: Symantec Black Vine)
  7. [7] Deep Panda (alias; Citation: Alperovitch 2014)
  8. [8] KungFu Kittens (alias; Citation: RSA Shell Crew)
  9. [9] PinkPanther (alias; Citation: RSA Shell Crew)
  10. [10] Shell Crew (alias; Citation: RSA Shell Crew)
  11. [11] WebMasters (alias; Citation: RSA Shell Crew)
  12. [12] mitre-attack G0009 (MITRE ATT&CK source record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.