MITRE ATT&CK® Group

G0024: Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [1]

Domain: Enterprise | ID: G0024 | Type: Group | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Putter Panda is an ATT&CK group entry with aliases APT2 and MSUpdater. The supplied ATT&CK context matters because the group is linked to multiple Windows malware families and techniques associated with persistence, stealth, privilege escalation, defense impairment, and encoded or encrypted files. For leaders, the value is not assuming exposure to this specific group; it is using the mapped behaviors to test whether endpoint visibility, malware triage, persistence review, and security-tool tamper monitoring are strong enough to support incident decisions.

Executive priority

Prioritize validation of foundational endpoint and SOC controls over group-specific assumptions. The relationship set points to RATs and lightweight downloader or secondary tools on Windows, plus techniques that can weaken detection or maintain access. Executives should ask whether the organization can prove it collects the evidence needed to identify suspicious startup persistence, DLL injection patterns, encoded artifacts, and security-tool modification events. These checks support operational resilience, incident response readiness, and audit evidence for endpoint monitoring and control effectiveness.

Technical view

ATT&CK does not provide group-level detection text or platforms for Putter Panda, so defenders should pivot from the relationships. Validate coverage for related software S0065 4H RAT, S0066 3PARA RAT, S0067 pngdowner, and S0068 httpclient, noting that the related software entries specify Windows. Technique-driven validation should include T1547.001 Registry Run Keys / Startup Folder, T1055.001 DLL Injection, T1027.013 Encrypted/Encoded File, and T1685 Disable or Modify Tools. SOC and IR teams should confirm they can correlate process execution, registry or startup-folder changes, module loading or cross-process activity, file content or metadata anomalies, and security-agent service/configuration changes.

Likely telemetry

  • Windows endpoint process creation and command-line metadata
  • Windows registry modification events for Run keys and related startup locations
  • Startup folder file creation or modification events
  • DLL/module load telemetry and cross-process memory or thread activity where available
  • File creation, download, and execution telemetry for suspicious binaries or encoded/encrypted artifacts

Detection direction

  • Do not rely on the group name alone; build detections around the mapped software and techniques because the official object has no group-level detection guidance.
  • Tune persistence analytics for unusual Run key and startup-folder entries, with allowlisting for approved enterprise software to reduce false positives.
  • Validate DLL injection visibility using endpoint telemetry that can show suspicious module loading, remote thread creation, or process memory manipulation, recognizing that not all environments collect this by default.
  • Review encoded or encrypted file detections as triage leads rather than standalone proof, since legitimate software also uses encoding and encryption.
  • Monitor for security-tool impairment, including stopped services, killed processes, modified configurations, disabled updates, and sensor health degradation.
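As an added, constructed illustration of the detection direction above (not Glexia's or MITRE's code), this Python triage routine maps Sysmon-style endpoint events to the procedures recorded in this page's relationship table: the McUpdate Run-key value, termination of the two Sophos Anti-Virus components, and remote threads into the four network-facing processes. The event field names, the kill-utility list and the trusted-injector allowlist are assumptions; the technique IDs are the ones listed on this page.

```python
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SOPHOS_PROCS = {"savadminservice.exe", "savservice.exe"}
INJECT_TARGETS = {"msinm.exe", "outlook.exe", "iexplore.exe", "firefox.exe"}
KILL_TOOLS = {"taskkill.exe", "pskill.exe"}        # assumption: common kill utilities
TRUSTED_INJECTORS = {"csrss.exe", "msmpeng.exe"}   # assumption: tune to the estate

# Constructed sample events in a Sysmon-like shape (not real telemetry).
EVENTS = [
    {"type": "registry_set", "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\McUpdate",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "registry_set", "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "command_line": "taskkill /F /IM SavService.exe"},
    {"type": "process_terminate", "image": r"C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe"},
    {"type": "create_remote_thread", "source_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "create_remote_thread", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\explorer.exe"},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> "tuple[str, str] | None":
    """Map one event to (technique ID as listed on this page, reason), or None."""
    t = ev["type"]
    if t == "registry_set":
        key, _, value = ev["target_object"].lower().rpartition("\\")
        if key.endswith(RUN_SUFFIX) and value == "mcupdate":
            return "T1547.001", f"Run key value McUpdate written by {basename(ev['image'])}"
    elif t == "process_create":
        cmd = ev["command_line"].lower()
        if basename(ev["image"]) in KILL_TOOLS and any(p in cmd for p in SOPHOS_PROCS):
            return "T1685", f"kill utility aimed at Sophos AV: {ev['command_line']}"
    elif t == "process_terminate":
        # A direct TerminateProcess call leaves no process-creation trace, so also
        # watch the victim side: an AV component exiting is a lead, not proof.
        if basename(ev["image"]) in SOPHOS_PROCS:
            return "T1685", f"Sophos AV component exited: {basename(ev['image'])}"
    elif t == "create_remote_thread":
        src, dst = basename(ev["source_image"]), basename(ev["target_image"])
        if dst in INJECT_TARGETS and src not in TRUSTED_INJECTORS:
            return "T1055.001", f"remote thread from {src} into network-facing {dst}"
    return None

def triage(events: "list[dict]") -> "list[tuple[str, str]]":
    """Return technique-tagged leads in event order for analyst review."""
    return [hit for ev in events if (hit := classify(ev)) is not None]
```

Running `triage(EVENTS)` on the constructed sample yields four leads, the second registry write (OneDrive) and the csrss.exe thread being left alone.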

Mitigation priorities

  • Confirm endpoint logging and EDR coverage first, especially on Windows systems relevant to the related malware entries.
  • Harden and monitor startup persistence locations, including Registry Run keys and startup folders, with change control for legitimate administrative software.
  • Protect security tooling from tampering through least privilege, service protection, configuration monitoring, and alerting on health degradation.
  • Strengthen malware prevention and response workflows for RATs and downloader-style tools, including quarantine, host isolation decision criteria, and forensic collection plans.
  • Use application control, controlled software installation, and privilege management where feasible to reduce unauthorized execution and persistence opportunities.

Analyst notes and limits

The official ATT&CK description attributes Putter Panda to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department and cites CrowdStrike reporting. The supplied relationships provide the practical defensive anchor: four related malware/software entries and four related techniques. Because tactics and platforms are not specified at the group-object level, platform statements should be derived only from the related software and technique records.

No official detection text is provided for the group object, and the group-level platforms and tactics are not specified. This take therefore focuses on the supplied relationships and should be validated against local asset inventory, telemetry availability, approved software baselines, and current threat intelligence before being used for prioritization or incident attribution.

Official MITRE ATT&CK definition

Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)

A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate. [1]

Enterprise | T1685 | Disable or Modify Tools

Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe). [1]

Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique)

An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe). [1]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)

Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads. [1]
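An added triage helper for the T1027.013 row (not from this page or the CrowdStrike report): it applies the documented 16-byte XOR key 0xA0..0xAF to a captured blob and reports whether a PE image emerges, so an analyst can confirm that a sample matches this procedure before deeper analysis. It assumes the key is used as a repeating byte stream and tries every rotation, because the procedure text gives the key bytes but not their alignment; the RC4 variant is not covered, and the sample blob is constructed.

```python
PUTTER_PANDA_XOR_KEY = bytes(range(0xA0, 0xB0))  # the 16 bytes 0xA0..0xAF from the table above

def xor_rolling(data: bytes, key: bytes) -> bytes:
    """XOR byte i with key[i % len(key)]; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' magic and an e_lfanew offset that points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage_blob(blob: bytes) -> dict:
    """Classify a blob as a plain PE, a PE under the documented key (at some rotation), or unknown."""
    if looks_like_pe(blob):
        return {"status": "plain_pe", "shift": None, "decoded": blob}
    for shift in range(len(PUTTER_PANDA_XOR_KEY)):
        # Alignment of the key stream is an assumption, so try all 16 rotations.
        key = PUTTER_PANDA_XOR_KEY[shift:] + PUTTER_PANDA_XOR_KEY[:shift]
        decoded = xor_rolling(blob, key)
        if looks_like_pe(decoded):
            return {"status": "xor_a0_af_pe", "shift": shift, "decoded": decoded}
    return {"status": "unknown", "shift": None, "decoded": None}

# Constructed sample (not a real dropper artifact): a minimal fake PE header with
# e_lfanew = 0x40 and a 'PE\0\0' signature, obfuscated with the key above.
FAKE_PE_SAMPLE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20
SAMPLE_BLOB = xor_rolling(FAKE_PE_SAMPLE, PUTTER_PANDA_XOR_KEY)

if __name__ == "__main__":
    result = triage_blob(SAMPLE_BLOB)
    print(result["status"], "key shift:", result["shift"])
```

A hit from this check is a triage lead that the sample uses the documented key, not proof of attribution, since XOR with a short key is common across unrelated tooling.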

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0067: pngdowner

pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. [1]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.2
Raw hash: ac98c556c546c328...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | ac98c556c546…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CrowdStrike Putter Panda: Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  2. [2] APT2 (alias; source: Cylance Putter Panda)
  3. [3] Cylance Putter Panda: Gross, J. and Walter, J. (2016, January 12). Puttering into the Future... Retrieved November 17, 2024.
  4. [4] MSUpdater (alias; source: CrowdStrike Putter Panda)
  5. [5] Putter Panda (alias; sources: CrowdStrike Putter Panda, Cylance Putter Panda)
  6. [6] mitre-attack G0024 (external ID)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.