G0143: Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]
Analyst context for executives and security teams
Aquatic Panda matters because ATT&CK describes it as a suspected China-based group focused on intelligence collection and industrial espionage, primarily against telecommunications, technology, and government entities. For leaders, the practical issue is not the name of the group alone; it is whether the organization can detect and investigate hands-on intrusion behavior involving credential access, remote services, command execution, stealth, and local data collection across Windows and Unix-like environments referenced by the related techniques and tools.
Executive priority
Prioritize this as a resilience and sensitive-data protection use case if your organization operates in or supports telecommunications, technology, government, or similarly high-value environments. Executives should ask whether SOC, identity, endpoint, and incident response teams can prove coverage for credential theft from LSASS, domain account abuse, RDP/SMB/SSH lateral movement, PowerShell/cmd/Unix shell execution, WMI activity, log or history clearing, file deletion, and use of remote access tooling such as Cobalt Strike, Winnti variants, ShadowPad, and njRAT where relevant. The decision value is in validating evidence quality and response readiness, not assuming attribution from a single alert.
Technical view
ATT&CK provides no group-level detection text or explicit platforms for Aquatic Panda, so defenders should build validation around the related software and techniques. Coverage should be tested for Windows behaviors including LSASS access, PowerShell, Windows Command Shell, WMI, RDP, SMB/admin shares, Windows services/tasks, Wevtutil, and Windows RAT/backdoor tooling. Linux, macOS, ESXi, network device, and IaaS-relevant coverage should be reviewed where related techniques include SSH, Unix shell, command history clearing, file deletion, local data collection, and remote services. Detection engineering should emphasize behavior chains: valid account use followed by discovery, remote execution, credential access, data staging or collection, and cleanup/stealth actions.
Likely telemetry
- Endpoint process creation and command-line telemetry from Windows, Linux, macOS, and ESXi where in scope
- PowerShell logging, Windows Command Shell activity, and WMI execution records
- Windows Security, RDP, SMB/admin share, service creation, scheduled task, and authentication logs
- LSASS access signals, credential-dumping prevention or EDR events, and privileged process access telemetry
- SSH authentication logs, shell history artifacts, Unix process execution, and file deletion events
Detection direction
- Do not rely on group-name matching; validate detections against the ATT&CK-related behaviors and tools instead.
- Correlate valid domain account use with unusual RDP, SMB, SSH, WMI, PowerShell, cmd, or Unix shell execution, especially across administrative boundaries.
- Tune for false positives from legitimate administration by baselining admin tools, service management, WMI, PowerShell, SSH, and Wevtutil usage by role, host, and time window.
- Review blind spots in command-line capture, PowerShell visibility, Linux/ESXi shell logging, Windows event retention, and endpoint coverage on servers and administrative workstations.
- Treat cleanup behaviors such as command history clearing, file deletion, and log utility use as context-rich signals when paired with remote access, discovery, credential access, or data collection.
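One way to operationalize the behavior-chain approach above (valid remote logon, then remote or obfuscated execution, then cleanup) is shown in this added example; it is not part of the original page or of any MITRE or Glexia tooling. The telemetry lines, host names, users and the stage regexes are constructed assumptions; the helper also decodes the Base64 `-enc` PowerShell arguments mentioned in the techniques table so an analyst can read the underlying command.

```python
import base64
import re
from collections import defaultdict

# Constructed sample telemetry (not real data), one event per line:
# "<timestamp> <host> <user> <kind> <detail>", modeled on logon and process-creation records.
SAMPLE_EVENTS = """\
2022-01-10T09:01:02 SRV01 CORP\\jdoe logon type=10 src=10.0.5.20
2022-01-10T09:02:10 SRV01 CORP\\jdoe process cmd=powershell.exe -enc dwBoAG8AYQBtAGkA
2022-01-10T09:02:45 SRV01 CORP\\jdoe process cmd=wmic /node:SRV02 process call create cmd.exe
2022-01-10T09:15:00 SRV01 CORP\\jdoe process cmd=wevtutil cl Security
2022-01-10T11:00:00 WS07 CORP\\admin logon type=10 src=10.0.9.9
2022-01-10T11:01:00 WS07 CORP\\admin process cmd=wevtutil qe Application /c:5
"""

# Assumed stage patterns: remote logon (network/RDP), remote or encoded execution, cleanup.
STAGES = {
    "remote_logon": re.compile(r"^logon type=(3|10)\b"),
    "remote_exec": re.compile(r"wmic\s+/node:|powershell.*?\s-e(?:nc|ncodedcommand)?\s|schtasks\s+/s\s", re.I),
    "cleanup": re.compile(r"wevtutil\s+cl\s|history\s+-c|\.bash_history", re.I),
}

def decode_encoded_powershell(cmdline):
    """Return the plaintext of a PowerShell -enc/-EncodedCommand argument (UTF-16LE), or None."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def chain_alerts(raw):
    """Group events by (host, user); alert when all three stages occur in chronological order."""
    seen = defaultdict(dict)  # (host, user) -> stage -> timestamp of first occurrence
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split(maxsplit=4)
        text = detail if kind == "process" else f"{kind} {detail}"
        for stage, pat in STAGES.items():
            if pat.search(text):
                seen[(host, user)].setdefault(stage, ts)
    alerts = []
    for (host, user), stages in seen.items():
        if all(s in stages for s in STAGES):
            order = [stages[s] for s in STAGES]  # ISO timestamps compare lexicographically
            if order == sorted(order):
                alerts.append((host, user, order))
    return alerts
```

A single stage (for example, an administrator querying logs with `wevtutil qe`) never alerts on its own; only the ordered chain does, which is the baseline-and-correlate approach the list above describes.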
Mitigation priorities
- First, harden identity controls around domain accounts, administrative privileges, and remote service access because multiple related techniques depend on valid account abuse and lateral movement.
- Second, restrict and monitor RDP, SMB/admin shares, SSH, WMI, PowerShell, Windows Command Shell, and Unix shell use according to operational need.
- Third, protect credential material by reducing unnecessary administrative rights and validating controls that limit or detect LSASS access.
- Fourth, improve endpoint and server logging retention so cleanup attempts such as file deletion, command history clearing, or event log utility use do not erase the only evidence needed for response.
- Fifth, maintain incident response playbooks that connect credential access, lateral movement, execution, collection, and stealth behaviors into one investigation path rather than isolated alerts.
Analyst notes and limits
The supplied ATT&CK object identifies Aquatic Panda as a suspected China-based group active since at least May 2020 with a reported focus on intelligence collection and industrial espionage, primarily affecting telecommunications, technology, and government sectors. The relationship context is broad and includes several remote access tools and many techniques spanning execution, credential access, discovery, lateral movement, collection, and stealth. Use this as a threat-informed validation profile rather than a standalone attribution rule.
ATT&CK provides no official detection guidance, no group-level tactics, and no group-level platforms for this object. Platform references in this analysis come from related software and technique records, not from the group object itself. Local exposure depends on the organization's sector, architecture, identity model, remote access patterns, and available telemetry. The supplied material does not support claims of current active exploitation or confirmed targeting of any specific organization.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Aquatic Panda has encoded PowerShell commands in Base64. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1087 | Account Discovery | Aquatic Panda used the |
| Enterprise | T1070.004 | File Deletion Sub-technique | Aquatic Panda has deleted malicious executables from compromised machines. (CrowdStrike AQUATIC PANDA December 2021; CrowdStrike HuntReport 2022) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Aquatic Panda used malicious shell scripts in Linux environments following access via SSH to install Linux versions of Winnti malware. (CrowdStrike HuntReport 2022) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Aquatic Panda used remote shares to enable lateral movement in victim environments. (CrowdStrike HuntReport 2022) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Aquatic Panda created new, malicious services using names such as |
| Enterprise | T1574.006 | Dynamic Linker Hijacking Sub-technique | Aquatic Panda modified the |
| Enterprise | T1070.003 | Clear Command History Sub-technique | Aquatic Panda cleared command history in Linux environments to remove traces of activity after operations. (CrowdStrike HuntReport 2022) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Aquatic Panda created new Windows services for persistence that masqueraded as legitimate Windows services via name change. (CrowdStrike HuntReport 2022) |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | Aquatic Panda used a registry edit to enable a Windows feature called |
| Enterprise | T1574.001 | DLL Sub-technique | Aquatic Panda has used DLL search-order hijacking to load `exe`, `dll`, and `dat` files into memory. (CrowdStrike AQUATIC PANDA December 2021) Aquatic Panda loaded a malicious DLL into the legitimate Windows Security Health Service executable ( |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments. (CrowdStrike HuntReport 2022) |
| Enterprise | T1005 | Data from Local System | Aquatic Panda captured local Windows security event log data from victim machines using the |
| Enterprise | T1105 | Ingress Tool Transfer | Aquatic Panda has downloaded additional malware onto compromised hosts. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1007 | System Service Discovery | Aquatic Panda has attempted to discover services for third-party EDR products. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1654 | Log Enumeration | Aquatic Panda enumerated logs related to authentication in Linux environments prior to deleting selective entries for defense evasion purposes. (CrowdStrike HuntReport 2022) |
| Enterprise | T1021.004 | SSH Sub-technique | Aquatic Panda used SSH with captured user credentials to move laterally in victim environments. (CrowdStrike HuntReport 2022) |
| Enterprise | T1112 | Modify Registry | Aquatic Panda modified the victim registry to enable the `RestrictedAdmin` mode feature, allowing pass-the-hash behaviors to function via RDP. (CrowdStrike HuntReport 2022) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments. (CrowdStrike HuntReport 2022) |
| Enterprise | T1588.001 | Malware Sub-technique | Aquatic Panda has acquired and used njRAT in its operations. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Aquatic Panda has attempted to discover third-party endpoint detection and response (EDR) tools on compromised systems. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to |
| Enterprise | T1685 | Disable or Modify Tools | Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1033 | System Owner/User Discovery | Aquatic Panda gathers information on recently logged-in users on victim devices. (CrowdStrike HuntReport 2022) |
| Enterprise | T1047 | Windows Management Instrumentation | Aquatic Panda used WMI for lateral movement in victim environments. (CrowdStrike HuntReport 2022) |
| Enterprise | T1588.002 | Tool Sub-technique | Aquatic Panda has acquired and used Cobalt Strike in its operations. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE-2021-44228). (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Aquatic Panda has attempted to harvest credentials through LSASS memory dumping. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1021 | Remote Services | Aquatic Panda used remote scheduled tasks to install malicious software on victim systems during lateral movement actions. (CrowdStrike HuntReport 2022) |
| Enterprise | T1082 | System Information Discovery | Aquatic Panda has used native OS commands to understand privilege levels and system details. (CrowdStrike AQUATIC PANDA December 2021) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary. (CrowdStrike HuntReport 2022) |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | Aquatic Panda clears Windows Event Logs following activity to evade defenses. (CrowdStrike HuntReport 2022) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | Aquatic Panda used multiple mechanisms to capture valid user accounts for victim domains to enable lateral movement and access to additional hosts in victim environments. (CrowdStrike HuntReport 2022) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Aquatic Panda has used several publicly available tools, including WinRAR and 7zip, to compress collected files and memory dumps prior to exfiltration. (CrowdStrike AQUATIC PANDA December 2021; CrowdStrike HuntReport 2022) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Aquatic Panda has downloaded additional scripts and executed Base64-encoded commands in PowerShell. (CrowdStrike AQUATIC PANDA December 2021) |
Groups, software, and campaigns
S0645: Wevtutil
S0141: Winnti for Windows
Winnti for Windows is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by a group referred to by the same name, Winnti Group.[1][2][3][4] The Linux variant is tracked separately under Winnti for Linux.[5]
S0385: njRAT
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0596: ShadowPad
S0430: Winnti for Linux
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 43364e36184d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CrowdStrike AQUATIC PANDA December 2021. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
[2] mitre-attack G0143.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.