Winnti, Group 72, BARIUM, LEAD, GREF, APT41, TG-2633, BRONZE ATLAS
Wicked Panda has been one of the most prolific and effective China-based adversaries from the mid 2010s into the 2020s.
They have consistently expanded their target scope as well as their toolsuite while shifting from criminally focused operations to state-sponsored targeted intrusions that often align with Chinese Communist Party (CCP) objectives outlined in the 13th Five-Year Plan and the Made in China 2025 initiative. CrowdStrike Intelligence assesses that Wicked Panda consists of a superset of groups involving several contractors working in the interests of the Chinese state while still carrying out criminal, for-profit activities, likely with some form of tacit approval from CCP officials.
A commonality among these Wicked Panda groups is the use of the Winnti malware. Winnti has gone through many iterations since its appearance in 2010 and is likely still under development. They have also used the low-prevalence ShadowPad backdoor, which has been associated with software supply-chain attacks. Wicked Panda operators also use other custom loaders and malware, such as CooperLoader, AttachLoader, RouterGod, and Proxip, in conjunction with publicly available malware and post-exploitation tools such as Cobalt Strike and Mimikatz.
- Industrials and Engineering
- Think Tanks