Adversary: Wicked Panda - Threat Actor | Crowdstrike Adversary Universe


Wicked Panda



Community identifiers

Winnti, Group 72, BARIUM, LEAD, GREF, APT41, TG-2633, BRONZE ATLAS

Wicked Panda has been one the most prolific and effective China-based adversaries from the mid 2010s into the 2020s.

They have consistently expanded their target scope as well as their toolsuite while shifting from criminally focused operations to state-sponsored targeted intrusions that often align with Chinese Communist Party (CCP) objectives outlined in the 13th Five Year and the Made in China 2025 initiative. CrowdStrike Intelligence assesses Wicked Panda consists of a superset of groups involving several contractors working in the interests of the Chinese state while still carrying out criminal, for-profit activities, likely with some form of tacit approval from CCP officials.

A commonality among these Wicked Panda groups is the use of the Winnti malware. Winnti has gone through many iterations since its appearance in 2010 and is likely still under development. They have also used the low prevalence ShadowPad backdoor which has been associated with software supply-chain attacks. Wicked Panda operators also use other custom loaders and malware such as CooperLoader, AttachLoader, RouterGod, and Proxip in conjunction with publicly available malware and post-exploitation tools such as Cobalt Strike and Mimikatz.

Target Nations

  • Flag Icon of the country Germany


  • Flag Icon of the country Hong Kong

    Hong Kong

  • Flag Icon of the country India


  • Flag Icon of the country Japan


  • Flag Icon of the country South Korea

    South Korea

  • Flag Icon of the country Taiwan


  • Flag Icon of the country United States

    United States