Twisted Panda: Chinese APT Targets Russian Orgs


As the Russia-Ukraine war continues, numerous threat actors, including APTs, are seeking to take advantage of the situation. Cyberespionage actors have found Russian firms to be a profitable target. A state-sponsored APT group was discovered spying on Russian companies.

Getting into the weeds

Twisted Panda was a targeted campaign that spied on at least two Russian defence research organisations as well as an unknown target in Belarus.

The attacks relied on social engineering lures claiming that the US was distributing a biological weapon.

Defence research institutions affiliated with Rostec Corporation, Russia’s largest holding corporation in the radio-electronics industry, are among the victims.

Why is this significant?

According to Check Point, this cyberespionage campaign has been running since at least June 2021, with the most recent activity occurring in April 2022.

Stone Panda (APT10) and Mustang Panda, both skilled and experienced threat actors, have been blamed for the campaign.

The attacker used previously unknown tools such as Spinner, a multi-layered loader and backdoor. The tools have been in active development since March of last year and are capable of advanced anti-analysis and evasion techniques.

Spinner Information

Spinner hides its program flow by means of control-flow flattening.

Despite its complex code structure, Spinner is only used to enumerate infected hosts and run payloads downloaded from a remote server.

Based on the executables’ compilation timestamps, researchers uncovered an older variant of the implant, hinting that the campaign had been operating for some time.

The earlier Spinner variant does not use anti-reverse-engineering techniques. It could, however, list and alter files, run OS commands, download payloads at will, and steal vital data, all of which have been removed from the latest version.

In conclusion

According to research, threat actors significantly enhanced the infection chain in just a year, making it more complex. The campaign’s functions have been broken up into several pieces, making it impossible to notice or assess each stage. All of this suggests that the threat actors are committed to attaining their objectives of stealing important data. Chinese cyberespionage actors are quick to respond to real-world events and use the most appropriate lures to increase their chances of success.
