Sharp Panda APT (also known as Sharp Panda) is a state-sponsored advanced persistent threat group attributed to China, active since 2018. The group primarily targets Southeast Asian government entities sectors.
Overview & Attribution
Chinese APT targeting ASEAN government ministries using the RoyalRoad RTF weaponizer and custom Soul framework for long-term espionage operations.
Sharp Panda APT has been active since 2018, attributed to China. The group is known for targeting Southeast Asian government entities using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: China
- Active since: 2018
- Primary targets: Southeast Asian government entities
- Also known as: Sharp Panda
Arsenal & Tools
Sharp Panda APT employs a diverse arsenal of custom and shared tooling:
- RoyalRoad: Custom/shared tooling used in operations
- SoulSearcher: Custom/shared tooling used in operations
- Soul backdoor: Custom/shared tooling used in operations
- VictoryDLL: Custom/shared tooling used in operations
Targeting & Operations
The group focuses on Southeast Asian government entities sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
Sharp Panda APT is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | RoyalRoad RTF lures |
| Execution | T1203 Exploitation for Client Execution | Equation Editor exploits |
| Persistence | T1574.002 DLL Side-Loading | Legitimate binary side-loading |
| Defense Evasion | T1036 Masquerading | Disguised loader components |
| Collection | T1005 Data from Local System | Government document theft |
| C2 | T1071.001 Web Protocols | HTTPS C2 |
Notable Campaigns
Sharp Panda APT has been linked to multiple significant campaigns targeting Southeast Asian government entities organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known Sharp Panda APT IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with RoyalRoad and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known Sharp Panda APT TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
Defend Against Sharp Panda APT
Mjolnir Security provides specialized capabilities to detect and respond to Sharp Panda APT operations.
- APT Threat Hunting Proactive hunting for Sharp Panda APT TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence Continuous monitoring of Sharp Panda APT campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts