Threat Actor Profile
High APT
Description

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)

Confidence Score
90%
Known Aliases
Putter Panda, APT2, MSUpdater
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (4)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1055.001 - Dynamic-link Library Injection (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
STIX Data
{'aliases': ['Putter Panda', 'APT2', 'MSUpdater'],
 'created': '2017-05-31T21:31:56.785Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Putter Panda](https://attack.mitre.org/groups/G0024) is a '
                'Chinese threat group that has been attributed to Unit 61486 '
                'of the 12th Bureau of the PLA’s 3rd General Staff Department '
                '(GSD). (Citation: CrowdStrike Putter Panda)',
 'external_references': [{'external_id': 'G0024',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0024'},
                         {'description': '(Citation: CrowdStrike Putter Panda)',
                          'source_name': 'MSUpdater'},
                         {'description': '(Citation: CrowdStrike Putter Panda) '
                                         '(Citation: Cylance Putter Panda)',
                          'source_name': 'Putter Panda'},
                         {'description': '(Citation: Cylance Putter Panda)',
                          'source_name': 'APT2'},
                         {'description': 'Crowdstrike Global Intelligence '
                                         'Team. (2014, June 9). CrowdStrike '
                                         'Intelligence Report: Putter Panda. '
                                         'Retrieved January 22, 2016.',
                          'source_name': 'CrowdStrike Putter Panda',
                          'url': 'http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf'},
                         {'description': 'Gross, J. and Walter, J.. (2016, '
                                         'January 12). Puttering into the '
                                         'Future.... Retrieved November 17, '
                                         '2024.',
                          'source_name': 'Cylance Putter Panda',
                          'url': 'https://blogs.blackberry.com/en/2016/01/puttering-into-the-future'}],
 'id': 'intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45',
 'modified': '2024-11-17T16:43:16.049Z',
 'name': 'Putter Panda',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.2'}