Threat Actor Profile
High APT
Description

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016)

Confidence Score
90%
Known Aliases
Deep Panda Shell Crew WebMasters KungFu Kittens PinkPanther Black Vine
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (10)
T1027.005 - Indicator Removal from Tools
Defense Evasion
T1218.010 - Regsvr32
Defense Evasion
T1564.003 - Hidden Window
Defense Evasion
T1018 - Remote System Discovery
Discovery
T1057 - Process Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1059.001 - PowerShell
Execution
T1021.002 - SMB/Windows Admin Shares
Lateral Movement
T1505.003 - Web Shell
Persistence
T1546.008 - Accessibility Features
Privilege Escalation
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['Deep Panda',
             'Shell Crew',
             'WebMasters',
             'KungFu Kittens',
             'PinkPanther',
             'Black Vine'],
 'created': '2017-05-31T21:31:49.412Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Deep Panda](https://attack.mitre.org/groups/G0009) is a '
                'suspected Chinese threat group known to target many '
                'industries, including government, defense, financial, and '
                'telecommunications. (Citation: Alperovitch 2014) The '
                'intrusion into healthcare company Anthem has been attributed '
                'to [Deep Panda](https://attack.mitre.org/groups/G0009). '
                '(Citation: ThreatConnect Anthem) This group is also known as '
                'Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. '
                '(Citation: RSA Shell Crew) [Deep '
                'Panda](https://attack.mitre.org/groups/G0009) also appears to '
                'be known as Black Vine based on the attribution of both group '
                'names to the Anthem intrusion. (Citation: Symantec Black '
                'Vine) Some analysts track [Deep '
                'Panda](https://attack.mitre.org/groups/G0009) and '
                '[APT19](https://attack.mitre.org/groups/G0073) as the same '
                'group, but it is unclear from open source information if the '
                "groups are the same. (Citation: ICIT China's Espionage Jul "
                '2016)',
 'external_references': [{'external_id': 'G0009',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0009'},
                         {'description': '(Citation: Alperovitch 2014)',
                          'source_name': 'Deep Panda'},
                         {'description': '(Citation: RSA Shell Crew)',
                          'source_name': 'Shell Crew'},
                         {'description': '(Citation: RSA Shell Crew)',
                          'source_name': 'WebMasters'},
                         {'description': '(Citation: RSA Shell Crew)',
                          'source_name': 'KungFu Kittens'},
                         {'description': '(Citation: RSA Shell Crew)',
                          'source_name': 'PinkPanther'},
                         {'description': '(Citation: Symantec Black Vine)',
                          'source_name': 'Black Vine'},
                         {'description': 'Alperovitch, D. (2014, July 7). Deep '
                                         'in Thought: Chinese Targeting of '
                                         'National Security Think Tanks. '
                                         'Retrieved November 12, 2014.',
                          'source_name': 'Alperovitch 2014',
                          'url': 'https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/'},
                         {'description': 'DiMaggio, J.. (2015, August 6). The '
                                         'Black Vine cyberespionage group. '
                                         'Retrieved January 26, 2016.',
                          'source_name': 'Symantec Black Vine',
                          'url': 'https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf'},
                         {'description': 'RSA Incident Response. (2014, '
                                         'January). RSA Incident Response '
                                         'Emerging Threat Profile: Shell Crew. '
                                         'Retrieved January 14, 2016.',
                          'source_name': 'RSA Shell Crew',
                          'url': 'https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf'},
                         {'description': 'Scott, J. and Spaniel, D. (2016, '
                                         'July 28). ICIT Brief - China’s '
                                         'Espionage Dynasty: Economic Death by '
                                         'a Thousand Cuts. Retrieved June 7, '
                                         '2018.',
                          'source_name': "ICIT China's Espionage Jul 2016",
                          'url': 'https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/'},
                         {'description': 'ThreatConnect Research Team. (2015, '
                                         'February 27). The Anthem Hack: All '
                                         'Roads Lead to China. Retrieved '
                                         'January 26, 2016.',
                          'source_name': 'ThreatConnect Anthem',
                          'url': 'https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/'}],
 'id': 'intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064',
 'modified': '2025-04-16T20:37:39.486Z',
 'name': 'Deep Panda',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Andrew Smith, @jakx_'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.2'}
Quick Actions
Related TTPs (10)
Indicator Removal from Tools
Defense Evasion
Regsvr32
Defense Evasion
Hidden Window
Defense Evasion
Remote System Discovery
Discovery
Process Discovery
Discovery
View All 10 TTPs
Back to Threat Actors
Dashboard Home