Threat Actor Profile
High APT
Description

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors. (Citation: CrowdStrike AQUATIC PANDA December 2021)

Confidence Score
90%
Known Aliases
Aquatic Panda
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (35)
T1005 - Data from Local System (Collection)
T1560.001 - Archive via Utility (Collection)
T1105 - Ingress Tool Transfer (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1027.010 - Command Obfuscation (Defense Evasion)
T1036.004 - Masquerade Task or Service (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1070.001 - Clear Windows Event Logs (Defense Evasion)
T1070.003 - Clear Command History (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078.002 - Domain Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1218.011 - Rundll32 (Defense Evasion)
T1550.002 - Pass the Hash (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1007 - System Service Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1087 - Account Discovery (Discovery)
T1518.001 - Security Software Discovery (Discovery)
T1654 - Log Enumeration (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.004 - Unix Shell (Execution)
T1021 - Remote Services (Lateral Movement)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1021.004 - SSH (Lateral Movement)
T1543.003 - Windows Service (Persistence)
T1574.001 - DLL (Persistence)
T1574.006 - Dynamic Linker Hijacking (Persistence)
T1595.002 - Vulnerability Scanning (Reconnaissance)
T1588.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)
STIX Data
{
  "aliases": ["Aquatic Panda"],
  "created": "2022-01-18T14:49:29.505Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)",
  "external_references": [
    {
      "external_id": "G0143",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0143"
    },
    {
      "description": "Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.",
      "source_name": "CrowdStrike AQUATIC PANDA December 2021",
      "url": "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/"
    }
  ],
  "id": "intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11",
  "modified": "2024-10-10T14:31:59.099Z",
  "name": "Aquatic Panda",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": [
    "NST Assure Research Team, NetSentries Technologies",
    "Pooja Natarajan, NEC Corporation India",
    "Hiroki Nagahama, NEC Corporation",
    "Manikantan Srinivasan, NEC Corporation India",
    "Jai Minton, CrowdStrike",
    "Jennifer Kim Roman, CrowdStrike"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "2.0"
}