
Threat Actor Characterization

Dynamite Panda


ID: 31bd786c80cf9493b66173852754f28e14073
Cybercrime State-Sponsored
Threat types: Intrusion, Malware, Espionage
China
Updated: 2026-01-13
Created: 2025-10-20
Progress: 38% Completeness: 33% Freshness: 50%
Operation zone:
Aliases: APT18
MITRE ATT&CK®

Dynamite Panda is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. Ref: https://attack.mitre.org/groups/G0026/


Technique | Technique name | Tactics | Evidence
T1027.013 | Encrypted/Encoded File | TA0005 | Obfuscated Files or Information: Encrypted/Encoded File - Dynamite Panda obfuscates strings in the payload.
T1053.002 | At | TA0002, TA0003, TA0004 | Scheduled Task/Job: At - Dynamite Panda actors used the native Windows at task scheduler tool to run scheduled tasks for execution on a victim network.
T1059.003 | Windows Command Shell | TA0002 | Command and Scripting Interpreter: Windows Command Shell - Dynamite Panda uses cmd.exe to execute commands on the victim's machine.
T1070.004 | File Deletion | TA0005 | Indicator Removal: File Deletion - Dynamite Panda actors deleted tools and batch files from victim systems.
T1071.001 | Web Protocols | TA0011 | Application Layer Protocol: Web Protocols - Dynamite Panda uses HTTP for C2 communications.
T1071.004 | DNS | TA0011 | Application Layer Protocol: DNS - Dynamite Panda uses DNS for C2 communications.
T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Dynamite Panda establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.