
Group

G0027

Emissary Panda

Aliases

Emissary Panda, Lucky Mouse, Bronze Union, Iron Tiger, Circle Typhoon

Type

State-sponsored cyberespionage group. Also for financial gain.

Target

Defense, Government, Military, Technology, Telecom Sector

Malware

HyperBro, PlugX, Clop Ransomware

Country

China

IoCs on Maltiverse

Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

Who is APT27?

APT27 is a skilled hacking group linked to China. It has been active since 2010.

For years, the group acted as a state-sponsored espionage actor, stealing trade secrets and intelligence from high-value targets worldwide. Around 2020, the group evolved: it still spies for the state, but it now also operates like a criminal gang, regularly using ransomware attacks for profit. This dual motivation makes the group highly dangerous and unpredictable.

Common Tactics and Tools

The group’s primary method of initial access is exploiting vulnerabilities in public-facing applications. They are known for quickly weaponizing newly disclosed software flaws, including vulnerabilities in Microsoft Exchange, Zoho products, and VPNs, to break into networks.

Their toolkit reflects their two motivations.

  • HyperBro: A custom backdoor used in the group’s espionage campaigns for years. It provides quiet, persistent access to compromised systems, which the group uses to steal data over long periods.
  • PlugX: Like many Chinese groups, they also use this widely shared backdoor for remote control and intelligence gathering.
  • Clop Ransomware: For their financially motivated attacks, the group deploys Clop ransomware. It encrypts the victim’s network, after which the group demands a large ransom.

How to Defend Against APT27

Defending against this dual-purpose threat must counter both spying and ransomware.

  • Rapidly patch edge devices: The most urgent defense is to patch all internet-facing servers and applications. This closes the group’s main entry point.
  • Maintain offline backups: To survive a ransomware attack, keep offline and encrypted data backups. Test them regularly. This is the only sure way to recover without paying.
  • Implement network segmentation: A segmented network can contain a breach. It stops an attacker from moving from a hacked web server to the rest of the network. This protects against both widespread ransomware and data theft.
  • Secure privileged accounts: Give users only the access they need. Use multi-factor authentication (MFA) for all admin accounts. This makes it harder for attackers to gain more control and launch ransomware.
  • Watch your network with NDR: Use a Network Detection and Response (NDR) tool. NDR watches for anomalous traffic inside your network, catching intruders as they move. It can also flag, for example, a connection from China at an unusual hour.
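The segmentation and NDR advice above can be turned into two simple detection rules. The script below is an added example, not code from Lumu or Maltiverse; the subnets, admin ports, expected login countries, business hours, and the flow-log format are all assumptions, and the log lines are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed sample flow records (not real telemetry).
# Fields: timestamp, src_ip, dst_ip, dst_port, src_country, user ("-" = none)
SAMPLE_LOG = """\
2024-03-04T02:13:00 203.0.113.10 10.0.1.5 443 CN -
2024-03-04T02:14:30 10.0.1.5 10.0.2.20 445 - -
2024-03-04T02:15:00 203.0.113.10 10.0.1.5 3389 CN admin
2024-03-04T10:05:00 198.51.100.7 10.0.1.5 443 US -
2024-03-04T10:06:00 10.0.2.20 10.0.2.21 445 - -
"""

DMZ = ipaddress.ip_network("10.0.1.0/24")        # assumed: public-facing web-server segment
INTERNAL = ipaddress.ip_network("10.0.2.0/24")   # assumed: internal user/server segment
ADMIN_PORTS = {22, 445, 3389, 5985}              # assumed: remote-admin ports worth watching
EXPECTED_COUNTRIES = {"US"}                      # assumed: where staff normally log in from
BUSINESS_HOURS = range(8, 18)                    # assumed: 08:00-17:59 local time

def parse(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, port, country, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port),
            "country": country, "user": user}

def detect(log_text):
    """Return alerts for segment-crossing admin traffic and off-hours foreign admin logins."""
    alerts = []
    for line in log_text.splitlines():
        r = parse(line)
        # Rule 1: a DMZ host opening an admin port on an internal host crosses the
        # segment boundary, the move a web-server compromise would need to spread.
        if r["src"] in DMZ and r["dst"] in INTERNAL and r["port"] in ADMIN_PORTS:
            alerts.append(("segmentation_violation", str(r["src"]), str(r["dst"]), r["port"]))
        # Rule 2: an interactive login from an unexpected country outside business hours.
        if (r["user"] != "-" and r["country"] not in EXPECTED_COUNTRIES
                and r["ts"].hour not in BUSINESS_HOURS):
            alerts.append(("offhours_foreign_login", str(r["src"]), r["user"], r["ts"].isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules are deliberately narrow; in practice the allow-lists and hours would come from the organization's own baseline rather than constants.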
