Chinese ‘Twisted Panda’ hackers caught spying on Russian defense institutions

At least two research institutes located in Russia and a third likely site in Belarus have been the target of an Advanced Persistent Threat (APT) spy attack by the Chinese nation-state.

Attacks, codename “twisted pandacame against the backdrop of Russia’s military incursion into Ukraine, prompting a wide range of threat actors to quickly adapt their campaigns to the ongoing conflict to distribute malware and carry out opportunistic attacks.

They materialized as social engineering schemes with military news bait and orchestrated sanctions to trick potential victims into clicking on malicious links or opening armed documents.

Israeli cybersecurity firm Check Point, which released details of the latest intelligence-gathering operation, attributed it to a Chinese attacker with ties to those working for Stone Panda (aka APT 10, Cicada, or Potassium) and Mustang Panda (aka Bronze President, HoneyMyte or RedDelta).

Calling it a continuation of a “long-term espionage operation against Russian-linked organizations that has been going on since at least June 2021,” the latest traces of this activity were reportedly discovered as recently as April 2022.

Among the targets were two defense research institutes owned by the Russian state defense conglomerate Rostec Corporation and an unidentified organization based in the Belarusian city of Minsk.


The phishing attacks began with emails containing a link posing as the Russian Ministry of Health, but in fact a domain controlled by the attacker, as well as a fake Microsoft Word document designed to launch the infection and reset the bootloader.

The 32-bit DLL (“cmpbk32.dll”), in addition to providing persistence via a scheduled task, is also responsible for running the second-stage layered loader, which is then unpacked to run the final in-memory payload. .

The injected payload, a previously undocumented backdoor called Spinner, uses complex techniques such as flow smoothing control to hide the program flow previously identified as being used by Stone Panda and Mustang Panda in their attacks.

“These tools have been in development since at least March 2021 and use advanced evasion and parsing protection techniques such as multi-level in-memory loaders and compiler-level obfuscations,” Check Point said in a statement.

computer security

Despite the complex code structure, the Spinner is a basic implant that is only equipped to enumerate compromised hosts and run additional payloads received from a remote server.

Check Point noted that its investigation also uncovered an earlier variant of the backdoor that propagates in the same manner, indicating the campaign has been active since June 2021 based on executable build timestamps.

But in an interesting twist, while the older version lacks reverse engineering prevention techniques, it makes up for it by having additional features that Spinner lacks, including the ability to enumerate and manipulate files, exfiltrate valuable data, and execute system operation commands and arbitrary loaded payloads.

“In less than a year, the actors have greatly improved the chain of infection and made it more complicated,” the researchers explain. “All the functionality of the old campaign has been retained, but split into multiple components, making it difficult to analyze or discover each stage.”

“The evolution of tools and methods over this period indicates that campaigners are stubbornly pursuing their goals behind the scenes.”

Leave a Comment

Your email address will not be published.