Unveiling LIMINAL PANDA – Threats to Telecom Sector

CrowdStrike describes LIMINAL PANDA as a China‑nexus state‑sponsored actor that has targeted telecommunications providers since at least 2020, using compromised telecom infrastructure to pivot into further providers and collect subscriber data. The actor pairs custom malware (including tooling that emulates GSM protocols to carry C2) with publicly available proxy and C2 tooling; CrowdStrike recommends real‑time EDR, strict SSH controls and network access restrictions to mitigate the risk. #LIMINALPANDA #PingPong #SIGTRANslator #LightBasin #wuxiapingg

Keypoints

  • LIMINAL PANDA has targeted telecommunications providers since at least 2020, using compromised telecom servers to access additional providers and geographic regions.
  • The actor combines custom malware (e.g., PingPong, CordScan, SIGTRANslator) with publicly available tools (TinyShell, Fast Reverse Proxy, Microsocks, ProxyChains) to enable covert access and C2 routing.
  • LIMINAL PANDA emulates GSM protocols to enable command-and-control and develops tooling to collect mobile subscriber information, call metadata and SMS data.
  • CrowdStrike previously linked some of this activity to the LightBasin cluster but now tracks LIMINAL PANDA as a distinct actor; several adversaries operate in the same contested telecom networks, so overlapping access does not imply a single actor.
  • CrowdStrike assesses with low confidence that the activity aligns with China‑nexus operations, citing Pinyin strings (wuxianpinggu507), Pinyin‑based domains (wuxiapingg[.]ga) and overlap in tooling and infrastructure with other China‑nexus activity.
  • Recommended defenses include deploying real‑time EDR, enforcing strong SSH/authentication practices, minimizing publicly accessible services, logging SSH activity, verifying iptables rules, and using file integrity checks.
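
The three detective controls in the last bullet (SSH login review, iptables rule verification, file integrity checks) as runnable host checks. This is an added example written for this summary, not code from CrowdStrike or from the post; the sshd log lines, the `iptables-save` dump, the management allowlist 10.10.5.0/24, the expected ports and the file names are all constructed assumptions.

```python
"""Added example (not from the CrowdStrike post): host-level checks for the
recommended SSH logging, iptables verification and file integrity controls.
All inputs are constructed samples; allowlists, ports and paths are assumptions."""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed sshd log lines in syslog format (not real telemetry).
SSHD_LOG = """\
Nov 20 01:02:03 mss01 sshd[1201]: Accepted publickey for ops from 10.10.5.7 port 51234 ssh2: ED25519 SHA256:abc
Nov 20 01:15:44 mss01 sshd[1302]: Accepted password for root from 203.0.113.45 port 40022 ssh2
Nov 20 02:01:10 mss01 sshd[1410]: Failed password for invalid user admin from 198.51.100.9 port 33000 ssh2
Nov 20 02:30:00 mss01 sshd[1500]: Accepted publickey for ops from 10.10.5.7 port 51240 ssh2: ED25519 SHA256:abc
"""

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port")


def suspicious_ssh_logins(log, allowed_nets=("10.10.5.0/24",)):
    """Return (src, user, method) for accepted logins that used a password
    (key-only auth is the hardened setting) or came from outside the
    management allowlist. Failed attempts are left to rate-based alerting."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in log.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        try:
            inside = any(ipaddress.ip_address(m["src"]) in n for n in nets)
        except ValueError:          # hostname instead of an address: treat as outside
            inside = False
        if m["method"] == "password" or not inside:
            hits.append((m["src"], m["user"], m["method"]))
    return hits


# Constructed `iptables-save` output. 2905 is the IANA-assigned M3UA (SIGTRAN)
# port; 31337 and the bare ACCEPT stand in for rules an intruder might add.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.5.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p sctp --dport 2905 -j ACCEPT
-A INPUT -p tcp --dport 31337 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""


def input_policy(dump):
    """Default policy of the INPUT chain; anything but DROP is a finding."""
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            return line.split()[1]
    return None


def unexpected_input_accepts(dump, allowed_ports=(22, 2905)):
    """Return INPUT rules that ACCEPT traffic the baseline does not expect:
    a --dport outside the allowlist, or an ACCEPT with no port, interface
    or connection-state qualifier at all (a catch-all rule)."""
    findings = []
    for line in dump.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", "INPUT"] or toks[-2:] != ["-j", "ACCEPT"]:
            continue
        if "--dport" in toks:
            if int(toks[toks.index("--dport") + 1]) not in allowed_ports:
                findings.append(line)
        elif not ({"-i", "--ctstate", "--state"} & set(toks)):
            findings.append(line)
    return findings


def baseline_hashes(paths):
    """SHA-256 of each file; keep the result somewhere the host cannot rewrite it."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def changed_files(baseline):
    """Files whose current hash differs from the baseline, or that vanished."""
    changed = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            changed.append(path)
    return changed


def integrity_demo():
    """Baseline two constructed files, tamper with one, report names that changed."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d, "sshd_config")
        cfg.write_text("PasswordAuthentication no\n")
        sshd = Path(d, "sshd")
        sshd.write_bytes(b"\x7fELF constructed stand-in")
        base = baseline_hashes([cfg, sshd])
        cfg.write_text("PasswordAuthentication yes\n")   # simulated tampering
        return [Path(p).name for p in changed_files(base)]


if __name__ == "__main__":
    print("ssh:", suspicious_ssh_logins(SSHD_LOG))
    print("policy:", input_policy(IPTABLES_SAVE))
    print("rules:", unexpected_input_accepts(IPTABLES_SAVE))
    print("integrity:", integrity_demo())
```

Run the file as-is to see the four results; in production the sshd log, the `iptables-save` output and the baseline hashes come from the host, and the baseline should be stored off-host so a compromised server cannot rewrite it.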

MITRE Techniques

  • [T1071] Application Layer Protocol – LIMINAL PANDA emulates mobile protocols to support C2: ‘emulating global system for mobile communications (GSM) protocols to enable C2.’
  • [T1090] Proxy – The actor routes command-and-control through chained proxy tools: ‘employs a combination of custom malware, publicly available tools and proxy software to route C2 communications through different network segments.’
  • [T1041] Exfiltration Over C2 Channel – The adversary retrieves and likely exfiltrates subscriber data and messaging: ‘develop tooling to retrieve mobile subscriber information, call metadata and text messages (SMS).’
  • [T1021] Remote Services – Compromised telecom servers are used to access and intrude into other providers: ‘compromised telecom servers to initiate intrusions into further providers in other geographic regions.’
  • [T1078] Valid Accounts – The actor protects its remote proxy services with a static, reused password (a Pinyin string), which doubles as a hunting artefact: ‘using a Pinyin string (wuxianpinggu507) … as the password for some of LIMINAL PANDA’s remote proxy services.’
  • [T1105] Ingress Tool Transfer – LIMINAL PANDA deploys publicly available and custom tooling (e.g., Cobalt Strike, TinyShell, Fast Reverse Proxy) to enable operations: ‘the adversary employs a combination of custom malware, publicly available tools and proxy software.’

Indicators of Compromise

  • [Domain] delivery/C2 infrastructure – wuxiapingg[.]ga (used as delivery infrastructure and C2 for Cobalt Strike), and other Pinyin-based domains associated with actor infrastructure.
  • [Malware/Tool names] associated tooling observed – PingPong, SIGTRANslator, CordScan, TinyShell, Fast Reverse Proxy, Microsocks, ProxyChains (and other custom/public tools).
  • [Credential/XOR key] embedded configuration strings – wuxianpinggu507 used as an XOR key and as a password for some remote proxy services.
  • [Hosting provider] infrastructure provider – VPS infrastructure hosted on Vultr linked to actor infrastructure (provider-level IOC for infrastructure tracking).
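
Two hunting routines built from the indicators above, as an added example for this summary (not code from CrowdStrike or from the post). The DNS resolver log lines are constructed, and since the SIGTRANslator configuration layout is not published here, the encrypted blob is a constructed stand-in that only illustrates how to test the reported XOR key against a suspect buffer.

```python
"""Added example (not from the CrowdStrike post): hunt for the published domain
in resolver logs and test the reported XOR key against a suspect blob.
Log lines and the blob are constructed; the config layout is an assumption."""
import re

IOC_DOMAIN = "wuxiapingg[.]ga"          # defanged, as published
XOR_KEY = b"wuxianpinggu507"             # Pinyin string reported as XOR key / password


def refang(indicator):
    """Turn a defanged indicator back into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed BIND-style query log lines (not real telemetry).
DNS_LOG = [
    "Nov 20 03:00:01 resolver01 named[220]: client 10.10.5.7#4000: query: cdn.wuxiapingg.ga IN A +",
    "Nov 20 03:00:02 resolver01 named[220]: client 10.10.5.8#4001: query: updates.example.net IN A +",
    "Nov 20 03:00:03 resolver01 named[220]: client 10.10.5.9#4002: query: wuxiapingg.ga IN TXT +",
]

NAME_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def domain_hits(log_lines, domain=IOC_DOMAIN):
    """Query names equal to the indicator or any subdomain of it, in log order."""
    d = refang(domain).lower()
    hits = []
    for line in log_lines:
        for name in NAME_RE.findall(line.lower()):
            if name == d or name.endswith("." + d):
                hits.append(name)
    return hits


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_with_known_key(blob, key=XOR_KEY, min_printable=0.95):
    """Apply the reported key to a blob carved from a suspect binary or file.
    Accept the result only if it is almost entirely printable ASCII, so a
    wrong key or an unrelated blob is not reported as a decoded configuration."""
    out = xor_bytes(blob, key)
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in out)
    if printable / max(len(out), 1) < min_printable:
        return None
    return out.decode("ascii")


# Constructed stand-in for an embedded configuration; the layout is assumed.
SAMPLE_BLOB = xor_bytes(b"c2=203.0.113.45:443;proxy=socks5;sleep=300\n", XOR_KEY)


if __name__ == "__main__":
    print("dns hits:", domain_hits(DNS_LOG))
    print("decoded:", decode_with_known_key(SAMPLE_BLOB))
    print("wrong key:", decode_with_known_key(SAMPLE_BLOB, b"\x00"))
```

The printable-ratio gate matters when sweeping many carved buffers: repeating-key XOR will "decode" anything, so only an output that reads as text is worth a second look.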

Read more: https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats