Check Point Research details Twisted Panda, a Chinese state-sponsored espionage campaign targeting Rostec defense research institutes in Russia (and possibly Belarus). It uses sanctions-themed lures and previously undocumented tooling, a multi-layer loader and the SPINNER backdoor, to evade detection. The infection chain runs from spear-phishing emails with malicious document attachments, through DLL sideloading and in-memory loading, to a C2-backed backdoor that collects system information and fetches additional payloads.
#TwistedPanda #SPINNER #StonePanda #MustangPanda #Rostec #HealthMinistryRussia
Keypoints
- Targeted campaign against at least two Russian Rostec defense institutes, with a Belarusian target following similar spear-phishing lures.
- Attribution with high confidence to Chinese state-backed actors, possibly linked to Stone Panda (APT10) and Mustang Panda, under the Twisted Panda operation.
- Introduction of new malware tools: a multi-layer loader and a backdoor named SPINNER, both with strong evasion and anti-analysis techniques.
- Infection chain starts with spear-phishing emails and decoy documents impersonating the Russian Health Ministry to lure victims.
- Modular loader/backdoor techniques include DLL sideloading, in-memory decryption, RC4/XOR layers, and multi-stage payload deployment.
- Detailed persistence, discovery, and C2 communication capabilities are described, including scheduled tasks, Run registry keys, and HTTP/S-based C2 channels.
- Campaign evolution: components were split (a document that drops the loader; a DLL loader whose DllMain drives the stages) and obfuscation was intensified for stealth; earlier waves date back to 2021.
- Victimology and tooling align with long-term Chinese espionage objectives, with overlaps with Hodur/PlugX and Mustang Panda techniques.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Malicious emails with attached documents and links to attacker-controlled sites were used to deliver the loader. “On March 23, malicious emails were sent to several defense research institutes based in Russia. The emails … contained a link to an attacker-controlled site mimicking the Health Ministry of Russia minzdravros[.]com and had a malicious document attached.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic for Applications – The external template contains macro code that imports API functions from kernel32 and uses them to write the components to disk and load them. “The external template contains a macro code that imports several API functions from kernel32 (LoadLibraryA, CreateFileA, WriteFile, ReadFile, etc) and uses them to…”
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The loader is run through a copy of the legitimate cmdl32.exe, which loads cmpbk32.dll or cmpbk64.dll from the same directory and calls its exported function R1. “Load cmpbk32.dll or cmpbk64.dll (depending on the system OS architecture) and execute its exported function R1.”
- [T1055] Process Injection – The position-independent loader code maps an embedded PE into memory and runs it from its entry point; later stages inject into msiexec.exe. “The injected code begins by dynamically loading a PE file embedded inside and executing it from its entry point.”
- [T1218] System Binary Proxy Execution – Because the DLL is sideloaded by a legitimate, Microsoft-signed process, the running image itself looks benign to AV. “DLL sideloading by a legitimate process is a technique commonly used by threat actors; coupling it with a robust loading process can help evade modern anti-virus solutions as, in this case, the actual running process is valid and signed by Microsoft.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The backdoor creates a Run value for persistence. “it creates a new registry key OfficeInit under SOFTWARE\Microsoft\Windows\CurrentVersion\Run that points to the cmdl32.exe path.”
- [T1053.005] Scheduled Task/Job: Scheduled Task – The document-side DLL creates a scheduled task from its PROCESS_DETACH handler, i.e. when the decoy document is closed. “When the malicious document is closed, a PROCESS_DETACH event … and creates a scheduled task for persistence.”
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Each C2 packet is encrypted with a freshly generated random RC4 key; the embedded configuration and next-stage blob are XOR-decrypted in memory before use. “The backdoor generates a random 8-byte RC4 key that is used to encrypt the entire packet” and “The decrypted blob is a position-independent code …”
- [T1071.001] Web Protocols – C2 communication over HTTP/S. “The packet is sent through the HTTP/S depending on the URL retrieved from the malware configuration.”
- [T1082] System Information Discovery – SPINNER collects system information for exfiltration. “creates a string containing Bot ID, Computer name, Local IP, Windows version, Username, Sleep time…, Process ID”
- [T1041] Exfiltration Over C2 Channel – The backdoor exfiltrates files and manipulates local data as part of its command set. “Exfiltrates files from the infected machine and manipulates the local files.”
- [T1027] Obfuscated Files and Information – The payload uses compiler-level obfuscations (control flow flattening and opaque predicates) to hinder analysis. “The payload uses two compiler-level obfuscations: Control flow flattening… Opaque predicates.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The backdoor runs commands via cmd.exe as part of its operational commands. “Run command using cmd.exe”
- [T1105] Ingress Tool Transfer – The self-update command writes new data to the INIT file and starts a fresh cmdl32.exe instance to load it. “Self-update – Write data to the INIT file and create another instance of the cmdl32.exe using CreateProcessW.”
- [T1070.004] Indicator Removal: File Deletion – Self-delete and cleanup, including removal of the Run-key persistence. “Self-delete and exit process (create and run a file named a.bat… Also, delete persistence from the Run Registry Key.)”
- [T1016] System Network Configuration Discovery – The local IP address is gathered as part of the initial information packet sent to the C2.
- [T1140] Deobfuscate/Decode Files or Information – The loader decrypts its embedded configuration and the next-stage blob in memory (XOR layers) rather than writing decoded stages to disk. “The decrypted blob is a position-independent code …”
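The techniques above describe a short, concrete chain (lure domain, cmdl32.exe sideloading cmpbk32/64.dll from a user-writable directory, an OfficeInit Run value and a scheduled task pointing at that cmdl32.exe, cmd.exe or msiexec.exe children). The hunting logic below turns those observations into rules and runs them over constructed telemetry. It is an added example, not Check Point's code; the event dictionaries and their field names (kind, image, loaded, key, data, action, parent, query) are this example's own Sysmon-like assumption, and the sample events are constructed, not captured.

```python
"""Hunting rules for the Twisted Panda loader/backdoor chain (added example).

Event records are constructed Sysmon-style telemetry; the field names are an
assumption of this example, not a real schema.
"""
import ntpath

# Indicators and artefacts quoted on this page
LURE_DOMAINS = {"minzdravros.com", "www.minzdravros.com",
                "www.miniboxmail.com", "www.microtreely.com"}
SIDELOAD_HOST = "cmdl32.exe"
SIDELOAD_DLLS = {"cmpbk32.dll", "cmpbk64.dll"}
RUN_VALUE = "officeinit"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _base(path):
    return ntpath.basename(path).lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def rule_sideload(ev):
    """T1574.002: cmdl32.exe loading cmpbk32/64.dll from outside System32/SysWOW64.
    A legitimate cmdl32.exe resolves the DLL from the system directory."""
    if ev["kind"] == "image_load" and _base(ev["image"]) == SIDELOAD_HOST \
            and _base(ev["loaded"]) in SIDELOAD_DLLS and not _in_system_dir(ev["loaded"]):
        return f"cmdl32.exe sideloaded {ev['loaded']}"
    return None


def rule_run_key(ev):
    """T1547.001: Run value named OfficeInit whose data points at cmdl32.exe."""
    if ev["kind"] != "registry_set":
        return None
    key = ev["key"].lower()
    if "\\currentversion\\run\\" in key and key.rsplit("\\", 1)[-1] == RUN_VALUE \
            and SIDELOAD_HOST in ev["data"].lower():
        return f"Run persistence {ev['key']} -> {ev['data']}"
    return None


def rule_task(ev):
    """T1053.005: scheduled task whose action is a cmdl32.exe outside the system dirs."""
    if ev["kind"] == "task_create" and _base(ev["action"]) == SIDELOAD_HOST \
            and not _in_system_dir(ev["action"]):
        return f"scheduled task {ev['name']} runs {ev['action']}"
    return None


def rule_child(ev):
    """T1059.003 / T1055: cmdl32.exe spawning cmd.exe or msiexec.exe."""
    if ev["kind"] == "process_create" and _base(ev["parent"]) == SIDELOAD_HOST \
            and _base(ev["image"]) in {"cmd.exe", "msiexec.exe"}:
        return f"cmdl32.exe spawned {ev['image']}"
    return None


def rule_lure_dns(ev):
    """T1566.001: resolution of the lure / template-delivery domains."""
    if ev["kind"] == "dns" and ev["query"].lower().rstrip(".") in LURE_DOMAINS:
        return f"lure domain {ev['query']}"
    return None


RULES = {"T1566.001": rule_lure_dns, "T1574.002": rule_sideload,
         "T1547.001": rule_run_key, "T1053.005": rule_task,
         "T1059.003/T1055": rule_child}


def hunt(events):
    """Return (technique, detail) for every event that trips a rule."""
    return [(t, d) for ev in events for t, r in RULES.items() if (d := r(ev))]


# Constructed telemetry: five malicious events and two benign look-alikes.
SAMPLE_EVENTS = [
    {"kind": "dns", "query": "www.microtreely.com"},
    {"kind": "image_load", "image": r"C:\Users\u\AppData\Roaming\cmdl32.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\cmpbk32.dll"},
    {"kind": "image_load", "image": r"C:\Windows\System32\cmdl32.exe",
     "loaded": r"C:\Windows\System32\cmpbk32.dll"},            # benign
    {"kind": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeInit",
     "data": r"C:\Users\u\AppData\Roaming\cmdl32.exe"},
    {"kind": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # benign
    {"kind": "task_create", "name": "OfficeUpdate",      # task name is constructed
     "action": r"C:\Users\u\AppData\Roaming\cmdl32.exe"},
    {"kind": "process_create", "parent": r"C:\Users\u\AppData\Roaming\cmdl32.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for technique, detail in hunt(SAMPLE_EVENTS):
        print(technique, detail)
```

The path check is what keeps the sideload and task rules quiet on a healthy host: cmdl32.exe and cmpbk32.dll are legitimate Windows files, so the signal is the copy running from a user-writable directory, not the file names themselves. Hash-based matching on the MD5s listed below is a useful complement but will miss the next recompiled loader.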
Indicators of Compromise
- [Domain] minzdravros[.]com – attacker-controlled site impersonating Health Ministry of Russia used in lure
- [Domain] www.miniboxmail[.]com – domain linked to the campaign infrastructure
- [Domain] www.minzdravros[.]com – domain linked to the lure setup
- [Domain] www.microtreely[.]com – domain tied to external template delivery
- [MD5] d723c18baea565c9263dca0eb3a11904 – email content hash used in the targeting email
- [MD5] 027845550d7a0da404f0f331178cb28b – docx attachment hash
- [MD5] 1f9a72dc91759cd06a0f05ac4486dda1 – docx attachment hash
- [MD5] d95bbe8a97d864dc40c9cf845aeb4e9e – docx attachment hash
- [MD5] ce02ee477e1188f0664dd65b17e83d11 – template file hash
- [MD5] 3855dc19811715e15d9775a42b1a6c55 – template file hash
- [MD5] 7dd4c80acc4dca33af0d26477efe2002 – template file hash
- [MD5] 90e6878ebfb3e962523f03f9d411b35c – loader (64-bit) hash
- [MD5] 7a371437e98c546c6649713703134727 – loader (32-bit) hash
- [MD5] 312dcd11c146323876079f55ca371c84 – dropper hash
- [MD5] 443c66275e2802c00afe2cf16f147737 – dropper hash
- [MD5] fd73eeead785470f79536e9eb2eb6ef2 – dropper hash
- [MD5] 176d7239887a9d0dd24e2cce904277bc – loader hash (old campaign)
- [MD5] daa1da9b515a32032bc621e71d4ae4ca – loader hash (old campaign)
- [MD5] e3072cc3f99dd3a32801e523086d9bb1 – loader hash (old campaign)
- [MD5] 06865195c326ff587b2c0bed16021d08 – loader hash (old campaign)
- [MD5] 25f3da186447794de5af2fa3ff3bcf23 – loader hash (old campaign)
- [MD5] 6d4bf8dd4864f9ac564d3c9661b99190 – loader hash (old campaign)
- [Domain] img.elliotterusties[.]com – reference domain observed in related campaigns