SOC Prime Bias: Critical

01 Jul 2026 09:05 UTC

Aquatic Panda (Earth Lusca): Campaigns, Malware, and TTPs

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Aquatic Panda is a China-aligned APT group focused on intelligence gathering and industrial espionage. The group uses a diverse malware arsenal, including SprySOCKS, ShadowPad, and BIOPASS RAT, to target critical industries. Its operations also involve exploitation of vulnerabilities such as Log4Shell and the use of advanced rootkits to maintain stealth.

Investigation

The report outlines multiple campaigns, including Operation FishMedley and attacks involving VMware Horizon servers. It examines the technical design of the SprySOCKS backdoor, including its kernel-mode rootkit functionality and persistence features. The analysis also breaks down the group’s specific TTPs for initial access, execution, and defense evasion.

Mitigation

Organizations should validate their defenses against known Aquatic Panda tradecraft using simulation and testing platforms. Key mitigations include patching Log4j vulnerabilities such as CVE-2021-44228 and monitoring for unauthorized scheduled tasks or suspicious Windows service changes. Strong endpoint detection is also essential for identifying DLL sideloading and process injection activity.

Response

If Aquatic Panda activity is detected, responders should isolate affected systems immediately to stop lateral movement. Investigations should focus on unauthorized registry changes, especially within Print Processors or IFEO settings. Forensic analysis should prioritize memory collection from suspicious processes and auditing of scheduled tasks and Windows services.
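The registry review this section calls for, as an added example that is not SOC Prime's rule content: a small Python triage over constructed Sysmon-style registry SetValue records (Event ID 13 shape). It flags any Print Processor registration that is not the built-in winprint entry written by the spooler, and every IFEO Debugger write, since legitimate use of that value is rare enough to review each one. The two registry locations are the documented Windows keys; the event shape, sample paths and process names are assumptions made up for this example.

```python
import re

# Constructed Sysmon-style registry SetValue records (Event ID 13 shape).
# Sample values made up for this example, not telemetry from any incident.
SAMPLE_REGISTRY_EVENTS = [
    {   # Windows' own print processor, registered by the spooler: benign
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver",
        "Details": "winprint.dll",
        "Image": r"C:\Windows\System32\spoolsv.exe",
    },
    {   # Unknown print processor name, written by a binary in a user-writable directory
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\ppsvc\Driver",
        "Details": "ppsvc.dll",
        "Image": r"C:\Users\Public\svc.exe",
    },
    {   # IFEO Debugger set on an accessibility binary (the classic sethc.exe swap)
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
        "Details": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\reg.exe",
    },
    {   # Ordinary Run key write: outside the scope of this check
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
]

# Print processor registrations live under Print\Environments\<arch>\Print Processors;
# the Driver value names a DLL that the spooler (spoolsv.exe) will load.
PRINT_PROCESSOR_RE = re.compile(
    r"\\Control\\Print\\Environments\\[^\\]+\\Print Processors\\([^\\]+)\\Driver$", re.IGNORECASE)
# An IFEO Debugger value makes Windows start the named debugger instead of the target executable.
IFEO_DEBUGGER_RE = re.compile(
    r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.IGNORECASE)

KNOWN_PRINT_PROCESSORS = {"winprint"}               # the built-in one shipped with Windows
SPOOLER_IMAGE = r"c:\windows\system32\spoolsv.exe"  # the process expected to write these keys


def triage_registry_event(event):
    """Return a finding dict for a suspicious Print Processor or IFEO write, else None."""
    target = event["TargetObject"]
    writer = event.get("Image", "").lower()

    m = PRINT_PROCESSOR_RE.search(target)
    if m:
        name = m.group(1)
        if name.lower() in KNOWN_PRINT_PROCESSORS and writer == SPOOLER_IMAGE:
            return None
        return {"reason": "print_processor", "name": name,
                "value": event["Details"], "writer": event.get("Image")}

    m = IFEO_DEBUGGER_RE.search(target)
    if m:
        # Surface every Debugger write; the reviewer decides whether it is sanctioned.
        return {"reason": "ifeo_debugger", "name": m.group(1),
                "value": event["Details"], "writer": event.get("Image")}
    return None


def triage_registry_events(events):
    """Run the check over a batch of records and keep only the findings."""
    return [f for f in (triage_registry_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in triage_registry_events(SAMPLE_REGISTRY_EVENTS):
        print(finding)
```

On the constructed batch the check returns two findings (the ppsvc print processor and the sethc.exe Debugger) and stays silent on the spooler's own winprint write and the Run key entry. The writer process is part of the verdict on purpose: a print processor added by anything other than spoolsv.exe, or by a binary living under Users\Public, is what the response section's "unauthorized registry change" looks like in telemetry.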

Attack Flow

```mermaid
flowchart TD
    step_resource_development["Resource Development: Registering homoglyph domains and staging JNDI/Log4Shell tools"]
    step_initial_access["Initial Access: Exploiting Log4j (CVE-2021-44228) in VMware Horizon"]
    step_execution["Execution: PowerShell download cradles, cmd/C with curl/wget, Scheduled Tasks, and Windows Services"]
    step_persistence["Persistence: Creating Windows Services, Scheduled Tasks, and Print Processor DLL registration"]
    step_privilege_escalation["Privilege Escalation: IFEO injection and Access Token Manipulation via CreateProcessAsUserW"]
    step_defense_impairment["Defense Impairment: Modifying Windows Host Firewall with ICMPv6 impersonation"]
    step_credential_access["Credential Access: LSASS memory dumping, SAM/SYSTEM hive theft, browser credential theft, and Password Filter DLL"]
    step_discovery["Discovery: Enumerating services, processes, system info, and software security products"]
    step_collection["Collection: Keylogging and data archiving with WinRAR"]
    step_command_and_control["Command and Control: TCP/UDP/WebSockets with AES-128 and WFP-based Traffic Signaling"]
    step_stealth["Stealth: Kernel-mode rootkit (RawWNPF), Process Injection, DLL Side-Loading, and Sandbox Evasion"]
    rules_for_step_stealth("<b>Rule Name</b>: Suspicious Process Path (via cmdline)<br/><b>Rule ID</b>: f28587e8-2aa1-4e6b-bdd1-ad0ce520346a")
    step_exfiltration["Exfiltration: Data transfer via C2 or Dropbox (dbxcli)"]
    step_resource_development -->|leads_to| step_initial_access
    step_initial_access -->|leads_to| step_execution
    step_execution -->|leads_to| step_persistence
    step_persistence -->|leads_to| step_privilege_escalation
    step_privilege_escalation -->|leads_to| step_defense_impairment
    step_defense_impairment -->|leads_to| step_credential_access
    step_credential_access -->|leads_to| step_discovery
    step_discovery -->|leads_to| step_collection
    step_collection -->|leads_to| step_command_and_control
    step_command_and_control -->|leads_to| step_stealth
    step_stealth -->|leads_to| step_exfiltration
    step_stealth -.->|detected_by| rules_for_step_stealth
```

Detections

  • Possible Data Compression for Infiltration or Exfiltration (via cmdline), SOC Prime Team, 30 Jun 2026
  • Possible Services Enumeration (via cmdline), SOC Prime Team, 30 Jun 2026
  • Possible SAM/SYSTEM/SECURITY Dumping (via cmdline), SOC Prime Team, 30 Jun 2026
  • Possible Credential Dumping Using Comsvcs.dll (via cmdline), SOC Prime Team, 30 Jun 2026
  • Possible credential dumping using comsvcs.dll (via powershell), SOC Prime Team, 30 Jun 2026
  • Suspicious Firewall Modifications via CLI (via cmdline), SOC Prime Team, 30 Jun 2026
  • Abnormal System Process Chain (via process_creation), SOC Prime Team, 30 Jun 2026
  • Possible Accessibility Features via Registry Abuse (via cmdline), SOC Prime Team, 30 Jun 2026
  • Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event), SOC Prime Team, 30 Jun 2026
  • Suspicious Service Creation for Persistence (via system), SOC Prime Team, 30 Jun 2026
  • Service Image Operations by Rare Process (via registry_event), SOC Prime Team, 30 Jun 2026
  • Suspicious Executable/Script Execution Location via [cmd.exe /C] (via cmdline), SOC Prime Team, 30 Jun 2026
  • Call Suspicious .NET Classes/Methods from Powershell CommandLine (via process_creation), SOC Prime Team, 30 Jun 2026
  • Schtasks Points to Suspicious Directory / Binary / Script (via cmdline), SOC Prime Team, 30 Jun 2026
  • Suspicious Process Path (via cmdline), SOC Prime Team, 30 Jun 2026
  • Process Hollowing Memory Allocation [Windows Sysmon], SOC Prime AI Rules, 30 Jun 2026
  • Registry Modifications for Debugger Hijacking and Print Processor Persistence [Windows Registry Event], SOC Prime AI Rules, 30 Jun 2026
  • Scheduled Task Creation and PowerShell Malicious Download [Windows Process Creation], SOC Prime AI Rules, 30 Jun 2026

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: An adversary intends to perform process hollowing to hide malicious code inside a legitimate process. To test whether the current (albeit flawed) detection triggers, the simulation launches powershell.exe from its standard location under System32. This mimics the first stage of a Living-off-the-Land (LotL) intrusion, in which the adversary starts from a standard system tool before moving on to activity such as memory injection or credential harvesting. The goal is to generate a Process Creation event whose Image field contains a backslash, which is all the detection logic currently requires.

  • Regression Test Script:

    ```powershell
    # Simulating a process launch that satisfies the (weak) detection logic
    # This mimics the start of an adversary session using a standard tool
    $targetProcess = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    Write-Host "Executing: $targetProcess"
    Start-Process -FilePath $targetProcess -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command Write-Host 'Simulation Active'"
    ```

  • Cleanup Commands:

    ```powershell
    # No persistent changes made; no cleanup required for this simulation.
    Write-Host "Simulation cleanup complete."
    ```
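The simulation above exercises a rule that fires on any Image value containing a backslash, which every Windows process satisfies, so a passing regression test says little about the rule. As an added example that is not SOC Prime's rule logic, the Python below runs that weak check and a tighter one side by side over constructed process-creation records: the tighter check flags executables in user-writable directories and copies of well-known Windows binaries running outside their installed location. The same path test is what the Mitigation section's monitoring of scheduled-task and service binaries needs, and it generalises the page's "Suspicious Executable/Script Execution Location" and "Schtasks Points to Suspicious Directory" rule names. The directory lists, expected-home table, event shape and sample paths are assumptions made up for this example.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 shape); not real telemetry.
# The first record mirrors the regression script above; the rest are made-up contrasts.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Write-Host 'Simulation Active'"},
    {"Image": r"C:\Users\Public\powershell.exe",                      # renamed/copied LOLBin
     "CommandLine": r"C:\Users\Public\powershell.exe -w hidden -enc AAAA"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",         # dropper-style location
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Program Files\Vendor\app.exe",                    # ordinary installed software
     "CommandLine": r"C:\Program Files\Vendor\app.exe --service"},
]


def weak_rule(event):
    """The logic the simulation targets: true for any Image containing a backslash."""
    return "\\" in event["Image"]


# Directories a normal installed workload rarely executes from but a dropper commonly does.
SUSPICIOUS_DIRS = re.compile(
    r"^[a-z]:\\("
    r"users\\[^\\]+\\appdata\\local\\temp\\|"
    r"users\\public\\|"
    r"users\\[^\\]+\\downloads\\|"
    r"windows\\temp\\|"
    r"programdata\\|"
    r"\$recycle\.bin\\|"
    r"perflogs\\)",
    re.IGNORECASE,
)

# Windows binaries that should only run from their installed location (assumed table).
EXPECTED_HOMES = {
    "powershell.exe": ("c:\\windows\\system32\\windowspowershell\\v1.0\\",
                       "c:\\windows\\syswow64\\windowspowershell\\v1.0\\"),
    "cmd.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "rundll32.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "regsvr32.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
}


def refined_rule(event):
    """Return a reason string when the image path itself is suspicious, else None."""
    low = event["Image"].lower()
    if SUSPICIOUS_DIRS.match(low):
        return "executable in user-writable location"
    name = low.rsplit("\\", 1)[-1]
    homes = EXPECTED_HOMES.get(name)
    if homes and not any(low.startswith(h) for h in homes):
        return f"{name} running outside its expected directory"
    return None


def compare_rules(events):
    """Evaluate both rules per record: (image, weak_fires, refined_reason)."""
    return [(e["Image"], weak_rule(e), refined_rule(e)) for e in events]


if __name__ == "__main__":
    for image, weak, refined in compare_rules(SAMPLE_PROCESS_EVENTS):
        print(f"{'WEAK ' if weak else '     '}{'TIGHT' if refined else '     '}  {image}  {refined or ''}")
```

Run against the four records, the weak rule fires on all of them, including the vendor application, while the refined rule fires only on the Users\Public copy of powershell.exe and the Temp-directory binary. Note that the regression script on this page, which starts powershell.exe from its real System32 path, would not trip the refined rule at all: a simulation has to exercise the condition the rule is supposed to catch, not merely a field the rule happens to read.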