#ThreatThursday - Deep Panda

This week we interviewed Bradford Regeski, a Cyber Threat Intelligence analyst at H-ISAC, about the top threats the healthcare industry is seeing. He shared a number of excellent resources on threat actors, told us a little more about H-ISAC, and dove deeper into Deep Panda. As usual, we took this Cyber Threat Intelligence about Deep Panda to create an adversary emulation plan, this time targeting Linux systems, showed you how to emulate the adversary, and discuss defending against threat actors targeting the healthcare industry. As a reminder, SCYTHE has an open offer for healthcare organizations to use our platform, for free, until the end of the year. It is our way of giving back to a community we have all relied on this year.

Cyber Threat Intelligence

This week we learned about H-ISAC and received some great Cyber Threat Intelligence based on their primary focus: sharing timely, actionable, and relevant information with each other including intelligence on threats, incidents and vulnerabilities.

Brad referenced an excellent resource that is TLP:White, meaning we can share it publicly, from the Health Sector CyberSecurity Coordination Center (HC3). Within this document we can obtain more information about Deep Panda who, like Orangeworm, has a number of TTPs attributed to their behavior and also a number of malware:

This week, we will focus on emulating malware in Linux and have chosen Derusbi to be the example. Here is the Threat Profile for Deep Panda using Derusbi:





Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to Deep Panda. 

Derusbi is malware used by multiple Chinese APT groups. Both Windows and Linux variants have been observed


Maintain and sell access to compromised environments

Command and Control

T1573 - Encrypted Channel

T1573.001 - Symmetric Cryptography

T1008 - Fallback Channels

T1095 - Non-Application Layer Protocol

T1571 - Non-Standard Port

Defense Evasion

T1070 - Indicator Removal on Host

T1070.006 - Timestomp

T1070.004 - File Deletion

T1055 - Process Injection

T1055 - Process Injection

T1055.001 - Dynamic-link Library Injection

T1055.001 - Dynamic-link Library Injection

T1218 - Signed Binary Proxy Execution

T1218.010 - Regsvr32


T1059 - Command and Scripting Interpreter

T1059.004 - Unix Shell


T1083 - File and Directory Discovery

T1057 - Process Discovery

T1012 - Query Registry

T1082 - System Information Discovery

T1033 - System Owner/User Discovery


T1123 - Audio Capture

T1056 - Input Capture

T1056 - Input Capture

T1056.001 - Keylogging

T1056.001 - Keylogging

T1113 - Screen Capture

T1125 - Video Capture

Like last week’s Orangeworm post, we are now providing the ATT&CK Navigator Layers for Deep Panda and Derusbi so you can quickly visualize the TTPs they leverage.

Adversary Emulation Plan

This is the first #ThreatThursday where we emulate a Linux malware so let’s walk through these steps. Creating a Linux campaign is very similar to the Windows campaigns we have done: 

  • Select New Campaign under the Campaign Manager dropdown menu on the left.
  • Give the campaign a name
  • Select Linux as the Target operating system
  • Add a start date and end date (optional)
  • Select the communication module. In this case, we will do HTTPS
  • Select the parameters or upload a profile
  • Click Next

On the Automate Campaign screen we will import our existing threat that was created by our Sales Engineer, Sean Sun:

  • Click Existing Threats under the Compound Actions menu
  • Select an existing threat, in this case Desrubi
  • Click Add Steps

Deep Panda, like Sandworm, lives off the land which means you will be able to execute most of these commands without the SCYTHE automation, manually from a console. However, SCYTHE does have the uploader and downloader module which allows you to move files to and from the Virtual File System. This is very convenient for an operator. All the steps can be extracted from the JSON file hosted on our community threats.

Defend against Deep Panda

Like many other malware families, defense against Deep Panda should be first centered around detection of unexpected behaviors. As demonstrated above, Deep Panda uses its access to create files; this creates an initial important touchpoint in which a defender could be alerted if file creation is occurring in an unexpected manner on this Linux system. Monitoring for unexpected file system changes, or package installation, can be even more critical for systems with no standardized Antivirus or EDR deployments, which is often the case for Linux endpoints. Finally, it is worth reiterating that using a robust permissions model, including implementing and tuning tools such as SELinux, can be critical in protecting vital Linux-based infrastructure.


This week we learned about H-ISAC and the work they are doing to collaborate with the Healthcare sector. We want to thank Brad for spending some time with us and talking about Deep Panda. We consumed Cyber Threat Intelligence from various sources and created a Linux variant of Desrubi. We learned how to create and run a Linux campaign as well as some manual commands that can be executed if you do not have SCYTHE yet. Lastly, we covered how to defend against Linux malware. We hope you enjoyed our #ThreatThursday and thanks again to Brad for coming on the show.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.

About Health-ISAC

H-ISAC is a trusted global community of critical infrastructure owners and operators within the Healthcare and Public Health sector (HPH). The community is primarily focused on sharing timely, actionable and relevant information with each other including intelligence on threats, incidents and vulnerabilities. Shared data can include indicators of compromise, tactics, techniques and procedures (TTPs) of threat actors, advice and best practices, mitigation strategies and other valuable material. Sharing can occur via machine to machine or human to human. H-ISAC also fosters the building of relationships and networking through a number of educational events in order to facilitate trust. Working groups and committees focus on topics and activities of importance to the sector. Shared Services offer enhanced services to leverage the H-ISAC community for the benefit of all.

Latest Posts

Threat Thursday: February
February 22,2024
Threat Thursday: January
January 18,2024