Horde Panda
Actor Type | Nation State |
---|---|
Attributed to Nation | China |
HORDE PANDA is a China-based intrusion set tracked by CrowdStrike with a likely intelligence collection mission. Active since at least mid-2023, HORDE PANDA primarily focuses on entities in the telecommunications sector in South Asia. The group has been observed using malware families including KEYPLUG, ShadowPad, Proxip, and PlugX, which are commonly associated with China-based threat actors. Their operations involve using multiple compromised identities to embed themselves deeper into networks and move laterally, often gaining initial access through VPN IP ranges.
Between late June 2023 and early August 2023, CrowdStrike detected suspicious activity linked to HORDE PANDA at a South Asian telecommunications provider. The adversary attempted to perform a DCSync attack, later establishing persistence using implants such as LuaPlug and KEYPLUG.