Twisted Panda: Check Point Research unveils a Chinese APT espionage campaign against Russian state-owned defense institutes

Key findings:

  • Check Point Research (CPR) unveils a targeted campaign against at least two research institutes in Russia, which are part of the Rostec corporation, a state-owned defense conglomerate.
  • This campaign is a continuation of what is believed to be a long-running espionage operation against Russian-related entities that has persisted since at least July 2021. The operation may still be ongoing, as the most recent activity was observed in April 2022.
  • This activity was attributed to a Chinese threat actor, with possible connections to Stone Panda (aka APT10), a sophisticated and experienced nation-state-backed actor, and Mustang Panda, another proficient China-based cyber espionage group. The campaign has been dubbed Twisted Panda to reflect the sophistication of the tools observed and the attribution to China.
  • The hackers use new tools, which have not previously been described: a sophisticated multi-layered loader and a backdoor dubbed SPINNER. These tools use advanced evasion and anti-analysis techniques such as multi-layer in-memory loaders and compiler-level obfuscations.


In the past two months, Check Point Research (CPR) observed multiple APT groups attempting to leverage the Russia and Ukraine conflict and sanctions against Russian companies as baits for espionage operations. It comes as no surprise that Russian entities themselves became an attractive target for spear-phishing campaigns that are exploiting the sanctions imposed on Russia by western countries. These sanctions have put enormous pressure on the Russian economy, and specifically on organizations in multiple Russian industries.
The investigation showed that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. Researchers estimate with high confidence that the campaign was carried out by an experienced and sophisticated Chinese nation-state APT. This report will reveal the tactics and techniques used by the threat actors and provide a technical analysis of the observed malicious stages and payloads, including previously unknown loaders and backdoors with multiple advanced evasion and anti-analysis techniques.

Spear-phishing campaign

By definition, spear phishing is a highly targeted phishing attack. Like any phishing attack, it can be performed over a variety of different media – email, SMS, social media, etc. – but spear phishing emails are the most common. As a type of phishing, spear phishing operates very similarly to other phishing attacks, but the process of crafting the phishing message is a bit different.
On March 23, malicious emails targeted several defense research institutes based in Russia. The emails, which had the subject “List of <target institute name> persons under US sanctions for invading Ukraine”, contained a link to an attacker-controlled site mimicking the Health Ministry of Russia minzdravros[.]com and had a malicious document attached:

Figure 1: Spear-phishing email sent to research institutions in Russia.

All the attached  documents were crafted to look like official documents from the Russian Ministry of Health, bearing its official emblem and title:

Figure 2: Screenshot of the lure document sent to research institutions in Russia.

On the same day, a phishing email of similar type was also sent to an unknown entity in Minsk, Belarus with the subject “US Spread of Deadly Pathogens in Belarus.”

 Chinese-based activity

Given the tactics, techniques, and procedures (TTPs) of this operation, researchers feel confident this campaign to have been carried out by a Chinese APT threat actor. In general, Chinese groups are known to reuse and share tools. What is more, Twisted Panda campaign bears multiple overlaps with advanced and long-standing Chinese cyberespionage actors , like the control-flow obfuscations observed in SPINNER were previously used by the Chinese group APT10 and reappeared in a recent Mustang Panda espionage campaign. There is not enough strong evidence however, such as infrastructure-based connections, to point the fingers at a specific Chinese group. .

The Made in China 2025 plan defines objectives for China to become a major technological and economic power, and also identifies the sectors in which it must become a world leader, including robotics, medical equipment, and aviation. The defense research institutes that we identified as targets of this attack belong to a holding company within the Russian state-owned defense conglomerate Rostec Corporation. It is Russia’s largest holding company in the radio-electronics industry and the specific targeted research institutes’ primary focus is the development and manufacturing of electronic warfare systems, military-specialized onboard radio-electronic equipment, air-based radar stations and means of state identification. The research entities are also involved in avionics systems for civil aviation, the development of a variety of civil products such as medical equipment and control systems for energy, transportation, and engineering industries.  This campaign relies on social engineering techniques and spear phishing in particular. The purpose of the espionage operation is likely to collect information from targets inside the high-tech Russian defense industry to support China in its technological advancement and long-term plan.


To read the full investigation report go to