Glacial Panda
Glacial Panda is a China-linked threat actor conducting cyber espionage against telecommunications organizations. CrowdStrike reported that the group targets telecom entities in multiple countries, including the United States, Japan, India, and Taiwan, and exfiltrates call detail records and communications telemetry. The actor primarily targets Linux systems in telecom environments, including legacy distributions and other legacy systems. Observed intrusion chains exploit known vulnerabilities or weak passwords on internet-facing and unmanaged servers, followed by privilege escalation via CVE-2016-5195 (Dirty COW) and CVE-2021-4034 (PwnKit). CrowdStrike reported that Glacial Panda deploys trojanized OpenSSH components, tracked as ShieldSlide, to capture authentication sessions and credentials; the trojanized SSH server binary also provides backdoor access by accepting a hardcoded password for any account, including root. The group operates across the telecommunications industry and is associated in the available reporting with long-term cyber espionage operations and advanced custom malware implants. No additional aliases or sub-groups are supported by the available reporting.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- telecommunications
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns; both are known to have been exploited in the wild.
The actor's attack chains exploit known security vulnerabilities or weak passwords on internet-facing and unmanaged servers, with follow-on privilege escalation using bugs such as CVE-2016-5195 (aka Dirty COW) and CVE-2021-4034 (aka PwnKit).
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
- China-linked espionage intrusions against telecommunications organizations to access and exfiltrate call detail records and communications telemetry; targets Linux and legacy telecom systems; uses vulnerability exploitation or weak passwords, privilege escalation, living-off-the-land (LotL) techniques, and trojanized OpenSSH for credential theft and backdoor access.
- Glacial Panda is a China-linked group targeting the telecom sector, focusing on legacy Linux systems, deploying trojanized OpenSSH tools, and collecting authentication logs for lateral movement.
- China-nexus, endpoint-focused actor conducting long-dwell, stealthy intrusions for intelligence collection in telecommunications; targets Linux (including legacy) systems; deploys trojanized OpenSSH (ShieldSlide) to log authentication events and to enable lateral movement by tracking remote connections.
- Long-term cyber espionage operations using advanced custom malware implants.
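As an added defensive example (not code from the Mallory page or from CrowdStrike's reporting), the script below is a first-pass integrity check for the OpenSSH components this profile says the actor trojanizes: it re-verifies the installed OpenSSH packages through the distro package manager and, for legacy hosts without a usable package database, compares binaries against a pinned sha256 baseline captured on a known-good host. The package names and the baseline path are assumptions.

```shell
#!/bin/sh
# Added defensive example (not code from the Mallory page or CrowdStrike):
# first-pass integrity checks for OpenSSH on a Linux host. The actor
# profiled above ships trojanized sshd/ssh builds, so a changed binary
# (as opposed to a locally edited sshd_config) is the signal of interest.

# Check 1: ask the package manager to re-verify the installed OpenSSH
# packages and print changed files, dropping config/doc entries, which
# rpm -V and dpkg -V mark with a type letter (e.g. "c") in field 2.
# Returns 2 when neither rpm nor dpkg is available (legacy hosts).
pkg_mismatches() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V $(rpm -qa 'openssh*') 2>/dev/null | awk '$2 !~ /^[cdglr]$/'
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V openssh-server openssh-client 2>/dev/null | awk '$2 != "c"'
    else
        echo "no rpm/dpkg found; use baseline_mismatches" >&2
        return 2
    fi
}

# sha256 of one file, using whichever hashing tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Check 2: compare files against a baseline captured on a known-good host,
# one "<sha256>  <path>" per line ("#" starts a comment). Prints
# "MODIFIED <path>" or "MISSING <path>" for each deviation and returns 1
# if any were found, 0 when every entry matches. Run it from read-only
# media or a trusted host, since a backdoored host may also alter tools.
baseline_mismatches() {
    baseline="$1"; rc=0
    while read -r expected path; do
        case "$expected" in ''|\#*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(file_sha256 "$path")" != "$expected" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# Typical use, with an assumed baseline path:
#   baseline_mismatches /mnt/trusted/openssh-baseline.sha256 || echo "sshd tampered?"
```

A clean package verification is not proof of a clean host: a package database on a compromised legacy system can itself be stale or altered, which is why the baseline check is kept separate.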