Emissary Panda HTTP Listener

Recently, Palo Alto Networks' Unit 42 and the Saudi National Cyber Security Centre (NCSC-SA) detailed multiple intrusions against Middle Eastern government targets in which an attacker (purportedly Emissary Panda, a suspected Chinese state-sponsored adversary) compromised vulnerable Microsoft SharePoint servers and deployed a variety of intrusion tools, both public and custom.**

This blog post briefly documents the characteristics and capabilities of one such tool, an HTTP listener (first identified by NCSC-SA) that was deployed at several of these sites. Several versions of this listener exist, differing only in the names of their commands; the functionality behind each command is the same in every file.

**Note: Unit 42's reporting does not definitively attribute this activity to a single threat actor, given the use of publicly available tools, but offers that as one possible assessment. For simplicity, this blog post treats the activity as the work of a single attacker, while acknowledging that this is an important analytical caveat.

