Deep Panda deploys new rootkit “Fire Chili” by exploiting Log4shell in VMware horizon

Threat Advisories

Deep Panda deploys new rootkit “Fire Chili” by exploiting Log4shell in VMware horizon


For a detailed advisory, download the pdf file here

Deep Panda, a Chinese APT group, took advantage of the well-known Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor, rootkit, and steal sensitive data. This threat actor is primarily targeting firms in the finance, education, beauty, and tourist industries.

The attacks are carried out initially by exploiting Log4Shell (CVE-2021-44228) in the vulnerable VMware Horizon servers. These attacks launched a new PowerShell process that downloaded and executed a series of scripts, culminating in the installation of a Milestone backdoor. Milestone is intended to send information on the current system sessions to the remote server. During the attacks, a kernel rootkit called “Fire Chili” was discovered that was digitally signed with stolen certificates from game development companies, allowing it to avoid detection by security software.

The Mitre TTPs commonly used by Deep Panda are:

TA0042: Resource Development       
TA0001: Initial Access       
TA0002: Execution       
TA0003: Persistence     
TA0004: Privilege Escalation       
TA0005: Defense Evasion       
TA0007: Discovery       
TA0009: Collection       
TA0010: Exfiltration
TA0043: Reconnaissance
T1190: Exploit Public-Facing Application
T1041: Exfiltration Over C2 Channel
T1082: System Information Discovery
T1036: Masquerading
T1083: File and Directory Discovery
T1592: Gather Victim Host Information
T1014: Rootkit
T1620: Reflective Code Loading
T1113: Screen Capture
T1569.002: System Services: Service Execution
T1059.001: Command and Scripting Interpreter: PowerShell
T1027.002: Obfuscated Files or Information: Software Packing
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1588.003: Obtain Capabilities: Code Signing Certificates
T1574.002: Hijack Execution Flow: DLL Side-Loading

Actor Details


Vulnerability Details


Indicators of Compromise


Patch Links