Liminal Panda
Liminal Panda is a China-nexus cyber espionage threat actor focused on telecommunications and related critical infrastructure. The actor is also tracked as CL-STA-0969 and Pepper Typhoon. Cited reporting states that CL-STA-0969 heavily overlaps with activity CrowdStrike began tracking in 2024 as Liminal Panda; Palo Alto Networks assessed with high confidence that the activity is associated with a nation-state nexus and connected to Beijing, while CrowdStrike assessed with low confidence that Liminal Panda has a connection to official Chinese hacking operations.

The group is known for compromising telecom operator networks to collect subscriber information, call metadata, SMS messages, and location-related data, and has been described as having a deep understanding of mobile protocols. Victim sectors mentioned in the reporting include telecommunications organizations and telecom infrastructure in Southeast Asia, Southwest Asia, South Asia, Africa, Latin America, and the EU telecommunications sector; additional targeting includes government agencies and military entities in Latin America. Observed activity from February to November 2024 targeted mobile telecom networks in Southeast Asia and critical telecommunications infrastructure in Southwest Asia.

Initial access was assessed as likely originating from SSH brute-force attacks using username and password dictionaries tailored to telecommunications equipment. The actor then deployed custom and public tooling, maintained persistent access, and emphasized stealth and operational security. Reported defense evasion and OPSEC measures include process-name masquerading, timestomping, DNS tunneling, routing traffic through compromised mobile operators, clearing authentication logs, and weakening or disabling SELinux by setting it to permissive mode.
Tooling and malware associated in the reporting with CL-STA-0969/Liminal Panda include CordScan, NoDepDNS, AuthDoor, GTPDoor, EchoBackdoor, ChronosRAT (also called MystRodX), an SGSN emulator, Microsocks, FRP, FScan, and Responder. CordScan is described as a custom network scanning and packet-capture utility capable of capturing common mobile telecom communication protocols, including SGSN traffic, and is associated with collecting mobile location-related data. NoDepDNS tunnels communications over port 53. AuthDoor is described as a PAM backdoor that captures credentials and supports persistent access. GTPDoor tunnels command-and-control over GTP-C signaling. EchoBackdoor uses ICMP echo traffic for command execution. ChronosRAT/MystRodX is described as a modular Linux backdoor with an AES-encrypted configuration and support for passive wake-up via crafted DNS or ICMP packets.

The reporting also notes overlap with activity previously attributed to LightBasin, and states that as of October 2025 CrowdStrike updated its findings and attributed intrusions previously attributed to LightBasin to Liminal Panda instead. Related overlaps mentioned include LightBasin, UNC1945, UNC2891, and UNC3886.
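Several of the host-level behaviours listed above (SSH password brute-forcing for initial access, switching SELinux to permissive mode, and clearing or timestomping authentication logs) leave traces in ordinary Linux telemetry. The following detector is an added example written for this profile; it is not code from Mallory, CrowdStrike, or Palo Alto Networks. It assumes syslog-format sshd lines and auditd MAC_STATUS and EXECVE records, and all sample log lines, hostnames, timestamps and IP addresses are constructed (documentation address ranges), not indicators from the reporting. Thresholds are assumptions to tune per environment.

```python
"""Heuristic detectors for three Liminal Panda tradecraft items:
SSH brute-force bursts, SELinux set to permissive, and auth-log tampering.
Input is a list of log lines (sshd syslog + auditd). All sample data below
is constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# sshd failed-login line in syslog format (assumed layout)
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# auditd MAC_STATUS record, written when SELinux enforcement changes
MAC_STATUS = re.compile(r"type=MAC_STATUS .*enforcing=(?P<new>\d) old_enforcing=(?P<old>\d)")
# auditd EXECVE record; sample uses plain quoted argv (real auditd may hex-encode)
EXECVE = re.compile(r"type=EXECVE .*?(?P<args>(?:a\d+=\"[^\"]*\"\s*)+)")
ARG = re.compile(r"a\d+=\"([^\"]*)\"")

AUTH_LOGS = ("/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog",
             "/var/log/secure", "/var/log/auth.log", "/var/run/utmp")
CLEAR_CMDS = {"truncate", "rm", "shred", "unlink"}
STOMP_FLAGS = ("-r", "-d", "-t", "--reference", "--date")


def _ssh_ts(s, year=2024):
    # syslog timestamps carry no year; assume one for the example
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: total_failures} for sources with >= threshold failed
    logins inside any sliding window of window_s seconds."""
    fails = defaultdict(list)
    for line in lines:
        m = SSH_FAIL.match(line)
        if m:
            fails[m["ip"]].append(_ssh_ts(m["ts"]))
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


def detect_selinux_permissive(lines):
    """Return audit lines where SELinux moved from enforcing to permissive."""
    return [l for l in lines
            if (m := MAC_STATUS.search(l)) and m["old"] == "1" and m["new"] == "0"]


def detect_authlog_tampering(lines):
    """Return (kind, argv) for EXECVE records that clear ('clear') or
    re-stamp ('timestomp') authentication log files."""
    findings = []
    for line in lines:
        m = EXECVE.search(line)
        if not m:
            continue
        argv = ARG.findall(m["args"])
        if not argv or not any(a in AUTH_LOGS for a in argv):
            continue
        cmd = argv[0].rsplit("/", 1)[-1]
        if cmd in CLEAR_CMDS:
            findings.append(("clear", argv))
        elif cmd == "touch" and any(a.startswith(STOMP_FLAGS) for a in argv[1:]):
            findings.append(("timestomp", argv))
    return findings


# Constructed sample telemetry (placeholders, not indicators from reporting)
SAMPLE_LOGS = [
    "Feb 12 03:14:01 sgsn01 sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
    "Feb 12 03:14:03 sgsn01 sshd[4125]: Failed password for invalid user operator from 203.0.113.45 port 51024 ssh2",
    "Feb 12 03:14:04 sgsn01 sshd[4127]: Failed password for root from 203.0.113.45 port 51026 ssh2",
    "Feb 12 03:14:06 sgsn01 sshd[4129]: Failed password for invalid user test from 203.0.113.45 port 51028 ssh2",
    "Feb 12 03:14:09 sgsn01 sshd[4131]: Failed password for invalid user guest from 203.0.113.45 port 51030 ssh2",
    # a single mistyped password from an admin host: must not trigger
    "Feb 12 09:02:11 sgsn01 sshd[5001]: Failed password for root from 198.51.100.7 port 40011 ssh2",
    "type=MAC_STATUS msg=audit(1707707700.101:811): enforcing=0 old_enforcing=1 auid=1000 ses=4",
    'type=EXECVE msg=audit(1707707710.220:812): argc=3 a0="truncate" a1="-s0" a2="/var/log/btmp"',
    'type=EXECVE msg=audit(1707707715.330:813): argc=4 a0="touch" a1="-r" a2="/etc/hosts" a3="/var/log/wtmp"',
    'type=EXECVE msg=audit(1707707720.440:814): argc=2 a0="ls" a1="/var/log"',
]

if __name__ == "__main__":
    print("ssh brute-force:", detect_ssh_bruteforce(SAMPLE_LOGS))
    print("selinux permissive:", detect_selinux_permissive(SAMPLE_LOGS))
    print("auth-log tampering:", detect_authlog_tampering(SAMPLE_LOGS))
```

The brute-force check keys on failure rate per source rather than on a username list, so it does not depend on knowing which dictionary the actor used; the MAC_STATUS check fires only on the enforcing-to-permissive transition, so routine audits of an already-permissive host stay quiet; and the EXECVE check requires both a tampering command and an authentication-log path, which keeps ordinary log rotation out of the results.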
Tradecraft
23 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
18 malware families attributed to this actor across reporting.
13 additional families tracked in Mallory.
Observables
23 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as an example of a state-sponsored espionage group in the telecom surveillance landscape.
Telecom-focused espionage actor known for compromising telecom operator networks to collect subscriber information, call metadata, and SMS messages using customized signaling tools.
Targeting government agencies, telecom providers, and military entities in Latin America.
State-sponsored cluster targeting Southeast Asian telecommunications to enable remote control over compromised networks.