FEBRUARY 26, 2026
LIMINAL PANDA, a suspected China-nexus cyber-espionage actor, has recently emerged as an active player in the global threat landscape. The group began operating around 2020 and has focused its intelligence collection on a range of high-value targets in East Asia, Southeast Asia, and Western nations engaged in research and development of advanced technologies, including semiconductors, defense technologies, and telecommunications. While not (yet) a well-known actor like APT41 or Mustang Panda, LIMINAL PANDA shows an accelerating trajectory of capability development, combining traditional phishing with sophisticated cloud exploitation and supply chain compromise.
In many regards, LIMINAL PANDA’s operations reflect China’s long-term strategy of targeting and acquiring critical technological and defense knowledge from overseas sources. The targeting of chip and semiconductor development and artificial intelligence (AI) research lends support to Beijing’s long-term technological strategy for regional and global dominance of these markets through initiatives such as “Made in China 2025.” The evolution of LIMINAL PANDA’s campaigns also suggests an increasing focus on intellectual property compromise, alongside investment in strategic (defense) espionage to compete with peer and near-peer nations in technological innovation and geopolitical leverage.

The attribution strongly suggests sponsorship by, or at a minimum considerable tolerance from, the Chinese state. The group’s targeting methods and tool overlaps also fit into established Chinese espionage clusters, especially Earth Lusca, Mustang Panda, and RedHotel. Analysts assess with moderate confidence that some aspects of LIMINAL PANDA are operating on behalf of a regional bureau of China’s Ministry of State Security (MSS).
The motivations for LIMINAL PANDA’s campaigns are as follows:
1. Strategic Technology Acquisition: Theft of semiconductor designs, data regarding semiconductor manufacturing, and research of advanced materials.
2. Defense and Intelligence Collection: Targeting information regarding military research and development (R&D), dual-use technologies, and defense procurement activities.
3. Regional Political Monitoring: Intention to gather intelligence regarding security collaboration and political relations regarding Taiwan and the Western allies in the Indo-Pacific region.
LIMINAL PANDA’s objectives in the semiconductor and artificial intelligence (AI) sectors are clearly aligned with the broader industrial and military modernization objectives of China.
LIMINAL PANDA’s TTPs embody the hallmarks of contemporary Chinese cyber-espionage: prolonged duration, stealth, and the use of legitimate services to evade detection. The group demonstrates a clear progression from spearphishing to more sophisticated exploitation of cloud identity and supply chain compromise.
LIMINAL PANDA primarily gains initial access through targeted phishing campaigns masquerading as technology vendors or research associates. The group regularly delivers malicious PDF or ZIP files carrying dropper code that deploys variants of PlugX or ShadowPad malware. The group has also been seen exploiting vulnerable VPN and web servers, or compromising cloud environments using stolen authentication tokens.
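The ZIP-borne dropper described above is a mail-gateway problem before it is an endpoint problem. The following is an added example (not code from the original post or from any vendor named here) of a defensive archive triage that inspects a ZIP in memory and flags the usual lure patterns: executable members, "document.pdf.exe" double extensions, whitespace padding that hides the real extension, nested archives, and members whose first bytes are a PE header regardless of their name. The extension lists and the sample archive are constructed assumptions.

```python
import io
import zipfile

# File extensions that have no business inside a "document" archive from a vendor
# or research partner (assumed list; extend it to match your environment)
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".lnk", ".js", ".vbs", ".hta",
                         ".msi", ".ps1", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def scan_archive(data: bytes):
    """Return a list of {"name", "reasons"} for suspicious members of a ZIP file.

    The archive is inspected in memory; nothing is written to disk or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
                # "datasheet.pdf.exe" style lures: the part before the real
                # extension is a document type
                if len(parts) >= 3 and "." + parts[-2].strip() in DOCUMENT_EXTENSIONS:
                    reasons.append("double extension masquerading as a document")
            if "  " in base:
                # runs of spaces push the real extension out of view in file pickers
                reasons.append("whitespace padding in filename")
            if ext == ".zip":
                reasons.append("nested archive")
            # A PE image starts with "MZ" whatever it is named
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header under a non-executable extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Construct a small ZIP in memory that mimics a phishing lure.

    Constructed data: the "MZ" members are four-byte stubs, not real executables.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quote.pdf", b"%PDF-1.4 constructed benign document")
        zf.writestr("datasheet.pdf                          .exe", b"MZ\x90\x00")
        zf.writestr("readme.txt", b"MZ\x90\x00")
        zf.writestr("helper.dll", b"MZ\x90\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["name"].strip(), "->", ", ".join(finding["reasons"]))
```

The magic-byte check is the one worth keeping even if the extension lists drift: a renamed PE still starts with `MZ`, so the name-based rules catch the lure and the content rule catches the payload.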
After gaining access, LIMINAL PANDA maintains persistence through scheduled tasks, registry modification, and abuse of cloud permissions. Recent activity in 2024-2025 has involved creating malicious Azure AD applications and service principals to maintain continued access that does not depend on any malware footprint. The group’s tactics demonstrate a strong preference for identity-based persistence.
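Identity-based persistence leaves no binary to hash, but it does leave directory audit entries. As an added example (not from the original post), the script below walks constructed Azure AD audit records modelled on the `directoryAudits` schema (`activityDisplayName`, `initiatedBy`, `targetResources`), flags application and service-principal operations, and raises severity when one initiator performs several of them inside a short window, the pattern a new persistence app tends to produce. The operation names, the burst threshold and the sample log are assumptions to tune per tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Audit operations that create or extend identity-based persistence. The names follow
# the activityDisplayName convention of Azure AD directory audit records; treat the
# exact set as an assumption and tune it to your tenant.
PERSISTENCE_OPERATIONS = {
    "Add application",
    "Add service principal",
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
    "Consent to application",
}

# Constructed sample audit log (JSON lines), not real tenant data
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2025-04-02T01:12:09Z", "activityDisplayName": "Add member to group", "initiatedBy": {"user": {"userPrincipalName": "j.lee@example-corp.test"}}, "targetResources": [{"displayName": "Engineering"}]}
{"activityDateTime": "2025-04-02T01:40:31Z", "activityDisplayName": "Add application", "initiatedBy": {"user": {"userPrincipalName": "a.chen@example-corp.test"}}, "targetResources": [{"displayName": "Backup Sync Helper"}]}
{"activityDateTime": "2025-04-02T01:41:05Z", "activityDisplayName": "Add service principal", "initiatedBy": {"user": {"userPrincipalName": "a.chen@example-corp.test"}}, "targetResources": [{"displayName": "Backup Sync Helper"}]}
{"activityDateTime": "2025-04-02T01:43:50Z", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "a.chen@example-corp.test"}}, "targetResources": [{"displayName": "Backup Sync Helper"}]}
{"activityDateTime": "2025-04-02T09:15:00Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example-corp.test"}}, "targetResources": [{"displayName": "m.park"}]}
{"activityDateTime": "2025-04-03T14:02:17Z", "activityDisplayName": "Add application", "initiatedBy": {"user": {"userPrincipalName": "devops@example-corp.test"}}, "targetResources": [{"displayName": "CI Pipeline"}]}
"""


def parse_audit_log(text):
    """Parse one JSON audit record per line."""
    return [json.loads(line) for line in text.strip().splitlines()]


def _initiator(entry):
    # An operation can be initiated by a user or by another app (service principal)
    who = entry.get("initiatedBy", {})
    actor = who.get("user") or who.get("app") or {}
    return actor.get("userPrincipalName") or actor.get("displayName") or "unknown"


def find_identity_persistence(entries, window=timedelta(hours=24), burst=3):
    """Flag persistence-style directory operations.

    Each matching operation is a medium finding; it becomes high when the same
    initiator performed at least `burst` such operations within `window`.
    """
    findings = []
    times_by_actor = defaultdict(list)
    for entry in entries:
        op = entry["activityDisplayName"]
        if op not in PERSISTENCE_OPERATIONS:
            continue
        when = datetime.fromisoformat(entry["activityDateTime"].replace("Z", "+00:00"))
        actor = _initiator(entry)
        target = entry["targetResources"][0]["displayName"]
        findings.append({"time": when, "actor": actor, "operation": op,
                         "target": target, "severity": "medium"})
        times_by_actor[actor].append(when)
    for finding in findings:
        near = [t for t in times_by_actor[finding["actor"]]
                if abs(t - finding["time"]) <= window]
        if len(near) >= burst:
            finding["severity"] = "high"
    return findings


if __name__ == "__main__":
    for f in find_identity_persistence(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f["severity"].upper(), f["time"].isoformat(), f["actor"], f["operation"], "->", f["target"])
```

The single `Add application` from the DevOps account stays medium so that it can be reviewed against change records; the create-app, create-principal, add-credential sequence from one account in three minutes is what should page someone.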
C2 communications use encrypted HTTPS, with occasional use of cloud services (Dropbox, OneDrive, Alibaba Cloud Object Storage). Blending malicious traffic with legitimate traffic adds layers of obfuscation and helps operations persist for months.
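Because the destinations are legitimate cloud storage endpoints, domain reputation will not help; timing will. As an added example (not from the original post), the script below reads constructed proxy log lines, keeps only connections to an assumed list of cloud storage domain suffixes, and flags a source/host pair whose connection intervals are both numerous and unusually regular (low coefficient of variation), which is how an implant polling a storage bucket for tasking looks next to a person syncing files. The log format, suffix list and thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed domain suffixes for the storage services named in the report
CLOUD_STORAGE_SUFFIXES = {"dropboxapi.com", "dropbox.com", "onedrive.live.com",
                          "1drv.com", "aliyuncs.com"}

# Constructed proxy log: "<timestamp> <source ip> <destination host> <port>"
# 10.0.0.5 polls Dropbox every ~300 s, 10.0.0.9 uses it irregularly,
# 10.0.0.7 touches OneDrive three times.
SAMPLE_PROXY_LOG = """
2025-04-02T08:00:00Z 10.0.0.5 api.dropboxapi.com 443
2025-04-02T09:00:00Z 10.0.0.9 content.dropboxapi.com 443
2025-04-02T08:05:00Z 10.0.0.5 api.dropboxapi.com 443
2025-04-02T09:01:00Z 10.0.0.9 content.dropboxapi.com 443
2025-04-02T08:09:58Z 10.0.0.5 api.dropboxapi.com 443
2025-04-02T09:16:00Z 10.0.0.9 content.dropboxapi.com 443
2025-04-02T08:15:00Z 10.0.0.5 api.dropboxapi.com 443
2025-04-02T09:16:30Z 10.0.0.9 content.dropboxapi.com 443
2025-04-02T08:20:00Z 10.0.0.5 api.dropboxapi.com 443
2025-04-02T09:36:30Z 10.0.0.9 content.dropboxapi.com 443
2025-04-02T08:25:01Z 10.0.0.5 api.dropboxapi.com 443
2025-04-02T09:36:35Z 10.0.0.9 content.dropboxapi.com 443
2025-04-02T08:30:00Z 10.0.0.5 api.dropboxapi.com 443
2025-04-02T09:43:15Z 10.0.0.9 content.dropboxapi.com 443
2025-04-02T08:35:00Z 10.0.0.5 api.dropboxapi.com 443
2025-04-02T10:00:00Z 10.0.0.7 onedrive.live.com 443
2025-04-02T10:02:00Z 10.0.0.7 onedrive.live.com 443
2025-04-02T10:30:00Z 10.0.0.7 onedrive.live.com 443
"""


def is_cloud_storage(host):
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def detect_cloud_beacons(text, min_events=6, max_cv=0.1):
    """Return source/host pairs whose connections to cloud storage are regular enough
    to look like beaconing: at least `min_events` connections and a coefficient of
    variation of the inter-arrival times at or below `max_cv`."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, host, _port = line.split()
        if is_cloud_storage(host):
            sessions[(src, host)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    alerts = []
    for (src, host), times in sessions.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"src": src, "host": host, "events": len(times),
                           "mean_interval_s": round(mean), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in detect_cloud_beacons(SAMPLE_PROXY_LOG):
        print(alert)
```

Real implants add jitter, so in production the threshold is a knob rather than a constant; the useful property is that a human user's intervals have a coefficient of variation near or above 1, so even a generously jittered beacon sits well below them.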
This actor uses both custom and publicly available toolsets, and has used a number of well-known tools, including:
LIMINAL PANDA uses cloud APIs to exfiltrate data, frequently packaged as encrypted archives. The actor also routinely signs malicious binaries with stolen client certificates or self-signed certificates to bypass antivirus detection, and regularly clears logs to remove traces of its operations.
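Both habits described above are detectable: clearing a Windows event log writes its own event (Security ID 1102, System ID 104), and a code signature can be judged on more than "is it signed". As an added example (not from the original post), the script below flags log-clearing events in constructed JSON telemetry and triages constructed signer metadata for self-signed certificates, issuers outside an allow-list, and serials on a compromised-certificate list. The event IDs are real; the telemetry, the issuer allow-list and the revoked-serial list are constructed placeholders.

```python
import json

# Event IDs that record audit-log clearing on Windows: 1102 (Security log cleared)
# and 104 (System channel: an event log was cleared). Both IDs are real.
LOG_CLEAR_EVENT_IDS = {1102: "Security log cleared", 104: "Event log cleared"}

# Constructed endpoint telemetry (JSON lines): a logon, both log-clear events,
# then a new service installation (7045) on the same host
SAMPLE_EVENTS = """
{"TimeCreated": "2025-04-02T02:10:44Z", "EventID": 4624, "Channel": "Security", "Computer": "RD-WS-014", "SubjectUserName": "a.chen"}
{"TimeCreated": "2025-04-02T02:58:03Z", "EventID": 1102, "Channel": "Security", "Computer": "RD-WS-014", "SubjectUserName": "a.chen"}
{"TimeCreated": "2025-04-02T02:58:05Z", "EventID": 104, "Channel": "System", "Computer": "RD-WS-014", "SubjectUserName": "a.chen"}
{"TimeCreated": "2025-04-02T03:00:00Z", "EventID": 7045, "Channel": "System", "Computer": "RD-WS-014", "SubjectUserName": "SYSTEM"}
"""

# Constructed allow-list of code-signing issuers and constructed list of compromised
# certificate serials (placeholders; a real deployment feeds these from CA data and CRLs)
TRUSTED_ISSUERS = {"CN=Trusted Public CA"}
REVOKED_SERIALS = {"3f9a0c"}

# Constructed signer metadata as an EDR would report it for three binaries
SAMPLE_BINARIES = [
    {"path": "C:\\ProgramData\\sync\\updater.exe",
     "signer": {"subject": "CN=Example Vendor Ltd", "issuer": "CN=Example Vendor Ltd", "serial": "01"}},
    {"path": "C:\\Windows\\Temp\\svc.dll",
     "signer": {"subject": "CN=Real Client Co", "issuer": "CN=Trusted Public CA", "serial": "3f9a0c"}},
    {"path": "C:\\Program Files\\Vendor\\app.exe",
     "signer": {"subject": "CN=Real Client Co", "issuer": "CN=Trusted Public CA", "serial": "7b21e4"}},
]


def find_log_clearing(text):
    """Return one alert per log-clearing event, with who did it on which host."""
    alerts = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        what = LOG_CLEAR_EVENT_IDS.get(ev["EventID"])
        if what:
            alerts.append({"time": ev["TimeCreated"], "host": ev["Computer"],
                           "user": ev["SubjectUserName"], "channel": ev["Channel"], "what": what})
    return alerts


def triage_signatures(binaries):
    """Return the binaries whose signature should not be trusted, with reasons.

    A self-signed certificate has issuer == subject; a stolen certificate is usually
    only caught by its serial appearing on a revocation or compromise list.
    """
    results = []
    for binary in binaries:
        cert = binary["signer"]
        reasons = []
        if cert["issuer"] == cert["subject"]:
            reasons.append("self-signed certificate")
        elif cert["issuer"] not in TRUSTED_ISSUERS:
            reasons.append("issuer not in allow-list")
        if cert["serial"] in REVOKED_SERIALS:
            reasons.append("certificate serial is revoked or known compromised")
        if reasons:
            results.append({"path": binary["path"], "reasons": reasons})
    return results


if __name__ == "__main__":
    for alert in find_log_clearing(SAMPLE_EVENTS):
        print("LOG CLEARED", alert)
    for hit in triage_signatures(SAMPLE_BINARIES):
        print("UNTRUSTED SIGNATURE", hit)
```

Forwarding events to a collector before they can be cleared is the control that makes the first function useful: 1102 on the endpoint tells you the local copy is gone, the central copy is where the preceding activity still lives.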

LIMINAL PANDA’s track record shows developing technical sophistication as well as an expanding geographic scope:
The success of these operations indicates the actor has considerable capability to adapt quickly and exploit human and technical weaknesses persistently while maintaining low operational noise.
LIMINAL PANDA’s evolution mirrors the wider modernization of Chinese cyber espionage. In its infancy, the group used commodity malware and traditional phishing. Between 2023 and 2025, analysts observed a substantive shift towards:
These developments place LIMINAL PANDA in a new generation of Chinese espionage units that prioritize stealth and long-term data acquisition over quick exploitation. Its approach resembles that of Earth Lusca and RedGolf, but with a heavy focus on semiconductor and technology research.
The strategic implications of LIMINAL PANDA’s activity are significant. Semiconductor technology will play a central role in future defense systems, further AI innovations, and economic competition. By targeting this sector, the group advances Beijing’s strategic objective of reducing imports and achieving technological self-sufficiency.
LIMINAL PANDA embodies the next generation of nimble, cloud-native Chinese espionage operations. While it lacks the long legacy of groups such as APT10 or APT41, the group has quickly embraced some of the latest techniques for exploiting both cloud identity systems and the human layer of security. By targeting semiconductors, AI, and defense technologies, the group directly supports China’s strategic industrial ambitions and military modernization.
As we look to 2025, LIMINAL PANDA’s development points to an increased risk of cyber-espionage activity targeting the advanced technology ecosystem. Its activity previews a future in which cloud compromise, identity abuse, and supply chain intrusion replace traditional malware as the espionage model. Defending against these threats will require not only robust technical controls but also an advanced understanding of the strategic motivations driving state-sponsored cyber operations in the 21st century.
You can download and review the sheet for all the details!
