Deep Panda, a China-based threat group, was found targeting VMware Horizon servers with the Log4Shell exploit. The attacks have been observed deploying a novel rootkit named Fire Chili.

What has happened?

Researchers from Fortinet have discovered a Deep Panda campaign using the Fire Chili rootkit.
  • The rootkit is signed digitally with stolen certificates from Frostburn Studios and Comodo to stay undetected.
  • The goal behind these attacks seems to be cyberespionage where attackers steal sensitive information.

About the rootkit

Fire Chili helps keep file operations, registry key additions, processes, and malicious network connections concealed from the user and security software running on the targeted machine.
  • Upon launching, the rootkit performs some basic tests to make sure it's not running in a simulated environment, ensuring that the kernel structures/objects to be abused during the operation are present.
  • The supported operating system version for Fire Chili is Windows 10 Creators Update, (released in April 2017). 
  • The rootkit uses dynamically configurable IOCTLs (input/output control system calls) for the hiding function.

A connection to Winnti

When the researchers looked into the recent Deep Panda campaign, they discovered various overlaps with Winnti, a Chinese group known for abusing digitally signed certificates.


Deep Panda seems to be highly active these days and uses a Windows-based novel rootkit - Fire Chili. The rootkit uses a unique code base, different from previously affiliated tools with the group. This indicates that its operators are looking forward to enhancing their capabilities.
Cyware Publisher