CrowdStrike's detailed investigation into the VANGUARD PANDA threat actor's activities highlights sophisticated intrusions targeting U.S.-based critical infrastructure entities, in which the actor exploited vulnerabilities in ManageEngine Self-service Plus and Apache Tomcat to gain and maintain access. The threat actor employed a variety of techniques, including webshells, living-off-the-land tactics, and backdoored Apache Tomcat libraries for persistent access, while attempting to hinder forensic analysis by clearing logs and deleting artifacts. The investigation revealed that VANGUARD PANDA left behind generated Java source and compiled class files, which provided key evidence of its activities. CrowdStrike's Falcon Complete managed detection and response team, working with Falcon OverWatch and CrowdStrike Intelligence, identified, contained, and remediated the intrusion and offered actionable recommendations to prevent future incidents. The company emphasizes the importance of proactive threat hunting and collaboration between its teams in protecting clients against advanced adversaries, and highlights its commitment to cybersecurity excellence.
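Two of the artifact classes named above (Jasper-generated Java source and class files, and tampered Tomcat libraries) lend themselves to a simple host-side hunt. Tomcat's JSP engine writes each page's `<name>_jsp.java` and `<name>_jsp.class` under its `work/` directory, and those files are not removed when the originating `.jsp` is deleted, so they can outlive a webshell. The script below is an added example written for this page, not CrowdStrike's code or tooling. It assumes a Tomcat-style layout with `lib/` and `work/` directories and a baseline manifest of `lib/*.jar` SHA-256 hashes that the defender recorded from a known-clean install; the directory tree, JAR contents and file names it operates on are constructed in a temporary directory purely for the demonstration.

```python
"""Hunt for leftover JSP compilation artifacts and tampered Tomcat library JARs.

Added example (not CrowdStrike's or the Tomcat project's code). Assumes a
Tomcat-style tree with lib/ and work/, and a defender-maintained baseline of
{jar filename: sha256} taken from a clean install of the same Tomcat version.
"""
import hashlib
import tempfile
from pathlib import Path

# Jasper (Tomcat's JSP compiler) emits <page>_jsp.java and <page>_jsp.class
# under work/; these persist even after the original .jsp page is deleted.
JSP_ARTIFACT_SUFFIXES = ("_jsp.java", "_jsp.class")


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of a file, so large JARs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_generated_jsp_artifacts(work_dir: Path) -> list[str]:
    """Relative POSIX paths of every Jasper-generated source/class file under work/."""
    return sorted(
        p.relative_to(work_dir).as_posix()
        for p in work_dir.rglob("*")
        if p.is_file() and p.name.endswith(JSP_ARTIFACT_SUFFIXES)
    )


def verify_lib_jars(lib_dir: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff lib/*.jar against the clean-install baseline.

    modified   -> present in both, hash differs (candidate backdoored library)
    unexpected -> present on disk, absent from baseline (dropped-in library)
    missing    -> in baseline, absent on disk (removed or renamed library)
    """
    current = {p.name: sha256_file(p) for p in lib_dir.glob("*.jar")}
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "unexpected": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def run_demo() -> dict:
    """Build a constructed Tomcat-like tree, simulate tampering, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lib, work = root / "lib", root / "work"

        # Clean state: two library files with constructed placeholder bytes (not real JARs).
        _write(lib / "catalina.jar", b"constructed clean catalina bytes")
        _write(lib / "tomcat-util.jar", b"constructed clean util bytes")
        baseline = {p.name: sha256_file(p) for p in lib.glob("*.jar")}

        # Simulated post-intrusion state: one library replaced, one added, and
        # Jasper output left behind although the webshell .jsp itself is gone.
        _write(lib / "tomcat-util.jar", b"constructed tampered util bytes")
        _write(lib / "extra-helper.jar", b"constructed unexpected jar bytes")
        jsp_out = work / "Catalina" / "localhost" / "ROOT" / "org" / "apache" / "jsp"
        _write(jsp_out / "index_jsp.java", b"// constructed generated source")
        _write(jsp_out / "index_jsp.class", b"\xca\xfe\xba\xbe constructed")
        _write(work / "Catalina" / "localhost" / "ROOT" / "notes.txt", b"unrelated file")

        result = verify_lib_jars(lib, baseline)
        result["artifacts"] = find_generated_jsp_artifacts(work)
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host, point `find_generated_jsp_artifacts` at `$CATALINA_BASE/work` and cross-check every hit against the `.jsp` files actually deployed under `webapps/`; an artifact with no matching page is worth a closer look, and the generated `.java` source is readable evidence of what the page did. The baseline for `verify_lib_jars` should come from a clean install of the exact Tomcat version, since any upgrade legitimately changes the hashes.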