8.9 C
New York
Friday, December 1, 2023

Mustang Panda Hackers Targets Philippines Authorities Amid South China Sea Tensions

Nov 21, 2023NewsroomCyber Assault / Cyber Espionage

Mustang Panda Hackers

The China-linked Mustang Panda actor has been linked to a cyber assault focusing on a Philippines authorities entity amid rising tensions between the 2 international locations over the disputed South China Sea.

Palo Alto Networks Unit 42 attributed the adversarial collective to 3 campaigns in August 2023, primarily singling out organizations within the South Pacific.

“The campaigns leveraged reputable software program together with Strong PDF Creator and SmadavProtect (an Indonesian-based antivirus resolution) to sideload malicious recordsdata,” the corporate stated.

“Risk authors additionally creatively configured the malware to impersonate reputable Microsoft visitors for command and management (C2) connections.”


Mustang Panda, additionally tracked below the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is assessed to be a Chinese language superior persistent risk (APT) energetic since no less than 2012, orchestrating cyber espionage campaigns focusing on non-governmental organizations (NGOs) and authorities our bodies throughout North America, Europe, and Asia.

In late September 2023, Unit 42 additionally implicated the risk actor to assaults aimed toward an unnamed Southeast Asian authorities to distribute a variant of a backdoor known as TONESHELL.

The most recent campaigns leverage spear-phishing emails to ship a malicious ZIP archive file that accommodates a rogue dynamic-link library (DLL) that is launched utilizing a method known as DLL side-loading. The DLL subsequently establishes contact with a distant server.

It is assessed that the Philippines authorities entity was probably compromised over a five-day interval between August 10 and 15, 2023.

The usage of SmadavProtect is a recognized tactic adopted by Mustang Panda in latest months, having deployed malware expressly designed to bypass the safety resolution.


“Stately Taurus continues to reveal its capacity to conduct persistent cyberespionage operations as one of the vital energetic Chinese language APTs,” the researchers stated.

“These operations goal a wide range of entities globally that align with geopolitical subjects of curiosity to the Chinese language authorities.”

The disclosure comes as a South Korean APT actor named Higaisa has been uncovered focusing on Chinese language customers by means of phishing web sites mimicking well-known software program purposes similar to OpenVPN.

“As soon as executed, the installer drops and runs Rust-based malware on the system, subsequently triggering a shellcode,” Cyble stated late final month. “The shellcode performs anti-debugging and decryption operations. Afterward, it establishes encrypted command-and-control (C&C) communication with a distant Risk Actor (TA).”

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.

Related Articles

Latest Articles