21 November 2022

Chinese cyber spies target governments, research sectors worldwide


A China-linked cyber-espionage group has launched a series of spear-phishing attacks against government, academic, foundation, and research sector organizations across the world.

Known as Mustang Panda, Earth Preta, or Bronze President, the threat is believed to have been conducting cyber operations since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to steal data from compromised environments.

In the most recent campaign, which has been ongoing since March 2022, Mustang Panda has been targeting entities in countries across the globe, including Myanmar, Australia, the Philippines, Japan and Taiwan. The attacks involve spear-phishing emails sent from fake Google accounts.

When opened, the archive files delivered through these emails display a lure document to the victim while loading the malware in the background using the DLL side-loading technique. This ultimately leads to the delivery of the PUBLOAD stager, the TONEINS trojan (which acts as an installer for TONESHELL), and the TONESHELL backdoor, which supports various functions, including file upload, file download, file execution, and lateral movement.

“In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” Trend Micro researchers wrote.

Trend Micro notes that Mustang Panda is constantly updating its toolsets and further expanding its capabilities, with countries in Asia remaining the group's primary targets.
