21 November 2022

Chinese cyber spies target governments, research sectors worldwide

A China-linked cyber-espionage group has launched a series of spear-phishing attacks on government, academic, foundation, and research organizations across the world.

Known as Mustang Panda, Earth Preta, or Bronze President, the group is believed to have been conducting cyber operations since at least July 2018. It is known for deploying malware such as China Chopper and PlugX to steal data from compromised environments.

In the most recent campaign, under way since March 2022, Mustang Panda has targeted entities around the globe, including in Myanmar, Australia, the Philippines, Japan and Taiwan. The attacks rely on spear-phishing emails sent from fake Google accounts and carrying Google Drive links to malicious archive files.

When the archive is opened, it displays a lure document to the victim while loading the malware in the background via DLL side-loading: a legitimate executable is shipped alongside a malicious DLL that it loads by name from its own directory. This ultimately leads to the delivery of the PUBLOAD stager, the TONEINS trojan (which acts as an installer for TONESHELL), and the TONESHELL backdoor, which supports file upload, file download, file execution, and lateral movement.
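A quick triage check for the side-loading stage described above, added here as an example (it is not Trend Micro's tooling, nor anything recovered from the actor): walk an extracted archive, read each executable's PE import table, and flag any imported DLL that ships in the same directory, since the Windows loader resolves such names from the application directory before System32. The file names (Invitation.docx, Invitation.exe, version.dll) and the minimal PE built by build_sample_pe are constructed for the demonstration and are not indicators from the campaign.

```python
"""Triage an extracted phishing archive for DLL side-loading candidates (added example)."""
import struct
import tempfile
from pathlib import Path


def pe_imports(data: bytes) -> list[str]:
    """Return the lower-cased DLL names listed in a PE file's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dd_off = 112 if magic == 0x20B else 96            # data directories: PE32+ vs PE32
    n_dirs, = struct.unpack_from("<I", data, opt + dd_off - 4)
    if n_dirs < 2:
        return []
    imp_rva, = struct.unpack_from("<I", data, opt + dd_off + 8)  # directory[1] = imports
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsec):                             # section table follows the optional header
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva2off(rva: int) -> int:
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    names, off = [], rva2off(imp_rva)
    while True:
        desc = data[off:off + 20]                     # IMAGE_IMPORT_DESCRIPTOR, null entry ends the list
        if len(desc) < 20 or desc == b"\0" * 20:
            break
        name_off = rva2off(struct.unpack_from("<I", desc, 12)[0])
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace").lower())
        off += 20
    return names


def find_sideload_candidates(root: str) -> list[tuple[str, str]]:
    """(exe, dll) pairs where an executable imports a DLL that sits beside it in the archive."""
    hits = []
    for exe in sorted(p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() == ".exe"):
        local_dlls = {f.name.lower(): f.name for f in exe.parent.iterdir()
                      if f.is_file() and f.suffix.lower() == ".dll"}
        try:
            imports = pe_imports(exe.read_bytes())
        except ValueError:
            continue                                  # not a PE, or truncated: skip, don't crash triage
        hits.extend((exe.name, local_dlls[n]) for n in imports if n in local_dlls)
    return hits


def build_sample_pe(dll_names: list[str]) -> bytes:
    """Constructed 64-bit PE containing only an import directory (sample input, not a real binary)."""
    sec_rva, sec_off = 0x1000, 0x200
    ndesc = len(dll_names) + 1                        # plus the terminating null descriptor
    blob, rvas = b"", []
    for n in dll_names:
        rvas.append(sec_rva + ndesc * 20 + len(blob))
        blob += n.encode() + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in rvas) + b"\0" * 20
    idata = descs + blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)    # x64, one section, PE32+ header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, sec_rva, len(descs))           # import data directory
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), sec_rva, len(idata), sec_off, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(sec_off, b"\0") + idata


def demo() -> list[tuple[str, str]]:
    """Lay out a constructed 'extracted archive' (decoy, renamed loader, planted DLL) and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Invitation.docx").write_bytes(b"decoy document")                       # constructed lure
        (root / "Invitation.exe").write_bytes(build_sample_pe(["VERSION.dll", "kernel32.dll"]))
        (root / "version.dll").write_bytes(b"MZ stand-in for a planted payload DLL")   # kernel32 is absent: loaded from System32
        return find_sideload_candidates(d)


if __name__ == "__main__":
    print(demo())
```

Treat a hit as a reason to pull the DLL for analysis, not as a verdict: legitimate installers also ship private DLLs next to their executables, and the real signal is an unsigned or recently compiled DLL sitting beside a signed vendor binary. The parser reads only what it needs (import directory, section table) and raises on anything it cannot map, so a corrupt or truncated file is skipped rather than aborting the sweep.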

“In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” Trend Micro researchers wrote.

Trend Micro notes that Mustang Panda is constantly updating its toolset and expanding its capabilities, with countries in Asia remaining its primary focus.
