The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S.
“Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves,” Cisco Talos said in a new report detailing the group’s evolving modus operandi.
The group is known to have targeted a wide range of organizations since at least 2012, with the actor relying primarily on email-based social engineering to gain initial access and drop PlugX, a backdoor predominantly deployed for long-term access.
Phishing messages attributed to the campaign contain malicious lures masquerading as official European Union reports on the ongoing war in Ukraine or as Ukrainian government reports, both of which download malware onto compromised machines.
Also observed are phishing messages tailored to target various entities in the U.S. and several Asian countries such as Myanmar, Hong Kong, Japan, and Taiwan.
The findings follow a recent report from Secureworks that the group may have been targeting Russian government officials using a decoy containing PlugX that disguised itself as a report on the border detachment to Blagoveshchensk.
But similar attacks detected toward the end of March 2022 show that the actors are updating their tactics by shortening the remote URLs used to retrieve the different components of the infection chain.
Besides PlugX, infection chains used by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the goal of conducting espionage and information theft.
“By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft,” Talos researchers said.