The China-linked Mustang Panda actor has been linked to a cyber attack targeting a Philippines government entity amid rising tensions between the two countries over the disputed South China Sea.
Palo Alto Networks Unit 42 attributed the adversarial collective to three campaigns in August 2023, primarily singling out organizations in the South Pacific.
“The campaigns leveraged legitimate software including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution) to sideload malicious files,” the company said.
“Threat authors also creatively configured the malware to impersonate legitimate Microsoft traffic for command and control (C2) connections.”
Mustang Panda, also tracked under the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is assessed to be a Chinese advanced persistent threat (APT) active since at least 2012, orchestrating cyber espionage campaigns targeting non-governmental organizations (NGOs) and government bodies across North America, Europe, and Asia.
In late September 2023, Unit 42 also implicated the threat actor to attacks aimed at an unnamed Southeast Asian government to distribute a variant of a backdoor called TONESHELL.
The latest campaigns leverage spear-phishing emails to deliver a malicious ZIP archive file that contains a rogue dynamic-link library (DLL) that’s launched using a technique called DLL side-loading. The DLL subsequently establishes contact with a remote server.
It’s assessed that the Philippines government entity was likely compromised over a five-day period between August 10 and 15, 2023.
The use of SmadavProtect is a known tactic adopted by Mustang Panda in recent months, having deployed malware expressly designed to bypass the security solution.
“Stately Taurus continues to demonstrate its ability to conduct persistent cyberespionage operations as one of the most active Chinese APTs,” the researchers said.
“These operations target a variety of entities globally that align with geopolitical topics of interest to the Chinese government.”
The disclosure comes as a South Korean APT actor named Higaisa has been uncovered targeting Chinese users through phishing websites mimicking well-known software applications such as OpenVPN.
“Once executed, the installer drops and runs Rust-based malware on the system, subsequently triggering a shellcode,” Cyble said late last month. “The shellcode performs anti-debugging and decryption operations. Afterward, it establishes encrypted command-and-control (C&C) communication with a remote Threat Actor (TA).”