A China-based cyber espionage group, known as Mustang Panda, has been identified using new malware tools, FDMTP and PTSOCKET, in recent attacks to infiltrate government networks and steal sensitive data.
The group, also referred to as HoneyMyte, Bronze President, Earth Preta, Polaris, or Stately Taurus, has shifted to new strategies, focusing primarily on cyber-espionage against government and non-government organizations, mostly in the Asia-Pacific region, but also targeting entities worldwide.
The group’s attacks traditionally start with spear-phishing emails. However, a recent report reveals that Mustang Panda is now employing a variant of the HIUPAN worm to spread the PUBLOAD malware across networks via infected removable drives. The HIUPAN worm disguises itself by moving its files into a hidden directory, leaving only a deceptive file named “USBConfig.exe” visible to trick users into executing it.
PUBLOAD serves as the main malware tool in these attacks. It infiltrates the target system through DLL side-loading, establishes persistence by modifying the Windows Registry, and performs reconnaissance to map the network.
Alongside PUBLOAD, Mustang Panda has introduced a new malware called FDMTP, embedded in the data section of a DLL and also deployed using DLL side-loading techniques.
Researchers indicate that the group’s recent data collection focuses on documents such as .DOC, .DOCX, .XLS, .XLSX, .PDF, and .PPT files, which are typically packed into RAR archives and limited to files from specified dates. The stolen data is exfiltrated via PUBLOAD using the cURL tool, although the attackers also use a custom file transfer tool named PTSOCKET, based on the TouchSocket protocol over DMTP.
In June, the group was observed executing a rapid spear-phishing campaign to deploy the DOWNBAIT downloader, which retrieves decoy documents and executes the PULLBAIT malware in memory.
This is followed by the deployment of a first-stage backdoor named CBROVER, which is digitally signed to avoid detection. The hackers also used PLUGX malware to introduce additional tools like FILESAC, which collects various document files, including .DOC, .XLS, .PDF, .DWG, .PPTX, and .DOCX, and exfiltrates them.
The group has also been seen using cloud services such as Google Drive for data exfiltration and is suspected of abusing Microsoft OneDrive, although the specific tools used for this remain unidentified. The report highlights that Mustang Panda, tracked as Earth Preta, continues to evolve its malware tactics, with significant advancements in deploying malicious tools in highly targeted campaigns aimed at government entities, including military, police, foreign affairs, welfare departments, and educational institutions in the APAC region.
To defend against such sophisticated attacks, organizations should prioritize strengthening their cybersecurity posture by implementing multi-layered security controls, including advanced threat detection tools, regular system updates, and employee training programs to recognize phishing attempts.
Employing strong endpoint protection and monitoring for unusual network activity, particularly around removable drives and external storage devices, can help detect and mitigate threats before they infiltrate critical systems.
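As an added, defensive example that is not code from the article or from the researchers it cites, the Python script below triages the root of a removable drive for the layout the article attributes to the HIUPAN worm: a single visible executable (the article names USBConfig.exe) next to a hidden directory into which the remaining files have been moved. The scoring rule, the directory and file names, and the two constructed sample drives it builds are assumptions made for this demonstration; on Windows "hidden" means the HIDDEN file attribute, while on POSIX the script falls back to the dot-prefix convention so it can be run anywhere.

```python
"""Triage a removable-drive root for a lure-executable-plus-hidden-directory layout.

Added detection example, not code from the article or from any vendor report.
The layout it looks for follows the article's description of the HIUPAN worm;
the scoring rule and the sample drives built below are constructed assumptions.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path: Path) -> bool:
    """Windows: HIDDEN attribute. POSIX: leading dot (assumption so the example runs off Windows)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def triage_drive_root(root: Path) -> dict:
    """Return indicators found at the top level of a (removable) drive root."""
    visible_files, visible_dirs, hidden_dirs = [], [], []
    for entry in root.iterdir():
        if entry.is_dir():
            (hidden_dirs if is_hidden(entry) else visible_dirs).append(entry)
        elif entry.is_file() and not is_hidden(entry):
            visible_files.append(entry)

    visible_exes = [f for f in visible_files if f.suffix.lower() in EXECUTABLE_SUFFIXES]
    # Hidden directories that contain executables are where a worm would park its real payload.
    hidden_with_exe = [
        d for d in hidden_dirs
        if any(p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES for p in d.rglob("*"))
    ]
    # Heuristic (assumption): exactly one executable left in view, no visible folders at all,
    # and executables tucked into a hidden folder matches the described lure layout.
    suspicious = len(visible_exes) == 1 and not visible_dirs and bool(hidden_with_exe)
    return {
        "visible_executables": [f.name for f in visible_exes],
        "hidden_dirs_with_executables": [d.name for d in hidden_with_exe],
        "suspicious": suspicious,
    }


def _make_hidden_dir(path: Path) -> None:
    """Create a directory the triage will treat as hidden on the current platform."""
    path.mkdir()
    if os.name == "nt":
        import ctypes  # set the HIDDEN attribute on Windows
        ctypes.windll.kernel32.SetFileAttributesW(str(path), FILE_ATTRIBUTE_HIDDEN)


def build_sample_drive(base: Path) -> Path:
    """Constructed sample mimicking the described layout (placeholder bytes, not real files)."""
    root = base / "fake_usb"
    root.mkdir()
    (root / "USBConfig.exe").write_bytes(b"MZ-placeholder")          # the only visible file
    hidden = root / ("sys_cache" if os.name == "nt" else ".sys_cache")  # constructed name
    _make_hidden_dir(hidden)
    (hidden / "loader.exe").write_bytes(b"MZ-placeholder")
    (hidden / "report.docx").write_bytes(b"PK-placeholder")
    return root


def build_clean_drive(base: Path) -> Path:
    """Constructed benign drive: a normal folder and a text file, nothing hidden."""
    root = base / "clean_usb"
    root.mkdir()
    (root / "Photos").mkdir()
    (root / "Photos" / "holiday.jpg").write_bytes(b"JPEG-placeholder")
    (root / "notes.txt").write_text("shopping list")
    return root


def demo() -> tuple:
    """Build both constructed samples in a temporary directory and triage each."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        return triage_drive_root(build_sample_drive(base)), triage_drive_root(build_clean_drive(base))


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python triage_usb.py E:\  or  /media/usb
        print(triage_drive_root(Path(sys.argv[1])))
    else:
        bad, good = demo()
        print("sample lure drive:", bad)
        print("sample clean drive:", good)
```

Run it with a mounted drive root as the only argument to triage a real device, or with no arguments to see the two constructed samples scored. The rule is deliberately narrow so it produces few alerts; loosening it (for example, flagging any hidden directory containing executables) trades precision for recall and should be tuned against drives the organisation actually uses.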