APT group Earth Preta (aka Mustang Panda and Bronze President) has launched a new wave of large-scale spear-phishing campaigns. It is targeting multiple sectors worldwide with several malware families, including TONEINS, TONESHELL, and PUBLOAD.

The campaign

According to Trend Micro researchers, Earth Preta is targeting government, academic, foundations, and research sectors in Myanmar, Australia, the Philippines, Japan, Taiwan, and other Asia Pacific countries.
  • Active since March, it is sending spear-phishing emails using fake Google accounts. These emails deliver a malware-embedded malicious archive file through Google Drive links, Dropbox links, or other IP addresses hosting the files.
  • The archive file (such as rar/zip/jar) contains legitimate executables, as well as sideloaded DLLs. These files are indeed stolen documents from targeted organizations. Owners of Google Drive links and senders of the spear-phishing emails are the same.
  • The emails lure the targeted victims with subject headings pertaining to geopolitical discussions, regional affairs, and pornographic materials. It tricks them into downloading and executing TONEINS, TONESHELL, and PUBLOAD malware.

About the malware

  • First disclosed in May, PUBLOAD is a stager that can download the next-stage payload from its C2 server. Embedded with debug strings, PUBLOAD is capable of distracting analysts from the main infection routines.
  • TONESHELL is a shellcode loader and a standalone backdoor without any installer capabilities. It is obfuscated to slow down malware analysis and contains anti-sandbox and anti-analysis techniques.
  • TONEINS works as the installer for TONESHELL backdoors and it establishes the persistence for TONESHELL malware.

Researchers have found A, B, and C variants of TONESHELL that indicates it is evolving and becoming more capable.

Additional insights

  • Earth Preta uses code obfuscation and custom exception handlers for evading detection and analysis.
  • It uses stolen documents and familiar account names connected to specific organizations to lure the victims. It indicates that the attackers were able to conduct research and, potentially, prior breaches on the target organizations.
  • The names of the stolen files suggest it had breached the Embassy of the Republic of Myanmar, the Japan Society for the Promotion of Science (JSPS), and others.


Earth Preta is known to develop its own loaders in combination with existing tools such as PlugX and Cobalt Strike for compromise. The reuse of sensitive stolen documents as the entry vectors for the new wave of intrusions largely broadens the scope of the attacks. Its evolved TTPs indicate that it is constantly updating its toolsets and further expanding its capabilities.
Cyware Publisher