Mustang Panda has been launching phishing campaigns against European and Russian entities. The China-based group appears to have been active since the Russian invasion of Ukraine and uses relevant news to lure its victims.

A new wave of attacks

Since February, Mustang Panda has been observed targeting European Union, U.S., Asian, and Russian entities.
  • The gang is primarily using topical lures and social engineering to fool victims into infecting themselves. Some of the phishing messages included lures pretending to be official European Union reports on the ongoing conflict in Ukraine and its effects on NATO countries.
  • In some cases, the group has used summit- and conference-themed lures in Asia and Europe. It aims to gain as much long-term access as possible to carry out espionage and information theft operations.
  • Further, Mustang Panda has been using political themes to propagate PlugX malware as well.

Technical details

A general infection chain used by Mustang Panda includes three key components: a benign executable, a malicious DLL (loader), and the PlugX implant, along with stagers and reverse shells.
  • Additionally, Mustang Panda infections deploy bespoke stagers that download additional shellcode from a remote location to be deployed on the compromised endpoint.
  • Another type of stager, used in late 2021, was a DLL-based implant that decodes and runs Meterpreter reverse-HTTP payloads to download and run more payloads from the C2.
The group has regularly evolved its delivery mechanisms, including malicious archives, shortcut files, maldocs, and more recently, downloaders.
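
A defender-side illustration of the benign executable plus malicious DLL (loader) pairing described above, added here and not taken from the original report: it scans image-load telemetry for a signed executable running from a user-writable directory that loads an unsigned DLL sitting next to it. The event field names, paths and sample records are constructed, and the premise that the loader DLL is dropped beside the executable is an assumption of this example, not something the page states.

```python
import ntpath

# Directories a standard user can write to; a constructed list, tune per environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def is_user_writable(path):
    """True if the (Windows) path falls under one of the user-writable markers."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def suspicious_loads(events):
    """Return image-load events matching the benign-EXE + loader-DLL pattern.

    An event is flagged when a signed executable runs from a user-writable
    directory and loads an unsigned DLL from that same directory.
    """
    hits = []
    for ev in events:
        exe_dir = ntpath.dirname(ev["image"]).lower()
        dll_dir = ntpath.dirname(ev["image_loaded"]).lower()
        if (ev["image_signed"] and not ev["loaded_signed"]
                and exe_dir == dll_dir and is_user_writable(exe_dir + "\\")):
            hits.append(ev)
    return hits

# Constructed sample telemetry (hypothetical field names and paths).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\report\viewer.exe", "image_signed": True,
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\report\helper.dll", "loaded_signed": False},
    {"image": r"C:\Program Files\Vendor\viewer.exe", "image_signed": True,
     "image_loaded": r"C:\Program Files\Vendor\helper.dll", "loaded_signed": True},
    {"image": r"C:\Users\bob\Downloads\tool.exe", "image_signed": True,
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"image": r"C:\Program Files\Vendor\app.exe", "image_signed": True,
     "image_loaded": r"C:\Program Files\Vendor\plugin.dll", "loaded_signed": False},
]

if __name__ == "__main__":
    for ev in suspicious_loads(SAMPLE_EVENTS):
        print("review:", ev["image"], "->", ev["image_loaded"])
```

A hit is a lead for review rather than a verdict; legitimate portable applications can match the same pattern.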

What to do?

Experts suggest defense-in-depth strategies, using a risk analysis approach to deliver the best protection against threat groups such as Mustang Panda. Further, organizations are advised to use incident response plans that are reviewed and improved after every real cyber event.
Cyware Publisher