Mustang Panda

A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world.

The primary targets of the intrusions from May to October 2022 included counties in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report.

Mustang Panda, also called Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor believed to be active since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to collect data from compromised environments.


Activities of the group chronicled by ESET, Google, Proofpoint, Cisco Talos, and Secureworks this year have revealed the threat actor's pattern of using PlugX (and its variant called Hodur) to infect a wide range of entities in Asia, Europe, the Middle East, and the Americas.

The latest findings from Trend Micro show that Mustang Panda continues to evolve its tactics in a strategy to evade detection and adopt infection routines that lead to the deployment of bespoke malware families like TONEINS, TONESHELL, and PUBLOAD.

Mustang Panda

"Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links," researchers Nick Dai, Vickie Su, and Sunny Lu said.

Initial access is facilitated through decoy documents that cover controversial geopolitical themes to entice the targeted organizations into downloading and triggering the malware.

In some cases, the phishing messages were sent from previously compromised email accounts belonging to specific entities, indicating the efforts undertaken by the Mustang Panda actor to increase the likelihood of the success of its campaigns.


The archive files, when opened, are designed to display a lure document to the victim, while stealthily loading the malware in the background through a method referred to as DLL side-loading.

The attack chains ultimately lead to the delivery of three malware families – PUBLOAD, TONEINS, and TONESHELL – which are capable of downloading next-stage payloads and flying under the radar.

TONESHELL, the main backdoor used in the attacks, is installed through TONEINS and is a shellcode loader, with an early version of the implant detected in September 2021, suggesting continued efforts on part of the threat actor to update its arsenal.

"Earth Preta is a cyber espionage group known to develop their own loaders in combination with existing tools like PlugX and Cobalt Strike for compromise," the researchers concluded.

"Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.