Search results for PANDA | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks. "The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by exploiting internet-facing appliances," CrowdStrike said in a Thursday report. Murky Panda, also known as Silk Typhoon (formerly Hafnium), is best known for its zero-day exploitation of Microsoft Exchange Server flaws in 2021. Attacks mounted by the hacking group have targeted government, technology, academic, legal, and professional services entities in North America. Earlier this March, Microsoft detailed the threat actor's shift in tactics, detailing its targeting of the information technology (IT) supply chain as a means to obtain initial access to corporate networks....

The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting continued effort by the threat actors to increase the sophistication and effectiveness of their malware. This includes updated versions of a known backdoor called TONESHELL , as well as a new lateral movement tool dubbed StarProxy, two keyloggers codenamed PAKLOG, CorKLOG, and an Endpoint Detection and Response (EDR) evasion driver referred to as SplatCloak . "TONESHELL, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers," Zscaler ThreatLabz researcher Sudeep Singh said in a two-part analysis . Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta, is a China-aligned state-sponsored threat ...

In 2006, Li Jun, a Chinese man, was jailed for creating the ‘Fujacks’ worm. Recently, he appears to be attempting to rehabilitate his public image by making a donation to a panda research center in China. Li Jun was arrested in February 2007 and charged with writing and selling the "Panda Burning Joss Sticks" worm for approximately $13,000. Interestingly, Chinese police later convinced him to create a tool to repair the damage caused by the worm to infected users. The worm earned its nickname because it replaced file icons on infected PCs with the image of a stylized panda bear holding three joss sticks. Now, having been released from prison, Li Jun has reportedly donated 50,000 yuan ($7,500) to the Chengdu Research Giant Panda Breeding Center to support the care of a bear cub born there five months ago. China has a deep fascination with pandas, making this gesture a potential PR move. However, his team seemed to overextend this theme by claiming to the Xinhua news agen...

A threat actor tracked under the moniker Webworm is taking advantage of bespoke variants of already existing Windows-based remote access trojans to fly under the radar, some of which are said to be in pre-deployment or testing phases. "The group has developed customized versions of three older remote access trojans (RATs), including  Trochilus RAT ,  Gh0st RAT , and  9002 RAT ," the Symantec Threat Hunter team, part of Broadcom Software,  said  in a report shared with The Hacker News. The cybersecurity firm said at least one of the indicators of compromise (IOCs) was used in an attack against an IT service provider operating in multiple Asian countries. It's worth pointing out that all the three backdoors are primarily associated with Chinese threat actors such as Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), among others, although they have been put to use by other hacking groups. Symantec said the Webworm...

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda , which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It's assessed to be active since at least 2012. "The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims," Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. "These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests." This is not the first time Evasive Panda's DNS pois...

In an effort to combat cyberterrorism in Brazil, Panda Security has signed an agreement to support the training of the Brazilian Army’s operational agents. These agents are engaged in the battle against internet-based crime and strategic intervention for cyber warfare. Panda Security will also provide endpoint protection for 37,500 computers belonging to the Army’s Military Commands. This protection aims to counter malware, targeted attacks, and web threats. Panda’s anti-malware lab, PandaLabs, will collaborate with the Army’s Cyber-Warfare Communication Center to train individuals involved in the scientific and forensic investigation of cybercrime. The partnership will include the exchange of malware samples, with Panda providing rapid response and classification of malicious codes impacting Brazil. Brig. Gen. Antonino dos Santos Guerra Neto stated that Brazil has approximately 60,000 computers, experiencing an average of 100 probes daily across its 12 IT c...

A notorious advanced persistent threat actor known as  Mustang Panda  has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included counties in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro  said  in a Friday report.  Mustang Panda, also called Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor believed to be active since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to collect data from compromised environments. Activities of the group chronicled by  ESET ,  Google, Proofpoint ,  Cisco Talos , and  Secureworks  this year have revealed the threat actor's pattern of using PlugX (and its variant called Hodur) to infect a wide range of entities in...

At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed " Twisted Panda ," come in the backdrop of Russia's military invasion of Ukraine, prompting a  wide range  of  threat actors  to swiftly adapt their campaigns on the ongoing conflict to distribute malware and stage opportunistic attacks. They have materialized in the form of social engineering schemes with topical war and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents. Israeli cybersecurity firm Check Point, which  disclosed  details of the latest intelligence-gathering operation, attributed it a Chinese threat actor, with connections to that of  Stone Panda  (aka  APT 10 , Cicada, or Potassium) and  Mustang Panda  (aka Bronze Pres...

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints. The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located across campaigns across Myanmar, Mongolia, Malaysia, and Russia. Kaspersky, which disclosed details of the updated malware, said it's deployed as a secondary backdoor along with PlugX and LuminousMoth infections. "COOLCLIENT was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules," the Russian cybersecurity company said . "These modules relied on DLL side-loading as their primary execution method, which required a legitimate signed executable to load a malicious DLL." Betwe...

The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro. The cybersecurity firm, which is monitoring the activity cluster under the name Earth Preta, said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN." PUBLOAD is a known downloader malware linked to Mustang Panda since early 2022, deployed as part of cyber attacks targeting government entities in the Asia-Pacific (APAC) region to deliver the PlugX malware . "PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option," security researchers Lenart Bermejo, Sunny Lu, and Ted Lee said. Mustang Panda's use of re...

The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex . "Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite," Cisco Talos researcher Joey Chen said in an analysis published last week. Lotus Panda, also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, is a suspected Chinese hacking crew that's active since at least 2009. The threat actor was first exposed by Palo Alto Networks Unit 42 in June 2015 and later by Broadcom-owned Symantec three years later. In late 2022, Symantec detailed the threat actor's attack on a digital certificate authority as well as government and defense agencies located in different c...

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU). "The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week. The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay , a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It's also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls...

A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyber espionage campaign using a previously undocumented variant of the  PlugX  remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur , owing to its resemblance to another PlugX (aka Korplug) variant called  THOR  that came to light in July 2021. "Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan)," ESET malware researcher Alexandre Côté Cyr  said  in a report shared with The Hacker News. "Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia." Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a  cyber espionage group  that's primarily known for targeting non-governmental organizations with...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. "BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments," the agency said . "BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control." Written in Golang, the custom implant essentially gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-o...

A new China-linked cyber espionage group has been attributed as behind a series of targeted cyber attacks targeting telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection. Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda , describing it as possessing deep knowledge about telecommunications networks, the protocols that undergird telecommunications, and the various interconnections between providers. The threat actor's malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration. "Liminal Panda has used compromised telecom servers to initiate intrusions into further providers in other geographic regions," the company's Counter Adversary Operations team said in a Tuesday analysis. "The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunicati...

The malicious scam campaign, " The 'HoeflerText' font wasn't found ," is back, which was previously targeting Google Chrome users to trick them into installing Spora ransomware on their computers. This time the campaign has been re-designed to target Mozilla Firefox users with a banking trojan, called Zeus Panda , says   Kafeine , a security researcher at Proofpoint. Interestingly, the attackers behind this new campaign are so stupid that they forgot to change the name of the font, i.e. HoeflerText, due to which can be easily spotted. As I previously warned — Next time when you accidentally land up on a suspicious website with jumbled content prompting to update the Firefox or Chrome font pack by downloading a missing text font to read the article… Just don't download it. It's obviously a trap. Just like the previous one, the latest Firefox 'HoeflerText font wasn't found scam is also very convincing and easy to fall for. The attack in...

A nation-state activity group originating from China has been linked to cyber attacks on dozens of organizations in Taiwan as part of a suspected espionage campaign. The Microsoft Threat Intelligence team is tracking the activity under the name  Flax Typhoon , which is also known as Ethereal Panda. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks," the company  said . It further said it hasn't observed the group weaponize the access to conduct data-collection and exfiltration. A majority of the targets include government agencies, educational institutions, critical manufacturing, and information technology organizations in Taiwan. A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active si...

The Chinese nation-state group known as  Camaro Dragon  has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which  dubbed  the Go-based malware TinyNote, said it functions as a first-stage payload capable of "basic machine enumeration and command execution via PowerShell or Goroutines." What the malware lacks in terms of sophistication, it makes up for it when it comes to establishing redundant methods to retain access to the compromised host by means of multiple persistency tasks and varied methods to communicate with different servers. Camaro Dragon overlaps with a threat actor widely tracked as Mustang Panda, a state-sponsored group from China that is known to be active since at least 2012. The adversarial collective was recently in the spotlight for a custom bespoke firmware implant called  Horse Shell  that co-opts TP-Link routers into a mesh network capable of ...

The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The findings come from CrowdStrike, which is tracking the adversary under the name  Vanguard Panda . "The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," the cybersecurity company  said . Volt Typhoon, as known as Bronze Silhouette, is a  cyber espionage group  from China that's been linked to network intrusion operations against the U.S government, defense, and other critical infrastructure organizations. "This adversary has been known to leverage credentials and living-off-the-land techniques to remain hidden and move quickly through targeted environments...

The China-linked Mustang Panda actor has been linked to a cyber attack targeting a Philippines government entity amid  rising tensions  between the two countries over the disputed South China Sea. Palo Alto Networks Unit 42 attributed the adversarial collective to three campaigns in August 2023, primarily singling out organizations in the South Pacific. "The campaigns leveraged legitimate software including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution) to sideload malicious files," the company  said . "Threat authors also creatively configured the malware to impersonate legitimate Microsoft traffic for command-and-control (C2) connections." Mustang Panda, also tracked under the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is assessed to be a Chinese advanced persistent threat (APT) active since at least 2012,  orchestrating   cyber espionage   campaigns  targeting non-governmenta...