Search results for panda malware campaign | Breaking Cybersecurity News | The Hacker News

The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro. The cybersecurity firm, which is monitoring the activity cluster under the name Earth Preta, said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN." PUBLOAD is a known downloader malware linked to Mustang Panda since early 2022, deployed as part of cyber attacks targeting government entities in the Asia-Pacific (APAC) region to deliver the PlugX malware . "PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option," security researchers Lenart Bermejo, Sunny Lu, and Ted Lee said. Mustang Panda's use of re...

A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community. The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians' Convention on Tibet (WPCT), China's education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, according to IBM X-Force. The cybersecurity division of the technology company said it observed the campaign earlier this month, with the attacks leading to the deployment of a known Mustang Panda malware called PUBLOAD . It's tracking the threat actor under the name Hive0154. The attack chains employ Tibet-themed lures to distribute a malicious archive containing a benign Microsoft Word file, along with articles reproduced by Tibetan websites and photos from WPCT, into opening an executable that's disguised as a document. The executable, as observed in prior Mustang Panda atta...

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU). "The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week. The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay , a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It's also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls...

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda , which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It's assessed to be active since at least 2012. "The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims," Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. "These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests." This is not the first time Evasive Panda's DNS pois...

A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyber espionage campaign using a previously undocumented variant of the  PlugX  remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur , owing to its resemblance to another PlugX (aka Korplug) variant called  THOR  that came to light in July 2021. "Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan)," ESET malware researcher Alexandre Côté Cyr  said  in a report shared with The Hacker News. "Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia." Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a  cyber espionage group  that's primarily known for targeting non-governmental organizations with...

The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug , which has been assessed to be a subset within the APT41 cyber espionage group. It's also monitored by Cybereason under the name  Operation CuckooBees , and by Symantec as Blackfly. APT41 has been described as a highly skilled and methodical actor with the ability to mount espionage attacks as well as poison the supply chain. Its campaigns are often designed with stealth in mind, leveraging a bevy of tactics to achieve its goals by using a custom toolset that not only bypasses security software installed in the environment, but also harvests critical information and establishes covert channels for persistent remote access. "The group...

The China-linked threat actor known as Mustang Panda has targeted various Asian countries using a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS. "The piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter," Trend Micro researchers Sunny Lu and Pierre Lee  said  in a new technical write-up. Targets of DOPLUGS have been primarily located in Taiwan, and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia, Mongolia, and even China. PlugX is a staple tool of  Mustang Panda , which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex. It's known to be active since at least 2012, although it first came to light in 2017. The threat actor's tradecraft entails carrying out well-forged spear-phishing campaigns that a...

Security researchers have discovered a custom-built piece of malware that's wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems. Dubbed Operation PZChao , the attack campaign discovered by the security researchers at Bitdefender have been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States. Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group— Iron Tiger . However, this campaign has evolved its payloads to drop trojan, conduct cyber espionage and mine Bitcoin cryptocurrency. The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack tactics as of Iron Tiger, which, according to the researchers, si...

Two China-linked advanced persistent threat (APT) groups have been observed targeting entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN) as part of a cyber espionage campaign over the past three months. This includes the threat actor known as  Mustang Panda , which has been recently linked to  cyber attacks against Myanmar  as well as other Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed  DOPLUGS . Mustang Panda, also called Camaro Dragon, Earth Preta, and Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan and Singapore, targeting them with phishing emails designed to deliver two malware packages. "Threat actors created malware for these packages on March 4-5, 2024, coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024)," Palo Alto Networks Unit 42  said  in a report shared with The Hacker News. One of the malware package is a ZIP...

Google on Wednesday disclosed that the Chinese state-sponsored threat actor known as APT41 leveraged a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target multiple other government entities. "Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity," Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said . APT41, also tracked as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, RedGolf, Red Kelpie, TA415, Wicked Panda, and Winnti, is the name assigned to a prolific nation-state group known for its targeting of governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors. In July 2024, Google reve...

The advanced persistent threat (APT) group referred to as  Evasive Panda  has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ. The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The activity commenced in November 2020 and continued throughout 2021. Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been attributed to a series of  cyber espionage attacks  targeting various entities in China, Hong Kong, and other countries located in East and South Asia since at least late December 2012. The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabiliti...

A new piece of malicious malware infection targeting jailbroken Apple iOS devices in an attempt to steal users' credentials, has been discovered by Reddit users. The Reddit Jailbreak community discovered the malicious infection dubbed as ' Unflod Baby Panda ', on some jailbroken Apple iOS devices on Thursday while a user noticed an unusual activity that the file was causing apps such as Snapchat and Google Hangouts to crash constantly on his jailbroken iPhone. CHINA WANTS YOUR APPLE ID & PASSWORDS Soon after the jailbroken developer uncovered the mysteries ' Unfold.dylib ' file and found that the infection targets jailbroken iOS handsets to captures Apple IDs and passwords from Internet sessions that use Secure Socket Layer (SSL) to encrypt communications and is believed to be spreading through the Chinese iOS software sites, according to the researchers at German security firm SektionEins . The researchers found that the captured login information is been sent ...

A months-long cyber espionage campaign undertaken by a Chinese nation-state group targeted several entities with reconnaissance malware so as to glean information about its victims and meet its strategic goals. "The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea," enterprise security firm Proofpoint  said  in a published in partnership with PwC. Targets encompass local and federal Australian Governmental agencies, Australian news media companies, and global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea. Proofpoint and PwC attributed the intrusions with moderate confidence to a threat actor tracked by the two companies under the names TA423 and Red Ladon respectively, which is also known as APT40 and Leviathan. APT40 is the name designated to a China-based, espionage-motivated threat actor that's known to be active since 2013 and...

Cybersecurity researchers have shed more light on a remote access trojan (RAT) known as Deuterbear used by the China-linked  BlackTech  hacking group as part of a cyber espionage campaign targeting the Asia-Pacific region this year. "Deuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as including support for shellcode plugins, avoiding handshakes for RAT operation, and using HTTPS for C&C communication," Trend Micro researchers Pierre Lee and Cyris Tseng  said  in a new analysis. "Comparing the two malware variants, Deuterbear uses a shellcode format, possesses anti-memory scanning, and shares a traffic key with its downloader unlike Waterbear." BlackTech , active since at least 2007, is also tracked by the broader cybersecurity community under the monikers Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard. Cyber attacks orchestrated by the group have long involved the depl...

Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group called Daggerfly using an upgraded set of malware tools. The campaign is a sign that the group "also engages in internal espionage," Symantec's Threat Hunter Team, part of Broadcom, said in a new report published today. "In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware." Daggerfly, also known by the names Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework in connection with an intelligence-gathering mission aimed at telecom service providers in Africa. It's known to be operational since 2012. "Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption," the compan...

The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country.  The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as targeting various high-profile organizations in Southeast Asia since at least Oct...