
The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called MQsTTang as part of an ongoing social engineering campaign that commenced in January 2023. "Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects," ESET researcher Alexandre Côté Cyr said in a new report.

Attack chains orchestrated by the group have stepped up targeting of European entities in the wake of Russia's full-scale invasion of Ukraine last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the decoy filenames are in line with the group's previous campaigns targeting European political organizations. That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating a focus on both Europe and Asia.

Mustang Panda has a history of using a remote access trojan dubbed PlugX to achieve its objectives, although recent intrusions have seen the group expand its malware arsenal to include custom tools such as TONEINS, TONESHELL, and PUBLOAD. In December 2022, Avast disclosed another set of attacks aimed at government agencies and political NGOs in Myanmar that led to the exfiltration of sensitive data, including email dumps, files, court hearings, interrogation reports, and meeting transcripts, using a PlugX variant called Hodur and a Google Drive uploader utility.