Recent reports reveal that the Mustang Panda hacking group, linked to China, has executed a cyberattack aimed at a government entity in the Philippines. This incident occurs amidst escalating tensions between the Philippines and China concerning territorial disputes in the South China Sea, highlighting the geopolitical implications of cybersecurity in the region.
Palo Alto Networks’ Unit 42 has traced the activity to three distinct campaigns in August 2023 that targeted organizations in the South Pacific. The attackers abused legitimate, signed software, specifically Solid PDF Creator and SmadavProtect, an antivirus product from Indonesia, as the host for a technique known as DLL side-loading: a malicious DLL is dropped alongside the legitimate executable, which loads it from its own directory in place of the library it expects, so the malicious code runs inside a trusted, signed process and is harder for defenders and security products to spot.
Furthermore, the malware was configured to disguise its command-and-control (C2) connections as legitimate Microsoft traffic. The combination of a trusted host process and look-alike network traffic is, as Palo Alto Networks notes, characteristic of the group's approach to cyber espionage.
Mustang Panda, also tracked as Bronze President and Stately Taurus, is an advanced persistent threat (APT) group that has been active since at least 2012. It has run cyber-espionage campaigns against non-governmental organizations (NGOs) and government bodies across North America, Europe, and Asia; the recent activity continues that pattern, with a particular focus on Southeast Asian targets.
In late September 2023, Unit 42 also reported that Mustang Panda had attacked an unnamed Southeast Asian government using a variant of the TONESHELL backdoor. The latest campaigns rely on spear-phishing emails that deliver malicious ZIP archives containing a malicious dynamic-link library (DLL) next to a legitimate executable; when the victim runs the executable, it side-loads the DLL, which then establishes communication with the attackers' remote servers.
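As an added example that is not part of the original report, the following script shows how a defender might hunt for the side-loading pattern described above in Sysmon Event ID 7 (ImageLoaded) records. The event fields (Image, ImageLoaded, Signed, Signature) follow Sysmon's schema; the events themselves, the trusted-directory list, and the small baseline of System32 DLL names are constructed for illustration and are not taken from Unit 42's data.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (ImageLoaded) data.

Added illustration: the sample events below are constructed, not from the
Unit 42 report. Two heuristics are applied to every image-load event:
  1. a DLL loaded from the same directory as its host EXE, where that
     directory is not a normal install location and the DLL is unsigned;
  2. a same-directory DLL whose file name shadows a DLL that normally
     lives in System32 (classic search-order side-loading).
"""
from pathlib import PureWindowsPath

# Where a legitimate vendor binary normally lives. A signed EXE running from
# Downloads, Temp or a ZIP extraction folder is the first hint of a side-load.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed baseline: a handful of DLL names that ship in System32 and are
# commonly shadowed by a same-named DLL dropped next to the EXE.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "cryptsp.dll"}


def _norm(path):
    """Lower-case and normalise separators so Windows paths compare reliably."""
    return str(PureWindowsPath(path)).lower()


def classify(ev):
    """Return a reason string if `ev` looks like DLL side-loading, else None."""
    exe = PureWindowsPath(_norm(ev["Image"]))
    dll = PureWindowsPath(_norm(ev["ImageLoaded"]))
    if str(dll.parent) != str(exe.parent):
        return None  # loaded from elsewhere (e.g. System32): not side-loading
    in_trusted = any(str(exe).startswith(root) for root in TRUSTED_ROOTS)
    signed = ev.get("Signed", "false").lower() == "true"
    reasons = []
    if not in_trusted and not signed:
        reasons.append("unsigned DLL loaded from same untrusted directory as EXE")
    if dll.name in SYSTEM_DLL_NAMES:
        reasons.append(f"{dll.name} shadows a System32 DLL")
    return "; ".join(reasons) or None


def find_side_loads(events):
    """Return (Image, ImageLoaded, reason) for every event that trips a heuristic."""
    return [(e["Image"], e["ImageLoaded"], r) for e in events if (r := classify(e))]


# Constructed sample events mirroring Sysmon EID 7 fields (not real telemetry).
SAMPLE_EVENTS = [
    {   # signed PDF tool run from a Downloads folder loads an unsigned neighbour DLL
        "Image": r"C:\Users\alice\Downloads\Notice\SolidPDFCreator.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\Notice\SolidPDFCreator.dll",
        "Signed": "false", "Signature": "",
    },
    {   # same EXE loading a genuine system DLL from System32: benign
        "Image": r"C:\Users\alice\Downloads\Notice\SolidPDFCreator.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
    {   # installed app loading a version.dll from its own folder: shadows System32
        "Image": r"C:\Program Files\ExampleVendor\viewer.exe",
        "ImageLoaded": r"C:\Program Files\ExampleVendor\version.dll",
        "Signed": "true", "Signature": "ExampleVendor",
    },
    {   # installed app loading its own signed helper DLL: benign
        "Image": r"C:\Program Files\ExampleVendor\viewer.exe",
        "ImageLoaded": r"C:\Program Files\ExampleVendor\viewer.dll",
        "Signed": "true", "Signature": "ExampleVendor",
    },
]

if __name__ == "__main__":
    for image, loaded, reason in find_side_loads(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {reason}")
```

The first heuristic catches the chain described in the report (a legitimate executable unpacked from a ZIP together with an unsigned DLL); the second catches a same-named shadow of a system library even when the dropped DLL carries some signature. Both produce hunting leads rather than verdicts, so the output should be triaged against the vendor's expected file set.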
Unit 42 assesses that the Philippine government entity was likely compromised over a five-day window, from August 10 to August 15, 2023. The use of SmadavProtect is a recognizable Mustang Panda tactic: the group has previously deployed malware crafted specifically to target and bypass that security product.
The capability of Stately Taurus to conduct ongoing cyber-espionage operations reinforces its status as one of the most active Chinese APT groups. Such operations target a diverse array of organizations that align with topics of geopolitical interest to the Chinese government, further complicating the cybersecurity landscape in the region.
The disclosure coincides with a separate finding about a South Korean APT named Higaisa, which has been targeting Chinese users through phishing sites that imitate popular software such as OpenVPN. Once executed, the trojanized installer drops Rust-based malware that opens encrypted communications with a remote server, illustrating how these threats cut across national boundaries.