article featured image


State-backed Chinese hackers started a spear phishing attempt to spread personalized malware stored in Google Drive to international governmental, academic, and scientific institutions.

The attacks were observed between March and October 2022, and researchers attributed the actions to the cyber espionage group Mustang Panda (Bronze President, TA416). The majority of the organizations the threat group targeted were in Australia, Japan, Taiwan, Myanmar, and the Philippines.

Details on the Attack

The Chinese threat group used Google accounts to send luring emails to their targets, tricking them into downloading custom malware from Google Drive links. Researchers found that Mustang Panda used messages with geopolitical subjects, with 84% targeting governmental/legal organizations.

The embedded link directed the target to a Google Drive or Dropbox folder, two legitimate platforms perceived as less suspicious. These links direct you to download RAR, ZIP, and JAR compressed files that include ToneShell, ToneIns, and PubLoad-specific malware variants.

The procedure typically involved DLL side-loading once the victim started an executable contained in the archives, despite the fact that the hackers used a variety of malware-loading routines.

PubLoad, ToneIns, and ToneShell

These are the three malware strains that have been spread throughout the spear phishing campaign. Out of the three, the only one previously documented is PubLoad, which was previously used in campaigns targeting European organizations.

PubLoad is a stager responsible for creating persistence by adding registry keys and setting up scheduled activities, as well as handing C2 (command and control) communications.

The primary backdoor utilized in the most recent campaign, ToneShell, has an installer called ToneIns. It loads ToneShell while avoiding detection and creating persistence on the hacked system by using obfuscation.

ToneShell is a standalone backdoor that is loaded directly into memory and has code flow obfuscation capabilities through the use of unique exception handler implementation.

A Look at Mustang Panda

The threat group has been particularly active in the last months. The most recent effort demonstrates indicators of an enhanced toolkit and capacity for growth, which boosts the Chinese hackers’ capacity to gather information and compromise targets.

It was reported earlier this year that the Chinese group would be focusing its operations in Europe, targeting high-ranking diplomats. Also, in that period, another campaign of the group was spotted targeting Russian officials.

Researchers looked into Mustang Panda’s operations in March 2022 in Southeast Asia, South Europe, and Africa, showing that the Chinese spy gang is a global threat despite having brief bursts of concentrated activity.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

Leave a Reply

Your email address will not be published. Required fields are marked *