Close Menu
World Forbes – Business, Tech, AI & Global Insights
  • Home
  • AI
  • Billionaires
  • Business
  • Cybersecurity
  • Education
    • Innovation
  • Money
  • Small Business
  • Sports
  • Trump
What's Hot

Foreign universities hope to lure scientists from the US after Trump research cuts

May 25, 2025

Meet Hercules and Ned, the border collies fending off wildlife at West Virginia’s busiest airport

May 25, 2025

Texas is closer to putting the Ten Commandments in classrooms after a key vote

May 24, 2025
Facebook X (Twitter) Instagram
Trending
  • Foreign universities hope to lure scientists from the US after Trump research cuts
  • Meet Hercules and Ned, the border collies fending off wildlife at West Virginia’s busiest airport
  • Texas is closer to putting the Ten Commandments in classrooms after a key vote
  • An Oregon man who quit his job to set sail with his cat arrives to cheering fans in Hawaii
  • First class graduates from American University of Baghdad, once Saddam’s palace
  • You should wear sunscreen even if you have darker skin. Here’s why
  • Only 900 speakers of the Sanna language remain. Now Cyprus’ Maronites are mounting a comeback
  • US Steel shares soar on Trump’s apparent blessing for deal with Nippon | Business and Economy News
World Forbes – Business, Tech, AI & Global InsightsWorld Forbes – Business, Tech, AI & Global Insights
Sunday, May 25
  • Home
  • AI
  • Billionaires
  • Business
  • Cybersecurity
  • Education
    • Innovation
  • Money
  • Small Business
  • Sports
  • Trump
World Forbes – Business, Tech, AI & Global Insights
Home » Chinese APT Mustang Panda Updates, Expands Arsenal
Cybersecurity

Chinese APT Mustang Panda Updates, Expands Arsenal

adminBy adminApril 17, 2025No Comments3 Mins Read
Facebook Twitter Pinterest LinkedIn Tumblr WhatsApp Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email
Post Views: 29


The Chinese espionage-focused APT tracked as Mustang Panda has used an updated backdoor and several new tools in a recent attack, cybersecurity firm Zscaler reports.

Active for over a decade, the state-sponsored hacking group, also tracked as Basin, Bronze President, Earth Preta, and Red Delta, is known for targeting government and military entities, as well as NGOs and minority groups, mainly in East Asia, but also in Europe.

The threat actor has been observed using Windows zero-days in attacks, and is believed to have infected over 4,000 computers in the US with the PlugX RAT. In January, the FBI and French law enforcement used the malware’s self-delete mechanism to erase it from the infected machines.

As part of a recently observed attack against an organization in Myanmar, Mustang Panda deployed an updated version of their ToneShell backdoor, along with a new tool dubbed StarProxy, the Paklog and Corklog keyloggers, and the SplatCloak EDR evasion driver.

The APT is relying on DLL sideloading to execute its malicious payloads and evade detection, deploying all tools as libraries within archives that also contain a vulnerable executable to load them, Zscaler notes.

ToneShell, one of the most frequently used tools in Mustang Panda’s arsenal, is a second-stage backdoor that supports file manipulation and the execution of additional payloads.

Three new variants of the backdoor, identified on a staging server and through a third-party malware repository, mainly focus on payload execution and feature an updated FakeTLS command-and-control (C&C) communication protocol to evade network-based detection.

StarProxy, a new Mustang Panda tool used for lateral movement, was designed to proxy traffic between infected hosts and a C&C server, using TCP sockets over the FakeTLS protocol.

Advertisement. Scroll to continue reading.

“Given the features of the malware, and the use of command-line arguments, Mustang Panda likely uses StarProxy as a post-compromise tool to access systems that are not reachable directly over the Internet,” Zscaler notes.

The Paklog keylogger relies on high-level Windows APIs for log keystrokes and monitor the clipboard. The collected information is stored locally, as the keylogger lacks exfiltration capabilities, Zscaler explains in a technical blog post.

The Corklog keylogger stores harvested data in an encrypted file and establishes persistence by creating services or scheduled tasks on the system.

Deployed using the SplatDropper utility, the SplatCloak driver was designed to identify and disable Windows Defender and Kaspersky security software. It can also remove notification hooks and callbacks associated with these defense products, and dynamically resolves Windows API functions.

“Tool overlap—particularly the inclusion of ToneShell—strongly links Mustang Panda to this activity. Additionally, technical overlaps in newly discovered tools align with prior Mustang Panda malware, including techniques such as control flow flattening, mixed boolean arithmetic, and RC4 encryption, which are hallmark features of Mustang Panda’s customized PlugX variant,” Zscaler notes.

Related: Chinese Cyberspy Possibly Launching Ransomware Attacks as Side Job

Related: Cyber Assault on Asian Telecoms Traced to Chinese State Hackers

Related: Chinese Cyberspies Targeting ASEAN Entities

Related: Over 200 Organizations Targeted in Chinese Cyberespionage Campaign



Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
admin
  • Website

Related Posts

O2 Service Vulnerability Exposed User Location

May 20, 2025

Madhu Gottumukkala Officially Announced as CISA Deputy Director

May 20, 2025

BreachRx Lands $15 Million as Investors Bet on Breach-Workflow Software

May 19, 2025

Printer Company Procolored Served Infected Software for Months

May 19, 2025

UK Legal Aid Agency Finds Data Breach Following Cyberattack

May 19, 2025

480,000 Catholic Health Patients Impacted by Serviceaide Data Leak

May 19, 2025
Add A Comment
Leave A Reply Cancel Reply

Don't Miss
Billionaires

Apple Design Guru Jony Ive To Become A Billionaire Thanks To OpenAI

May 23, 2025

Longtime Apple designer Jony Ive holds more than 12,000 patents related to the user interface…

This Puzzling Metaverse Company Just Renamed Itself Napster

May 22, 2025

This Trump Building Appears To Be Deeply Underwater

May 21, 2025

Elon Musk Will Stay Tesla CEO For Next Five Years And Cut Political Spending

May 20, 2025
Our Picks

Foreign universities hope to lure scientists from the US after Trump research cuts

May 25, 2025

Meet Hercules and Ned, the border collies fending off wildlife at West Virginia’s busiest airport

May 25, 2025

Texas is closer to putting the Ten Commandments in classrooms after a key vote

May 24, 2025

An Oregon man who quit his job to set sail with his cat arrives to cheering fans in Hawaii

May 24, 2025

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

About Us
About Us

Welcome to World-Forbes.com
At World-Forbes.com, we bring you the latest insights, trends, and analysis across various industries, empowering our readers with valuable knowledge. Our platform is dedicated to covering a wide range of topics, including sports, small business, business, technology, AI, cybersecurity, and lifestyle.

Our Picks

After Klarna, Zoom’s CEO also uses an AI avatar on quarterly call

May 23, 2025

Anthropic CEO claims AI models hallucinate less than humans

May 22, 2025

Anthropic’s latest flagship AI sure seems to love using the ‘cyclone’ emoji

May 22, 2025

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

Facebook X (Twitter) Instagram Pinterest
  • Home
  • About Us
  • Advertise With Us
  • Contact Us
  • DMCA Policy
  • Privacy Policy
  • Terms & Conditions
© 2025 world-forbes. Designed by world-forbes.

Type above and press Enter to search. Press Esc to cancel.