In a significant enhancement of its cyber capabilities, the Chinese state-sponsored hacking group known as Mustang Panda has reportedly developed or upgraded several malware tools. The move signals a strategic refresh of the group's arsenal and alerts cybersecurity defenders to potential threats. Mustang Panda, also tracked as Bronze President or TA416, has a history of conducting espionage against military and governmental organizations, NGOs, and corporations across East and Southeast Asia and beyond.
Recently, the group targeted an organization in Myanmar, and while investigating that intrusion researchers from Zscaler discovered four previously unknown attack tools that the group has incorporated into its operations. These include new keyloggers and other utilities designed to support its malicious activities. Notably, the group's well-known backdoor, ToneShell, has also been upgraded with improved functionality.
Mustang Panda's approach to malware delivery continues to evolve. While the group has historically employed its own tactics and techniques, its latest operations rely on a method common among Chinese threat actors: sideloading Dynamic Link Libraries (DLLs). The group has gone a step further, however, by developing a new suite of proprietary malware tools, including the keyloggers PAKLOG and CorKLOG. These tools capture sensitive data but have no automated command-and-control capability, which suggests that the operators retrieve the captured information manually.
To facilitate lateral movement after an initial compromise, Mustang Panda has introduced new tools such as StarProxy, which lets a compromised system be used to reach and infect other machines within the same network. Additionally, the group employs a driver known as SplatCloak to disable security software such as Windows Defender and Kaspersky, helping its activity evade detection. Taken together, these developments indicate a calculated effort by Mustang Panda to improve its operational security and extend the effectiveness of its attacks.