Chinese cyberespionage group Mustang Panda has been targeting European diplomats with an updated variant of the PlugX backdoor, cybersecurity company Proofpoint reports.
Also known as RedDelta and TA416, the group was previously observed targeting entities connected to the Vatican – Chinese Communist Party diplomatic relations, as well as telecommunications companies in Asia, Europe, and the United States.
Believed to be operating on behalf of the Chinese government, Mustang Panda has been using ‘web bugs’ for reconnaissance, which suggests the group is becoming more discerning about which targets receive malware payloads.
The web bug technique embeds in the body of the phishing email a non-visible object, typically a tiny or hidden image, that attempts to retrieve content from a remote server when the message is opened; the resulting request confirms to the attackers that the targeted email account is active and in use by the victim.
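As an added illustration of the detection side of this technique (this is example code written for this page, not a Proofpoint tool or an artifact from the campaign), the following script scans an HTML email body for remote images that look like tracking beacons. The heuristics (tiny dimensions, CSS hiding, an opaque per-recipient token in the URL) are common analyst rules of thumb, and the sample message and hostnames are constructed.

```python
"""Flag likely web bugs (tracking pixels) in an HTML email body.

Added example, not from the Proofpoint report. The heuristics below are
general analyst rules of thumb, not a description of any specific campaign:
an <img> that loads from a remote host, is tiny or hidden, and carries a
long opaque token in its URL is probably there to confirm the message was
opened by the targeted account.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a benign logo plus a hidden 1x1 remote image whose
# URL embeds a per-recipient token. Hostnames are placeholders.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear colleague, please find the agenda attached.</p>
<img src="https://example-cdn.test/logo.png" width="120" height="40">
<img src="https://example-track.test/open.gif?id=9f2c1b7a4e8d6c3b0a1f"
     width="1" height="1" style="display:none">
</body></html>
"""

# Long hex strings or long URL-safe strings are treated as opaque tokens.
TOKEN_RE = re.compile(r"[0-9a-f]{16,}|[A-Za-z0-9_-]{20,}")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attribute values may be None for bare attributes
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True when width and height are both 1 or 2 pixels."""
    try:
        w = int(attrs.get("width", "0") or 0)
        h = int(attrs.get("height", "0") or 0)
    except ValueError:  # e.g. "120px" or "100%"
        return False
    return 0 < w <= 2 and 0 < h <= 2


def _is_hidden(attrs):
    """True when inline CSS hides the element from the reader."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(m in style for m in ("display:none", "visibility:hidden", "opacity:0"))


def _has_token(src):
    """True when the URL path or any query value carries an opaque token."""
    parsed = urlparse(src)
    candidates = [parsed.path]
    for values in parse_qs(parsed.query).values():
        candidates.extend(values)
    return any(TOKEN_RE.search(c) for c in candidates)


def find_web_bugs(html):
    """Return remote <img> elements that look like beacons, with the reasons."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline data: or cid: images cannot phone home
        reasons = []
        if _is_tiny(attrs):
            reasons.append("1x1 or near-invisible size")
        if _is_hidden(attrs):
            reasons.append("hidden via CSS")
        if _has_token(src):
            reasons.append("opaque token in URL")
        if reasons:
            findings.append({"host": urlparse(src).hostname, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_EMAIL_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

In a mail gateway the same check would run over each inbound message, with the flagged hostnames fed into a blocklist or a sandbox that fetches the image from a clean IP so the attacker learns nothing about the real recipient. Blocking remote image loading in the mail client by default removes the signal entirely.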
Starting in November 2021, Mustang Panda has been employing this method in campaigns against European diplomatic entities, activity that aligns with the escalating tensions between Russia and Ukraine.
In attacks ongoing since January 2022, the group has been seen pairing web bugs with malware links, sending European diplomats phishing emails that link to malicious Zip files hosted on Dropbox. If opened, the archives eventually lead to the execution of PlugX on the victim’s machine.
On February 28, Mustang Panda started using a compromised email address belonging to a diplomat in a European NATO country to target diplomatic offices in another country. The targeted diplomat was associated with refugee and migrant services.