Security Experts:

Connect with us

Hi, what are you looking for?



China’s Hacking of European Diplomats Aligns With Russia-Ukraine Conflict

In an ongoing campaign aligned with the current war in Ukraine, Chinese cyberespionage group Mustang Panda has been targeting European diplomats with an updated variant of the PlugX backdoor, cybersecurity company Proofpoint reports.

In an ongoing campaign aligned with the current war in Ukraine, Chinese cyberespionage group Mustang Panda has been targeting European diplomats with an updated variant of the PlugX backdoor, cybersecurity company Proofpoint reports.

Also known as RedDelta and TA416, the group was previously observed targeting entities connected to the Vatican – Chinese Communist Party diplomatic relations, as well as telecommunications companies in Asia, Europe, and the United States.

Believed to be operating on behalf of the Chinese government, Mustang Panda has been using ‘web bugs’ to perform reconnaissance operations, which suggests the group “is being more discerning about which targets the group chooses to deliver malware payloads,” Proofpoint says.

The web bug technique involves embedding within the body of the phishing email a hyperlinked non-visible object that attempts to retrieve an image from a remote server, and which confirms to the attackers that the victim is using the targeted email account.

Starting November 2021, Mustang Panda has been employing this method in campaigns targeting European diplomatic entities, with the activity aligned with the escalating tensions between Russia and Ukraine.

[ READ: Hacked Ukrainian Military Emails Used in Attacks on European Governments ]

In attacks ongoing since January 2022, the group has been seen delivering web bugs alongside malware links and targeting European diplomats with phishing emails containing links to malicious Zip files hosted on Dropbox. If opened, the files eventually lead to the execution of PlugX on the victim’s machine.

On February 28, Mustang Panda started using a compromised email address belonging to a diplomat in a European NATO country to target diplomatic offices in another country. The targeted diplomat was associated with refugee and migrant services.

Just as in previous campaigns, DLL search order hijacking is employed for PlugX deployment, but in recent attacks the threat actor switched to using potplayermini.exe to initiate the hijacking operation. Furthermore, the attackers updated their malware’s encoding method and also expanded its configuration capabilities.

The observed changes include various obfuscation and anti-analysis techniques and three new configuration fields, and show that the malware is undergoing additional development, Proofpoint says. The command and control (C&C) communication method was also modified, both in January and February.

“In response to historical disclosures detailing TA416 PlugX malware infection and encoding methods, the group appears to have adopted a rapid rate of development for their PlugX payloads,” Proofpoint notes.

Related: Symantec: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese Threat Actor

Related: 17 Malware Frameworks Target Air-Gapped Systems for Espionage

Related: Chinese Hackers Target Financial Institutions in Taiwan With Custom Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.