Connect with us

Hi, what are you looking for?



Chinese Threat Actor ‘Mustang Panda’ Updates Tools in Attacks on Vatican

A Chinese threat actor tracked as Mustang Panda was observed using an updated arsenal of tools in recent attacks, Proofpoint’s security researchers revealed on Monday.

A Chinese threat actor tracked as Mustang Panda was observed using an updated arsenal of tools in recent attacks, Proofpoint’s security researchers revealed on Monday.

Also referred to as TA416 and RedDelta, the threat group is known for the targeting of entities connected to the diplomatic relations between the Vatican and the Chinese Communist Party, along with entities in Myanmar, and the new campaign appears to be a continuation of that activity.

Some of the observed toolset updates, Proofpoint says, include the use of a new Golang variant of the PlugX malware loader, in addition to the constant use of PlugX. While attribution remains fairly simple, automatic detection is more difficult.

“This may represent efforts by the group to continue their pursuit of espionage objectives while maintaining an embattled toolset and staying out of the daily Twitter conversation popular amongst threat researchers,” Proofpoint notes.

Phishing lures used in recent attacks show a focus on the relations between the Vatican and the Chinese Communist Party, as well as spoofed emails imitating journalists from the Union of Catholic Asia News.

As part of the attacks, the hackers used RAR archives that serve as PlugX malware droppers, yet the delivery vector for these archives hasn’t been identified yet. However, the group is known to abuse Google Drive and Dropbox URLs within phishing emails.

The RAR archives used in this campaign include, among others, the encrypted PlugX payload, a legitimate Adobe executable for side loading, and a Golang binary to decrypt and load the payload.

Advertisement. Scroll to continue reading.

According to Proofpoint, this is the first time the adversary has used a Golang binary in their attacks. The file has a compilation date of June 24, 2020, but the variant appears to have been used only since August 24.

Although it features a new file type, the PlugX loader hasn’t changed its functionality: it will execute PlugX and also ensure its persistence. The malware variant used in these attacks remains consistent when compared to previously observed versions, as does the command and control (C&C) communication in these PlugX samples.

The C&C IP, Proofpoint says, was hosted by the Chinese Internet Service Provider Anchnet Asia Limited and was in use as a C&C at least between August 24 and September 28, 2020. Since the IP is no longer in use, the threat actor is believed to have worked on overhauling its infrastructure.

“Continued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so that they can remain effective in carrying out espionage campaigns against global targets. The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools and it demonstrates adaptation in response to publications regarding their campaigns,” Proofpoint concludes.

Related: Chinese APT Uses DLL Side-Loading in Attacks on Myanmar

Related: More Details Emerge on Operations, Members of Chinese Group APT41

Related: State-Backed Players Join Pandemic Cyber Crime Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.