Connect with us

Hi, what are you looking for?



Over 200 Organizations Targeted in Chinese Cyberespionage Campaign

Chinese cyberespionage group Mustang Panda was seen targeting maritime, shipping, border control, and immigration organizations in recent attacks.

Chinese cyberespionage group Mustang Panda has been targeting entities related to maritime, shipping, border, and immigration as part of a recent campaign, cybersecurity firm Trend Micro reports.

Also known as Earth Preta, RedDelta, and TA416, Mustang Panda is believed to be operating on behalf of the Chinese government, and was previously seen targeting European diplomatic entities and various telecommunications companies.

Trend Micro’s analysis of several attacks observed in 2022 has revealed that the advanced persistent threat (APT) actor coordinates several subgroups in a collaborative effort to gather sensitive information from the targeted entities, and a shift in targeting towards the end of last year.

“Earth Preta has a centralized development unit that produces the implants and tools, and disseminates them to other operational groups responsible for penetration and implantation. This is evident in the Earth Preta group as it appears that multiple sub-operational groups use the same toolset with different techniques,” Trend Micro notes.

Each of the operational groups, the cybersecurity firm discovered, uses its own intrusion and privilege escalation methods, but coordination and planning appear to be lacking at the management level, as the groups might sometimes target the same entity, pursuing similar objectives.

Overall, Trend Micro identified more than 200 Mustang Panda victims, spanning across transportation, government, manufacturing, fabrication, construction, education, finance, food production, border and immigration control, and energy sectors, as well as humanitarian groups.

More than half of victims were spotted in Asia, followed by Africa, Europe and the Middle East. 

Advertisement. Scroll to continue reading.

The observed targeting overlaps led to the identification of multiple sub-groups, including Groups 724, 1358, and 5171, each typically operating in different sectors and geographies.

Group 724 uses customized USB storage devices for initial access and relies on sideloading with Adobe CEF Helper for persistence.

Group 1358, which relies on Avast’s WSC DLL for sideloading and WMI for code execution, uses the PlugX remote access tool (RAT) for data exfiltration, typically via USB drives.

Group 5171 also uses DLL sideloading with Adobe CEF Helper and employs USB-based data exfiltration. What separates it from the other groups is the infection of laptops with malicious code when traveling as part of a routine work travel, which then leads to more elaborate exploitation and lateral movement.  

“Earth Preta’s cyberespionage operations have a broad reach and have the capacity to target high value targets. The shift in collection priorities toward intelligence regarding specific areas also indicates that Earth Preta is targeting critical infrastructure and key institutions that can affect national and international relations, economies, and securities,” Trend Micro concludes.

Related: EU Organizations Warned of Chinese APT Attacks

Related: Google Suspends Chinese Shopping App Amid Security Concerns

Related: Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


ENISA and CERT-EU warn of Chinese threat actors targeting businesses and government organizations in the European Union.