

Ethical Hacking News

The Rise of Mustang Panda: Uncovering China's Sophisticated Cyber Espionage Campaigns




A new wave of attacks linked to the Mustang Panda threat actor has been uncovered, targeting the Tibetan community with spear-phishing emails designed to deploy malware that could provide unauthorized access to sensitive information. The attackers have used sophisticated techniques, including Tibet-themed lures and USB worm-like malware, to evade detection and spread malicious payloads across compromised machines.

  • The Mustang Panda group is believed to be linked to the Chinese government and has been involved in several high-profile attacks.
  • The latest attack used spear-phishing emails targeting individuals and organizations in the Tibetan community to deploy malware.
  • The next-stage payload, known as Pubshell, is a lightweight backdoor that gives the attackers a reverse shell on the compromised machine, through which sensitive data could be exfiltrated.
  • The threat actor group, also known as Hive0154, has been tracked since 2022 and continues to refine its large malware arsenal.
  • The use of USB worm-like malware called HIUPAN to distribute Claimloader and PUBLOAD through USB devices is a sophisticated technique used by the attackers.



    The threat landscape continues to evolve rapidly, with new cyber espionage campaigns uncovered by security researchers on a regular basis. In recent months, several high-profile attacks have been attributed to a group known as Mustang Panda, which is believed to be linked to the Chinese government. The latest attack leveraged spear-phishing emails targeting individuals and organizations in the Tibetan community, with the goal of deploying malware that could provide unauthorized access to sensitive information.

    According to IBM X-Force, the cybersecurity division of the technology company, the campaign used Tibet-themed lures to distribute malicious archives containing benign Microsoft Word files, articles reproduced from Tibetan websites, and photos from events such as the 9th World Parliamentarians' Convention on Tibet (WPCT). Bundled alongside this genuine content were executables disguised as legitimate documents, making them difficult for recipients to distinguish from the real files.
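The lure archives described above mix genuine documents with executables dressed up as documents. The script below is an added example, not code from IBM X-Force or from the article, showing a simple triage check a responder could run over such an archive: it reads every entry, and flags files whose bytes carry the PE "MZ" header despite a document-style extension, files with a document-then-executable double extension, and filenames containing a right-to-left override character. The archive it inspects is constructed in memory for the demonstration; the file names and contents are invented and are not the real campaign's artifacts.

```python
"""Triage a zip archive for executables masquerading as documents.

Added example (not code from IBM X-Force or the article). Assumes the
archive is a zip; the sample archive and its entries are constructed.
"""
import io
import zipfile

# Extensions a recipient would expect in a lure archive of "documents".
DOC_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".txt", ".rtf"}
# Extensions Windows will execute directly.
EXE_EXTS = {".exe", ".scr", ".com", ".dll", ".pif"}
# RIGHT-TO-LEFT OVERRIDE: makes "abc\u202efdp.exe" display as "abcexe.pdf".
RLO = "\u202e"


def _is_pe(data: bytes) -> bool:
    """Windows PE files start with the DOS stub magic 'MZ'."""
    return data[:2] == b"MZ"


def _extensions(name: str) -> list:
    """All extensions of the base name, lower-cased, e.g. ['.docx', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_entry(name: str, data: bytes) -> list:
    """Return the reasons (possibly none) an entry looks like a disguised executable."""
    reasons = []
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if _is_pe(data):
        if last in EXE_EXTS:
            reasons.append("PE executable")
        else:
            # Executable bytes behind a document extension: the name lies.
            reasons.append("PE header but non-executable extension")
    if len(exts) >= 2 and exts[-1] in EXE_EXTS and exts[-2] in DOC_EXTS:
        reasons.append("double extension (document then executable)")
    if RLO in name:
        reasons.append("right-to-left override in filename")
    return reasons


def triage_archive(zip_bytes: bytes) -> dict:
    """Map each suspicious entry name to its list of reasons; clean entries are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            # Only the first bytes are needed for the magic check.
            data = z.open(info).read(64)
            reasons = classify_entry(info.filename, data)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: benign-looking content plus three disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Constructed JPEG-like and docx-like (docx is itself a zip, hence 'PK') headers.
        z.writestr("WPCT_photos/photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        z.writestr("article.docx", b"PK\x03\x04" + b"\x00" * 16)
        # Double extension: shows as a .docx when Explorer hides known extensions.
        z.writestr("Convention_Agenda.docx.exe", b"MZ" + b"\x90" * 62)
        # RLO trick: displays as "Statementexe.pdf" but is a .exe.
        z.writestr("Statement" + RLO + "fdp.exe", b"MZ" + b"\x90" * 62)
        # PE bytes under a plain document name.
        z.writestr("report.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_archive(build_sample_archive()).items():
        print(repr(name), "->", "; ".join(reasons))
```

The magic-byte check is the one that matters most: extension-based checks are defeated by renaming, but a Windows loader still needs the "MZ" header to run the file, so a document-named entry that starts with those bytes is not a document.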

    The malware deployment chain involved several stages. Once the executable was opened, it launched a malicious DLL called Claimloader, a custom stager first documented by Cisco Talos in May 2022. Claimloader then used PUBLOAD, its shellcode downloader, to fetch a next-stage payload dubbed Pubshell. The researchers at IBM X-Force noted that Pubshell is a lighter-weight relative of the previously observed TONESHELL malware.

    Pubshell is described as a "light-weight backdoor facilitating immediate access to the machine via a reverse shell," according to Golo Mühr and Joshua Chung, the security researchers who analyzed the threat actor's tactics. That reverse shell connects back to an attacker-controlled server and gives the operators interactive access to the compromised machine, through which sensitive data could be exfiltrated.

    It is worth noting that IBM has given the name Claimloader to the custom stager first documented by Cisco Talos in May 2022 and PUBLOAD to the first-stage shellcode downloader. In contrast, Trend Micro identifies both the stager and the downloader as PUBLOAD. Team T5, similarly, tracks the two components collectively as NoFive.

    Furthermore, it has been observed that attackers have utilized USB worm-like malware called HIUPAN (aka MISTCLOAK or U2DiskWatch) to distribute Claimloader and PUBLOAD through USB devices in attacks targeting Taiwan. This is indicative of a sophisticated threat actor group that continually develops new techniques to evade detection.

    "China-aligned groups like Hive0154 will continue to refine their large malware arsenal and retain a focus on East Asia-based organizations in the private and public sectors," the researchers said, highlighting the ongoing sophistication of this particular cyber espionage campaign.

    In recent months, several other high-profile attacks have been linked to the Mustang Panda threat actor. Notably, this is the latest in a long line of campaigns attributed to Hive0154, which has been tracked by cybersecurity experts since 2022.

    "Hive0154 remains a highly capable threat actor with multiple active sub-clusters and frequent development cycles," the researchers said. "Their wide array of tooling, frequent development cycles, and USB worm-based malware distribution highlights them as a sophisticated threat actor."

    The attackers' use of spear-phishing emails to deliver malicious payloads is indicative of a carefully planned campaign designed to target specific groups or organizations.

    "In several ways, Pubload and Pubshell appear to be an independently developed 'lite version' of TONESHELL, with less sophistication and clear code overlaps," the researchers added.

    The attacks targeting Taiwan have been characterized by the use of the USB worm HIUPAN (aka MISTCLOAK or U2DiskWatch), which is leveraged to spread Claimloader and PUBLOAD via USB devices. The development comes weeks after IBM detailed activity it attributed to a Hive0154 sub-cluster targeting the United States, the Philippines, Pakistan, and Taiwan from late 2024 to early 2025.

    These campaigns demonstrate the ongoing threat posed by sophisticated cyber espionage actors like Mustang Panda, highlighting the need for organizations to maintain robust security controls and implement effective threat detection strategies.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-Mustang-Panda-Uncovering-Chinas-Sophisticated-Cyber-Espionage-Campaigns-ehn.shtml

  • https://thehackernews.com/2025/06/pubload-and-pubshell-malware-used-in.html


  • Published: Fri Jun 27 09:45:36 2025 by llama3.2 3B Q4_K_M












