In recent developments, the cyber espionage group known as Mustang Panda, also referred to as Hive0154, has intensified its focus on the Tibetan community through a series of sophisticated spear-phishing attacks. These campaigns, observed earlier this month, exploit themes pertinent to Tibet, including the 9th World Parliamentarians’ Convention on Tibet (WPCT), China’s education policies in the Tibet Autonomous Region (TAR), and recent publications by the 14th Dalai Lama.
Attack Methodology
The attackers employ meticulously crafted spear-phishing emails that entice recipients into downloading malicious archives. These archives typically contain a benign Microsoft Word document alongside other seemingly legitimate files, such as articles from Tibetan websites and photographs from WPCT events. However, embedded within these archives is an executable file masquerading as a document. When executed, this file initiates a complex infection chain designed to compromise the target’s system.
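One defensive check suggested by the lure archives described above is to inspect every archive entry for an executable hiding behind a document-looking name, rather than trusting the extension the user sees. The following Python script is an added example written for this page, not code from the original article or from any of the vendors it cites; the archive contents (file names and byte headers) are constructed here to mimic the pattern described, and the set of "document" and "executable" extensions is an assumption a deployment would tune.

```python
import io
import os
import zipfile

# Extensions that Windows will execute directly when double-clicked (assumed list)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".lnk"}
# Extensions a lure archive uses for the files the recipient expects to open (assumed list)
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".txt", ".jpg", ".jpeg", ".png"}


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons an archive entry looks like a disguised executable (empty if none)."""
    reasons = []
    parts = os.path.basename(name).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    # 1. Executable extension, possibly appended to a document-style name (Agenda.docx.exe)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension (document name before executable suffix)")

    # 2. PE magic ("MZ") in the first bytes, whatever the extension claims
    if head[:2] == b"MZ":
        reasons.append("PE (MZ) header")
        if ext in DOCUMENT_EXTS:
            reasons.append(f"content is PE but extension claims {ext}")
    return reasons


def scan_archive(data: bytes) -> dict:
    """Map each suspicious entry name in a ZIP archive to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # only the header is needed for the magic-byte check
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive: a benign document, a photo, and two disguised PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A .docx is itself a ZIP container, so it starts with the PK signature
        zf.writestr("WPCT/convention_summary.docx", b"PK\x03\x04" + b"\x00" * 60)
        zf.writestr("WPCT/photos/session1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)
        # Executable with a document name in front of the real extension
        zf.writestr("WPCT/Agenda.docx.exe", b"MZ\x90\x00" + b"\x00" * 60)
        # Executable content behind a plain document extension
        zf.writestr("WPCT/Statement.doc", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample_archive()).items():
        print(entry, "->", "; ".join(why))
```

The magic-byte check matters more than the extension check: a mail gateway that only blocks `.exe` names misses the second constructed case, where the PE content sits behind a `.doc` extension and relies on a file association or a separate launcher to run.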
Infection Chain and Malware Deployment
Upon execution, the deceptive file utilizes a technique known as DLL side-loading to launch a malicious dynamic-link library (DLL) referred to as Claimloader. This component serves as a conduit for deploying PUBLOAD, a downloader malware responsible for establishing communication with a remote command-and-control (C2) server. Once this connection is established, PUBLOAD retrieves and executes a secondary payload known as Pubshell.
Pubshell functions as a lightweight backdoor, providing the attackers with immediate access to the compromised machine via a reverse shell. This access enables the execution of arbitrary commands, facilitating further exploitation and data exfiltration.
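The side-loading step in the chain above has a recognizable telemetry shape: the host executable loads a DLL from its own directory, that directory is a user-writable location rather than a system or program folder, and the DLL carries no valid signature. The following Python detection logic is an added example for this page, not code from the original article or from the vendors it cites; the image-load events are constructed with an assumed schema (`process`, `image`, `image_signed`) standing in for what an EDR or Sysmon-style image-load feed would supply, and the trusted-root list is an assumption to adapt per environment.

```python
import ntpath
from typing import Optional

# Locations where an installed executable and its private DLLs are expected to live (assumed)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def same_directory(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def flag_sideload(event: dict) -> Optional[str]:
    """Return a reason if an image-load event matches the side-loading pattern, else None.

    event keys (constructed schema): process, image, image_signed (bool).
    """
    proc, image = event["process"], event["image"]
    if not image.lower().endswith(".dll"):
        return None
    if is_trusted_path(image):
        return None  # DLL resolved from a system or program location: normal
    if not same_directory(proc, image):
        return None  # side-loading depends on the DLL sitting beside the host executable
    if is_trusted_path(proc):
        return None  # installed application loading its own private DLL: expected
    if event.get("image_signed", False):
        return None  # a validly signed DLL beside its host is far less suspicious
    return (f"unsigned DLL {ntpath.basename(image)} loaded by {ntpath.basename(proc)} "
            f"from untrusted directory {ntpath.dirname(image)}")


def scan_events(events: list) -> list:
    """Return (process, reason) pairs for every event that matches the pattern."""
    hits = []
    for e in events:
        reason = flag_sideload(e)
        if reason:
            hits.append((e["process"], reason))
    return hits


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {   # lure executable from an extracted archive loading an unsigned DLL next to it
        "process": "C:\\Users\\user\\Downloads\\WPCT\\Agenda.docx.exe",
        "image": "C:\\Users\\user\\Downloads\\WPCT\\helper.dll",
        "image_signed": False,
    },
    {   # same process loading a system DLL: normal
        "process": "C:\\Users\\user\\Downloads\\WPCT\\Agenda.docx.exe",
        "image": "C:\\Windows\\System32\\kernel32.dll",
        "image_signed": True,
    },
    {   # installed application loading its own plugin: normal
        "process": "C:\\Program Files\\Editor\\editor.exe",
        "image": "C:\\Program Files\\Editor\\plugin.dll",
        "image_signed": True,
    },
    {   # per-user tool with a signed private DLL: tolerated by this heuristic
        "process": "C:\\Users\\user\\AppData\\Local\\Tool\\tool.exe",
        "image": "C:\\Users\\user\\AppData\\Local\\Tool\\tool.dll",
        "image_signed": True,
    },
]

if __name__ == "__main__":
    for proc, reason in scan_events(SAMPLE_EVENTS):
        print(proc, "->", reason)
```

The signature condition is what keeps this rule from firing on every portable application; a stricter variant would also require that the host executable itself be signed by a vendor unrelated to the DLL, since side-loading typically abuses a trusted host binary.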
Technical Analysis and Nomenclature
It’s important to note the variations in terminology used by different cybersecurity entities when describing these components. IBM X-Force designates the initial stager as Claimloader and the first-stage shellcode downloader as PUBLOAD. In contrast, Trend Micro identifies both the stager and the downloader under the single term PUBLOAD. Similarly, Team T5 tracks these components collectively as NoFive.
Broader Campaigns and Targeting
This campaign against the Tibetan community is part of a broader pattern of activity by Mustang Panda. In recent months, the group has also targeted entities in the United States, the Philippines, Pakistan, and Taiwan. These operations often involve spear-phishing emails containing links to Google Drive URLs, which, when accessed, download malicious ZIP or RAR archives. The payloads in these cases have included TONESHELL in 2024 and PUBLOAD via Claimloader starting this year.
TONESHELL, another tool in Mustang Panda’s arsenal, operates similarly to Pubshell by establishing a reverse shell for command execution on the infected host. Notably, the implementation of the reverse shell in Pubshell closely mirrors that of TONESHELL, with minor differences in command execution and result retrieval mechanisms.
Propagation via Removable Media
In campaigns targeting Taiwan, Mustang Panda has employed a USB worm known as HIUPAN (also referred to as MISTCLOAK or U2DiskWatch). This worm facilitates the spread of Claimloader and PUBLOAD through USB devices, enabling the infection to propagate across air-gapped or otherwise isolated systems.
Implications and Recommendations
The persistent and evolving tactics of Mustang Panda underscore the necessity for heightened vigilance among organizations and individuals within the targeted regions. Implementing robust cybersecurity measures, including comprehensive user education on recognizing phishing attempts, regular system updates, and the deployment of advanced threat detection solutions, is crucial in mitigating the risks posed by such sophisticated adversaries.