Mustang Panda hacking group takes advantage of Ukraine crisis in new attacks

Researchers have exposed a Mustang Panda campaign that is taking advantage of the Russia-Ukraine conflict to spread new malware.

On March 23, researchers from ESET said that Mustang Panda, a Chinese cyberespionage group also tracked as TA416, RedDelta, and Bronze President, has been spreading a new Korplug/PlugX Remote Access Trojan (RAT) variant. 

Korplug is a RAT previously used in attacks against the Afghanistan and Tajikistan militaries, targets across Asia, and high-value organizations in Russia. Researchers say that variants of the Trojan have been used by Chinese threat actors since at least 2012. 

The new variant, however, has remained under the radar until now. 

ESET has named the new sample Hodur. The new version has some similarities to Thor, a variant of the malware that Palo Alto Networks detected in 2021 and that was deployed during the Microsoft Exchange Server debacle.

Hodur is being spread through a phishing campaign leveraging topics of interest in Europe, including Russia’s current invasion of Ukraine. The attack wave is still ongoing but has taken different forms since August 2021 depending on current events. 

By adapting its phishing methods to include current hot topics, conflicts, and news items, Mustang Panda has successfully infiltrated research organizations, internet service providers (ISPs), and systems belonging to
