Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection

Mustang Panda’s already sophisticated cyberespionage campaign has matured even further with the introduction of a brand-new PlugX RAT variant.

The Chinese advanced persistent threat (APT) Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta) has upgraded its espionage campaign against diplomatic missions, research entities and internet service providers (ISPs) – largely in and around Southeast Asia.

For one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool (RAT) called PlugX (aka Korplug), according to researchers from ESET. They named this latest variant “Hodur,” after a blind Norse god known for slaying his thought-to-be-invulnerable half-brother Baldr.

Beyond that, Mustang Panda has developed a complex array of tactics, techniques and procedures (TTPs) to maximize the efficacy of its attacks.

ESET researchers noted, “Every stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation.”

The cyberespionage campaign dates back to at least last August and is still ongoing, according to ESET, and is targeting mainly governments and NGOs. Most victims are located in East and Southeast Asia, but there are outliers in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan).

The attacks begin with social-engineering emails or watering-hole attacks, researchers

Read More: