Cyber Incident Victim: Russian state officers
Date: Apr 2022
Location: Russia
Summary
Chinese state-backed threat actor Mustang Panda targeted Russian officials through a phishing campaign that used decoy documents mimicking EU sanctions against Belarus and delivered malicious Windows executables disguised as PDFs. The attack used DLL search order hijacking to load PlugX malware: a legitimate, digitally signed executable was abused to side-load a malicious DLL, giving the payload the cover of a trusted signed process. Infrastructure previously linked to the group was reused, and compromised systems fetched additional payloads from servers associated with prior Mustang Panda operations. The choice of targets suggests a potential shift in intelligence-gathering objectives towards Russian personnel in regions near China's border.
Description
In April 2022, cybersecurity researchers identified a phishing campaign targeting Russian state officers, attributed to the China-based threat actor Mustang Panda (also known as HoneyMyte and Bronze President). The campaign employed decoy documents purportedly detailing European Union sanctions against Belarus, distributed as Windows executables disguised as PDF files. These malicious files were named after Blagoveshchensk, a Russian city near the Chinese border, suggesting a focus on Russian personnel in that region. Upon execution, the files retrieved additional components: a decoy EU document, a malicious DLL loader, an encrypted PlugX variant, and a digitally signed executable. The signed executable, a legitimate file from UK-based Global Graphics Software Ltd., was abused through DLL search order hijacking: because Windows resolves a DLL name from the application's own directory before the system directories, the trusted executable loaded the attacker's DLL placed beside it, and that DLL decrypted and executed the PlugX payload. This side-loading technique is consistent with Mustang Panda's historical tactics. The payload was decrypted and run from a newly created directory at 'C:\ProgramData\Fuji Xerox\Fonts\'. Secureworks linked the campaign to Mustang Panda based on infrastructure overlaps, including a staging server previously used in attacks against EU diplomats and the domain zyber-i[.]com.
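The infection chain above leaves three observable traces a defender can hunt for: an executable carrying a document-style name, file writes into the 'C:\ProgramData\Fuji Xerox\Fonts\' staging directory, and a signed process loading an unsigned DLL from its own directory outside the Windows tree. The following is an added example of detection logic for those traces, written for this page rather than taken from Secureworks or the campaign's own tooling. The events are constructed to resemble Sysmon ProcessCreate (ID 1), ImageLoad (ID 7) and FileCreate (ID 11) records but are simplified, in particular the `signed` flag on the loading process is assumed to have been joined in from its ProcessCreate event. File names such as `Blagoveshchensk.pdf.exe`, `host.exe` and `loader.dll` are hypothetical; only the staging directory comes from the page.

```python
import re
from pathlib import PureWindowsPath

# Staging directory reported for this campaign (from the page).
STAGING_DIR = PureWindowsPath(r"C:\ProgramData\Fuji Xerox\Fonts")
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")

DOC_EXT = ("pdf", "doc", "docx", "rtf")
# "report.pdf.exe", "memo.docx.scr" and similar double extensions.
DOUBLE_EXT_RE = re.compile(r"\.(%s)\.(exe|scr|com)$" % "|".join(DOC_EXT), re.I)
# Name that a user would read as a document, with or without a trailing .exe.
DOC_NAME_RE = re.compile(r"\.(%s)(\.exe)?$" % "|".join(DOC_EXT), re.I)


def is_under(path, parent):
    """True when `path` is `parent` or lies beneath it (case-insensitive on Windows paths)."""
    p = PureWindowsPath(path)
    return p == parent or parent in p.parents


def check_disguised_executable(name, data):
    """True when a file presented as a document actually starts with a PE 'MZ' header.

    Catches both the double-extension trick and an icon-spoofed .pdf whose
    content is really a PE image.
    """
    return bool(DOC_NAME_RE.search(name)) and data[:2] == b"MZ"


def scan_events(events):
    """Return (rule, detail) hits for the three traces described in the text."""
    hits = []
    for ev in events:
        if ev["id"] == 1 and DOUBLE_EXT_RE.search(ev["image"]):
            hits.append(("double_extension", ev["image"]))
        elif ev["id"] == 11 and is_under(ev["target"], STAGING_DIR):
            hits.append(("plugx_staging_dir", ev["target"]))
        elif ev["id"] == 7:
            img = PureWindowsPath(ev["image"])
            dll = PureWindowsPath(ev["loaded"])
            # Side-load heuristic: trusted (signed) process pulls an unsigned DLL
            # from its own directory, and that directory is not under C:\Windows.
            same_dir = img.parent == dll.parent
            if same_dir and not is_under(dll, WINDOWS_DIR) \
                    and ev["signed"] and not ev["loaded_signed"]:
                hits.append(("possible_dll_sideload", "%s -> %s" % (img, dll)))
    return hits


# Constructed sample telemetry (not real captures). File names are hypothetical.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\user\Downloads\Blagoveshchensk.pdf.exe"},
    {"id": 11, "image": r"C:\Users\user\Downloads\Blagoveshchensk.pdf.exe",
     "target": r"C:\ProgramData\Fuji Xerox\Fonts\host.exe"},
    {"id": 7, "image": r"C:\ProgramData\Fuji Xerox\Fonts\host.exe",
     "loaded": r"C:\ProgramData\Fuji Xerox\Fonts\loader.dll",
     "signed": True, "loaded_signed": False},
    # Benign: signed app loading a system DLL.
    {"id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll",
     "signed": True, "loaded_signed": True},
    # Benign: signed app loading its own signed plugin from its directory.
    {"id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\plugin.dll",
     "signed": True, "loaded_signed": True},
]


if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(rule, detail)
    print(check_disguised_executable("EU_sanctions.pdf", b"MZ\x90\x00\x03"))
```

The side-load rule deliberately requires all three conditions (same directory, outside the Windows tree, signed loader with unsigned DLL) so that ordinary applications loading their own signed plugins do not fire; in production the signature flags should come from the real Authenticode verification fields rather than a constructed boolean.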

The PlugX sample recovered from this campaign was corrupted, but its code structure indicated DLL side-loading capabilities. Because PlugX is shared across multiple Chinese threat groups, Secureworks based attribution on the infrastructure overlaps rather than on the malware family itself. The threat actor maintained operational consistency by reusing known malware strains, loader tools, and infrastructure across campaigns while updating spear-phishing lures to match current geopolitical themes. The targeting of Russian officials marked a potential shift in intelligence-gathering objectives, contrasting with Mustang Panda's prior focus on European entities, particularly during the Russia-Ukraine conflict. The campaign's narrow scope and region-specific lures underscored the group's preference for highly tailored operations. Secureworks noted that defenders can use the disclosed indicators of compromise, such as the staging directory and domain above, to detect and block this infection chain, though the group's adaptability and stealth remain persistent challenges.
