Cyber Incident Victim: Mustang Panda
Date:
Apr 2022
Location:
Russia
Summary
Mustang Panda, a China-linked threat actor, ran a phishing campaign against Russian state officials using malicious executables disguised as PDF documents describing EU sanctions against Belarus; the files were named after Blagoveshchensk, a Russian city on the Chinese border. Each executable dropped a decoy document together with a legitimately signed Global Graphics Software Ltd binary, which was abused through DLL search order hijacking to side-load a malicious DLL that in turn decrypted and launched PlugX. The command-and-control infrastructure overlapped with the group's earlier operations against European diplomats. The campaign shows the actor's continued reliance on tailored spear-phishing lures and side-loading through trusted signed binaries, and a possible shift in collection priorities, while retaining tools and infrastructure from past activity.
Description
In April 2022, cybersecurity researchers identified a phishing campaign targeting Russian state officials, attributed to the China-based threat actor Mustang Panda (also known as HoneyMyte or Bronze President). The campaign employed malicious executables disguised as PDF documents and named after the Russian city of Blagoveshchensk near the Chinese border, suggesting a focus on Russian personnel in that region. The phishing lures were English-language documents purportedly detailing European Union sanctions against Belarus. Upon execution, each .exe deployed a multi-stage payload chain: a decoy EU document, a malicious DLL loader, an encrypted PlugX variant, and a digitally signed executable. The signed executable, a legitimate file from UK-based Global Graphics Software Ltd., was abused via DLL search order hijacking: because Windows resolves a DLL that is not a KnownDLL from the application's own directory before the system directories, a DLL named DocConvDll.dll placed beside the signed binary is loaded in place of the vendor's library, and the trusted signature on the host process helps the load pass unnoticed. The malicious DocConvDll.dll then decrypted and executed FontLog.dat, which contained the PlugX payload. To establish persistence, the malware staged the side-loading components in a newly created directory, 'C:\ProgramData\Fuji Xerox\Fonts\', a vendor-looking path under ProgramData that does not require administrative rights to write to. The campaign reused infrastructure from previous Mustang Panda operations, including the domain zyber-i[.]com, which had supported earlier attacks targeting EU diplomats.

Secureworks linked this activity to Mustang Panda based on infrastructure overlaps with historically attributed campaigns; because PlugX is used by many China-based groups, the malware family alone would not have supported the attribution. The threat actor kept its operations consistent by recycling malware strains, loader tools, and infrastructure while refining spear-phishing lures for highly targeted intelligence collection. The narrow geographic focus on Blagoveshchensk suggested a shift in intelligence priorities toward Sino-Russian border dynamics. Although the analyzed PlugX sample was corrupted, its intended functionality aligned with Mustang Panda's typical tradecraft. The group's tradecraft favoured stealth through abuse of legitimately signed binaries rather than through new infrastructure, which it reused from earlier campaigns. Defensive measures centred on applying the published indicators of compromise, such as the zyber-i[.]com domain and the side-loading path, to block the email and network infection vectors, which the researchers assessed would stop most attempts that reuse those indicators; lures and file names are cheap to change, so the DLL side-loading pattern itself is the more durable detection point. The incident illustrates ongoing state-aligned cyber espionage that adapts lures to geopolitical events while retaining core technical capabilities.
