Russian state officers

Primary URL: Undetermined
Location: Russia
Industry: Government - National
Profile

The organisation is known by the alias "Russian state officers". Its headquarters is located in Russia. It comprises officials who perform governmental functions on behalf of the Russian state.

On 27 April 2022, a Chinese state‑backed threat actor identified as Mustang Panda conducted a phishing campaign targeting members of this organisation. The campaign used decoy documents that mimicked European Union sanctions against Belarus to lure recipients. Those decoy files were presented as PDFs but actually contained malicious executables. The phishing emails were designed to appear legitimate by referencing the EU sanctions topic. The attack relied on social engineering to induce targets to open the malicious files.

The malicious executables employed DLL search order hijacking as a technique to load and execute the PlugX malware. PlugX is a remote access tool that has been linked to previous Mustang Panda operations. The attackers leveraged infrastructure that had been used in earlier Mustang Panda campaigns. This reuse of infrastructure suggested a possible shift in the group's intelligence‑gathering focus toward personnel situated near China's border. The PlugX payload included a digitally signed vulnerable file to help evade detection during execution. Once executed, the malware contacted command‑and‑control servers associated with prior Mustang Panda activity to retrieve additional payloads. The incident was reported by BleepingComputer, with the source available at https://www.bleepingcomputer.com/news/security/chinese-state-backed-hackers-now-target-russian-state-officers/.

Incidents
1 incident