Chinese APT groups have escalated cyber espionage efforts against ASEAN nations over the last three months, targeting entities affiliated with the Association of Southeast Asian Nations (ASEAN). Notably, Mustang Panda, also known as Camaro Dragon, Earth Preta, and Stately Taurus, has been implicated in attacks against Myanmar and other Asian countries. Employing variants of the PlugX backdoor, such as DOPLUGS, the threat actors use phishing emails to deliver malware packages tailored to exploit geopolitical events like the ASEAN-Australia Special Summit.
These malicious packages, crafted around March 4-5, 2024, deploy a variety of tactics to infiltrate target systems. One package masquerades as a ZIP file containing an executable file named “Talking_Points_for_China.exe,” which executes a DLL file and installs the PUBLOAD malware associated with Mustang Panda. Another package presents itself as a screensaver executable (“Note PSO.scr”) that fetches additional malicious code from a remote IP address, including a benign program renamed as “WindowsUpdate.exe” and a rogue DLL.
The attackers utilize DLL side-loading, leveraging legitimate software vulnerabilities to camouflage their activities. Moreover, Unit 42 researchers detect network traffic between ASEAN-affiliated entities and the command-and-control infrastructure of a separate Chinese APT group. This indicates a broader breach of victim environments, echoing similar attacks observed targeting Cambodia. These campaigns underscore the persistent threat of cyber espionage in the region, driven by nation-state actors seeking geopolitical intelligence.
