Press Center

• This cyberespionage campaign dates back to at least August 2021 and is still ongoing as of March 2022.
• Mustang Panda, the APT group behind this campaign, is targeting mainly governments and NGOs. Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan).
• Known victims include research entities, internet service providers, and European diplomatic missions.
• The compromise chain includes decoy documents that are frequently updated and relate to events in Europe and the war in Ukraine.
• The campaign uses a custom loader to execute Hodur, a new Korplug variant.
• Every stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation, which sets it apart from other campaigns.

BRATISLAVA, MONTREAL —MARCH 23, 2022 — ESET Research discovered a still-ongoing cyberespionage campaign using a previously undocumented Korplug variant by the Mustang Panda APT group. The current campaign exploits the war in Ukraine and other European news topics. Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia. ESET researchers named this new Korplug variant Hodur due to its resemblance to the THOR variant documented in 2020. In Norse mythology, Hodur is Thor’s blind half-brother.

Victims of this campaign are likely lured with phishing documents abusing the latest events in Europe such as Russia’s invasion of Ukraine. This has resulted in more than three million residents fleeing the war to neighboring countries according to the UNHCR, leading to an unprecedented crisis on Ukraine’s borders. One of the filenames related to this campaign is “Situation at the EU borders with Ukraine.exe”.

Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council. The final lure is a real document available on the European Council’s website. This shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.

“Based on code similarities and the many commonalities in Tactics, Techniques, and Procedures, ESET researchers attribute this campaign with high confidence to Mustang Panda, also known as TA416, RedDelta, or PKPLUG. It is a cyberespionage group mainly targeting governmental entities and NGOs,” explains ESET malware researcher Alexandre Côté Cyr who discovered Hodur. Victims of Mustang Panda are mostly, but not exclusively, located in East and Southeast Asia with a focus on Mongolia. The group is also known for its campaign targeting the Vatican in 2020.

While ESET researchers haven’t been able to identify the verticals of all victims, this campaign seems to have the same targeting objectives as other Mustang Panda campaigns. Following the APT’s typical victimology, most victims are located in East and Southeast Asia, along with some in European and African countries. According to ESET telemetry the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in other affected countries, namely Greece, Cyprus, Russia, South Sudan, and South Africa. Identified verticals include diplomatic missions, research entities, and ISPs.

Mustang Panda’s campaigns frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX). The group has also been known to create its own Korplug variants. “Compared to other campaigns using Korplug, every stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation, to make the investigation more difficult for us malware researchers,” concludes Côté Cyr.

For detailed technical analysis, read the blogpost "Mustang Panda’s Hodur: Old tricks, new Korplug variant" on WeLiveSecurity  and follow ESET Research on Twitter for the latest news from ESET Research.

Most victims affected by Mustang Panda in this campaign are in East and Southeast Asia

One of the decoy documents used in this campaign: a real document from the European Council’s website

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.