Mustang Panda Feeds Worm-Driven USB Attack Strategy

Published: 23/11/2024   Category: security


A fresh wave of attacks on APAC government entities involves both self-propagating malware spreading via removable drives and a spear-phishing campaign.



One of China's most prolific and well-known state-sponsored threat actors is back on the scene with new self-propagating malware that spreads through USB drives (along with other tools), to extend its cyber-espionage goals of system control and data exfiltration.

Mustang Panda also is using spear-phishing to spread multistage downloaders that deliver malware in its recent targeting of various government entities in the Asia-Pacific (APAC) region, Trend Micro researchers revealed in a blog post on Sept. 9.

Using malware-loaded USB drives is a strategy that experienced a revival during and in the wake of the COVID-19 pandemic, and Mustang Panda (aka Camaro Dragon, Bronze President, Luminous Moth, Red Delta, Stately Taurus, and, for Trend Micro, Earth Preta) is known for using it as a primary infection vector. The advanced persistent threat (APT) is mainly in the business of cyber espionage and has been known to collaborate with other Chinese actors on coordinated attacks. In fact, Trend Micro has recently reported a spate of fresh activity from Chinese threat actors in general, which may or may not be related.
This time around, Mustang Panda is using the vector to deliver malware called PUBLOAD via a self-propagating variant of the worm HIUPAN, as well as other tools such as FDMTP and PTSOCKET to control systems and exfiltrate data. A concurrent spear-phishing campaign by the threat actor also is targeting the same victim demographic, using malicious attachments to distribute backdoors and other malware.
Specific targets in the campaigns include people in various government organizations: military, police departments, foreign affairs and welfare agencies, executive branches, and public education. Victims are often hit by a fast-paced approach that infiltrates their system and steals data before they have a clue as to what's happening, according to Trend Micro.
Earth Preta’s attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region, Trend Micro researchers Lenart Bermejo, Sunny Lu, and Ted Lee wrote in the post.
The new campaigns observed by Trend Micro have two distinct vectors for initial entry that show evolution in the group's typical tactics. The first is the deployment of the HIUPAN worm via USB drives to propagate PUBLOAD, which acts as a stager that can download the next-stage payload from a command-and-control (C2) server.
In previous campaigns, Mustang Panda used spear-phishing emails to deliver PUBLOAD, making the use of a self-propagating worm a novel tactic for the group. The ultimate goal of the USB campaign is to deliver end-stage malware to achieve control on a targeted environment for persistent data exfiltration.
This HIUPAN variant has differences with the previously documented variant, which was used to propagate ACNSHELL, although its main utility within the attack chain stays the same, the researchers noted in the post.
The version of PUBLOAD used in the new campaigns is similar to ones previously delivered through spear-phishing and documented by Trend Micro. In this case, Mustang Panda is using PUBLOAD to introduce supplemental tools into the target's environment, such as FDMTP, which serves as a secondary control tool, and PTSOCKET, which is used as an alternative exfiltration option.
Separately, a fast-paced spear-phishing campaign that researchers observed in June is delivering a chain of malware that ultimately delivers a backdoor called CBROVER, which supports file download and remote shell execution, the researchers said.
Along the way, malicious .url attachments download and execute other malware, including DOWNBAIT, a first-stage downloader that fetches a decoy document and a shellcode component, and PULLBAIT, straightforward shellcode that downloads and executes CBROVER. Trend Micro also has found evidence of Mustang Panda exploiting Microsoft's cloud services for data exfiltration.
The spear-phishing campaign uses decoy documents related to foreign affairs to lure victims into continuing the attack chain. Countries likely targeted in the attacks include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, the researchers said.
The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16[.]162[.]188[.]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, focusing on specific countries and industries within APAC region, they wrote.
The researchers included a list of indicators of compromise (IoCs) for the attacks in the post and advise continuous vigilance and updated defensive measures in the face of increasingly more sophisticated tactics by Mustang Panda and its cohorts. Earth Preta has remained highly active in APAC, they wrote, and will likely remain active in the foreseeable future.