Mustang Panda, also tracked as HoneyMyte, Bronze President, RedDelta and TA416, is a group whose activity is primarily cyber espionage.
What is known
- The group has been active since at least July 2018. Most of its attacks target countries in Southeast Asia, but it has also gone after targets in Europe and the United States.
- Secureworks reports that Mustang Panda is currently behaving unusually: the attackers targeted Russian troops and officials working near the Chinese border.
- The phishing lures use the subject of the "special ops" in Ukraine.
- The malicious "documents" are .exe files disguised as PDF documents, with a Russian-language file name, "Blagoveshchensk – Blagoveshchensk Border Detachment" (the file extension is not the file's real type; only the content tells you that).
- Despite the Russian file name, the decoy is written in English and disguised as published EU data on sanctions against Belarus.
- Why English was used is unclear; the attackers' reasoning is unknown.
The researchers say that when the file is opened it drops several additional files: the decoy document itself, a malicious DLL loader, an encrypted copy of the PlugX remote access Trojan (also known as Korplug), and another .exe file.
PlugX is a long-standing remote access Trojan for Windows. It lets the operator execute commands on infected systems, steal files, install further backdoors and carry out other malicious tasks.
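The lure described above rests on one trick: an executable presented as a PDF by its file name. The following triage script is an added example written for this page, not code from Secureworks or the original article. It identifies a file's real type from its magic bytes (a Windows executable starts with an "MZ" DOS header whose e_lfanew field points to the "PE\0\0" signature; a PDF starts with "%PDF-") and compares that with what the file name suggests, catching a plain rename (sanctions.pdf that is really a PE file), the double extension that Windows Explorer hides by default (report.pdf.exe shown as report.pdf), and the right-to-left override character that reverses the displayed tail of a name. It goes slightly beyond the page by checking a few other document extensions besides .pdf. All file names and header bytes are constructed samples, and scan_directory is a hypothetical helper for running the same check over a real folder.

```python
import os
import struct

RTLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE, used to disguise extensions
EXEC_EXTS = {"exe", "scr", "com", "pif", "cpl"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}  # assumption: types worth impersonating


def sniff_kind(header: bytes) -> str:
    """Identify content by magic bytes rather than by file name."""
    if header.startswith(b"%PDF-"):
        return "pdf"
    if header[:2] == b"MZ":
        # A genuine PE: the DOS header's e_lfanew (offset 0x3C) points at "PE\0\0".
        if len(header) >= 0x40:
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            if header[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # MZ stub without a reachable PE signature
    return "unknown"


def rendered_name(name: str) -> str:
    """Approximate how a file manager displays the name: text after a
    right-to-left override is drawn reversed (exact for an ASCII tail)."""
    i = name.find(RTLO)
    if i == -1:
        return name
    return name[:i] + name[i + 1:][::-1]


def classify(name: str, header: bytes) -> dict:
    """Compare what the name suggests with what the bytes say."""
    true_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    shown = rendered_name(name)
    # Document extensions a glance at the displayed name suggests, e.g.
    # "report.pdf.exe" is shown as "report.pdf" once Explorer hides ".exe".
    claimed = {p for p in shown.lower().split(".")[1:] if p in DOC_EXTS}
    content = sniff_kind(header)

    reasons = []
    if RTLO in name:
        reasons.append("right-to-left override in file name")
    if true_ext in EXEC_EXTS and claimed:
        reasons.append(f"real extension .{true_ext} hidden behind a document extension")
    if content in ("pe", "mz") and claimed:
        reasons.append("content is a Windows executable, not " + "/".join(sorted(claimed)))
    return {"name": name, "displayed_as": shown, "content": content,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_directory(path: str, head: int = 0x400) -> list:
    """Hypothetical helper: run classify() over every regular file in a folder."""
    findings = []
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as f:
                findings.append(classify(entry.name, f.read(head)))
    return findings


def fake_pe_header() -> bytes:
    """Constructed minimal PE header: DOS stub whose e_lfanew -> 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ") + bytearray(0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x40


# Constructed samples standing in for a dropped lure folder (names are invented).
SAMPLES = {
    "border_detachment.pdf.exe": fake_pe_header(),   # double extension
    "sanctions_list.pdf": fake_pe_header(),          # executable renamed to .pdf
    "notice\u202efdp.exe": fake_pe_header(),         # RTLO: displayed as "noticeexe.pdf"
    "real_document.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "setup.exe": fake_pe_header(),                   # honest executable, no claim made
}


def scan_samples() -> list:
    return [classify(n, h) for n, h in SAMPLES.items()]


if __name__ == "__main__":
    for r in scan_samples():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        detail = "; ".join(r["reasons"]) or r["content"]
        print(f"{flag:10} {r['name']!r} shown as {r['displayed_as']!r}: {detail}")
```

The point of checking e_lfanew rather than just "MZ" is to avoid flagging arbitrary data that happens to start with those two bytes; the point of the rendered_name step is that the extension you see in a file listing is not the extension the operating system uses to decide what to execute. A file that passes this check can still be malicious (a real PDF can carry an exploit), so treat it as triage, not as a verdict.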
Source: 24 Tv
John Wilkes is a seasoned journalist and author at Div Bracket. He specializes in covering trending news across a wide range of topics, from politics to entertainment and everything in between.