Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign
Briefly

"These activity clusters overlap with publicly reported campaigns aimed at establishing persistent access. Significant overlap in tactics, techniques, and procedures (TTPs) with known China-aligned campaigns suggests the clusters and threat group have a common target of interest, potentially coordinating their effort."
"The Mustang Panda activity, recorded between June 1 and August 15, 2025, entailed the use of a USB-based malware known as HIUPAN to deliver the PUBLOAD backdoor by means of a rogue DLL codenamed Claimloader."
"Additional analysis of the victim network has uncovered the deployment of COOLCLIENT, another known backdoor attributed to Mustang Panda for more than three years. It supports file download/upload, keystroke recording, packet tunneling, and port map information capture."
Three threat activity clusters linked to China have targeted a government organization in Southeast Asia, deploying multiple malware families. The clusters include Mustang Panda, CL-STA-1048, and CL-STA-1049, which have shown significant overlap in tactics and targets. The Mustang Panda activity utilized USB-based malware HIUPAN to deliver the PUBLOAD backdoor. Additional tools like COOLCLIENT have been used for extensive network access. The campaigns indicate a coordinated effort among the clusters to establish persistent access to their targets.
Read at The Hacker News