Ptechhub
PUBLOAD and Pubshell Malware Used in Mustang Panda’s Tibet-Specific Attack

The Hacker News
June 27, 2025


Jun 27, 2025Ravie LakshmananVulnerability / Cyber Espionage

A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community.

The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians’ Convention on Tibet (WPCT), China’s education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, according to IBM X-Force.

IBM's cybersecurity division said it observed the campaign earlier this month, with the attacks leading to the deployment of a known Mustang Panda malware called PUBLOAD. It tracks the threat actor under the name Hive0154.

The attack chains employ Tibet-themed lures to distribute a malicious archive that bundles a benign Microsoft Word file, articles reproduced from Tibetan websites, and photos from the WPCT, in order to trick the recipient into opening an executable that is disguised as a document.


The executable, as observed in prior Mustang Panda attacks, leverages DLL side-loading to launch a malicious DLL dubbed Claimloader, which is then used to deploy PUBLOAD, a downloader responsible for contacting a remote server and fetching a next-stage payload dubbed Pubshell.
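The side-loading step is the part of this chain a defender can see on the endpoint: a legitimate-looking executable runs from a user-writable folder and loads a DLL that sits next to it instead of under the Windows directory. The following is an added example for this article, not IBM X-Force's, Sysmon's or any vendor's detection logic; it scores Sysmon Event ID 7 (ImageLoad) records with four heuristics. The field names follow Sysmon's ImageLoad schema, the list of commonly impersonated system DLL names is an assumption for the example, and the sample events are constructed rather than taken from any real sample.

```python
"""Heuristic detector for DLL side-loading over Sysmon Event ID 7 (ImageLoad) records.

Added example; not IBM X-Force's, Sysmon's or any vendor's detection logic.
The events at the bottom are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to. A process running from one of these
# that loads a DLL from beside itself is the classic side-loading shape (the lure
# drops a legitimate EXE plus a malicious DLL into the same folder).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|temp\\|windows\\temp\\)", re.IGNORECASE
)

# Names of well-known Windows DLLs that side-loaders commonly impersonate.
# Assumed list for the example; a real rule would be built from a clean baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "userenv.dll"}


def score_image_load(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one ImageLoad event; each matched heuristic adds 1."""
    image = PureWindowsPath(event["Image"])        # the process that loaded the DLL
    loaded = PureWindowsPath(event["ImageLoaded"])  # the DLL that was mapped
    reasons = []

    # PureWindowsPath compares case-insensitively, as NTFS does.
    if loaded.parent == image.parent:
        reasons.append("dll_in_process_directory")
    if USER_WRITABLE.match(str(image.parent) + "\\"):
        reasons.append("process_in_user_writable_path")
    # Sysmon's Signed field describes the loaded image, not the loading process.
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("dll_unsigned")
    under_windows = len(loaded.parts) > 1 and loaded.parts[1].lower() == "windows"
    if loaded.name.lower() in SYSTEM_DLL_NAMES and not under_windows:
        reasons.append("system_dll_name_outside_windows_dir")
    return len(reasons), reasons


def detect_sideloading(events: list[dict], threshold: int = 3) -> list[dict]:
    """Return an alert record for every event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            alerts.append({"image": ev["Image"], "dll": ev["ImageLoaded"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal: a system binary loading a system DLL from System32.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Side-loading shape: a "viewer" in Downloads loading an unsigned DLL that
    # carries a system DLL name from the same folder.
    {"Image": r"C:\Users\alice\Downloads\docs\Viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\docs\version.dll", "Signed": "false"},
    # Benign but noisy: an installed application loading its own unsigned plugin.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for alert in detect_sideloading(SAMPLE_EVENTS):
        print(alert)
```

The threshold of 3 is deliberately above the two points a legitimate application earns for loading its own unsigned plugin from its install directory; what separates the side-loading case is the combination of a user-writable launch path with a DLL name that normally lives under the Windows directory. Correlating with Event ID 1 (process creation) to confirm that the loading executable is itself signed, as the lure's EXE typically is, would tighten the rule further.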

Pubshell is a “light-weight backdoor facilitating immediate access to the machine via a reverse shell,” security researchers Golo Mühr and Joshua Chung said in an analysis published this week.

At this stage, it's worth mentioning some of the nomenclature differences: IBM has given the name Claimloader to the custom stager first documented by Cisco Talos in May 2022 and PUBLOAD to the first-stage shellcode downloader, whereas Trend Micro identifies both the stager and the downloader as PUBLOAD. TeamT5, similarly, tracks the two components collectively as NoFive.

The development comes weeks after IBM disclosed a separate cluster of activity that it said is the work of a Hive0154 sub-cluster targeting the United States, the Philippines, Pakistan, and Taiwan from late 2024 to early 2025.

This activity, like in the case of those targeting Tibet, utilizes weaponized archives originating from spear-phishing emails to target government, military, and diplomatic entities.

The digital missives contain links to Google Drive URLs that download the booby-trapped ZIP or RAR archives upon clicking, ultimately resulting in the deployment of TONESHELL in 2024 and PUBLOAD starting this year via Claimloader.

TONESHELL, another oft-used Mustang Panda malware, functions similarly to Pubshell in that it’s also used to create a reverse shell and execute commands on the compromised host.

“The Pubshell implementation of the reverse shell via anonymous pipes is almost identical to TONESHELL,” the researchers said. “However, instead of running a new thread to immediately return any results, Pubshell requires an additional command to return command results. It also only supports running ‘cmd.exe’ as a shell.”


“In several ways, Pubload and Pubshell appear to be an independently developed ‘lite version’ of TONESHELL, with less sophistication and clear code overlaps.”
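The difference the researchers describe, a shell whose output comes back immediately from a reader thread versus one that holds the output until the operator issues a second command, is easiest to see with the pipe plumbing laid out. The following is an added example for this article and is not TONESHELL, Pubshell or IBM X-Force code; it uses /bin/sh in place of cmd.exe so it runs on a POSIX host, plain subprocess pipes in place of Windows anonymous-pipe handles, and a sentinel string (an assumption of this model) so the reader knows where one command's output ends.

```python
"""Models the two result-return styles of a pipe-attached command shell.

Added example; not TONESHELL, Pubshell or IBM X-Force code. /bin/sh stands in for
cmd.exe and subprocess pipes for Windows anonymous pipes. SENTINEL is an assumed
end-of-output marker used by this model only.
"""
import subprocess
import threading

SENTINEL = "__END_OF_OUTPUT__"


class PipeShell:
    """A shell whose stdin and stdout are attached to the controller through pipes."""

    def __init__(self, shell: str = "/bin/sh"):
        self.proc = subprocess.Popen(
            [shell], stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT, text=True, bufsize=1,
        )

    def send(self, command: str) -> None:
        """Write a command to the shell, followed by an echo of the sentinel."""
        self.proc.stdin.write(f"{command}\necho {SENTINEL}\n")
        self.proc.stdin.flush()

    def read_until_sentinel(self) -> str:
        """Drain the stdout pipe up to the next sentinel and return what preceded it."""
        lines = []
        while True:
            line = self.proc.stdout.readline()
            if not line or line.rstrip("\n") == SENTINEL:
                return "".join(lines)
            lines.append(line)

    def close(self) -> int:
        self.proc.stdin.close()
        return self.proc.wait(timeout=5)


def run_immediate(shell: PipeShell, command: str) -> str:
    """TONESHELL-style: a reader thread is started so the result returns at once."""
    result = {}
    reader = threading.Thread(
        target=lambda: result.setdefault("out", shell.read_until_sentinel())
    )
    reader.start()
    shell.send(command)
    reader.join()
    return result["out"]


def run_deferred(shell: PipeShell, command: str) -> None:
    """Pubshell-style step 1: execute and return nothing; output stays in the pipe."""
    shell.send(command)


def collect_results(shell: PipeShell) -> str:
    """Pubshell-style step 2: a separate command drains the buffered output."""
    return shell.read_until_sentinel()


if __name__ == "__main__":
    sh = PipeShell()
    print(run_immediate(sh, "echo immediate"), end="")
    run_deferred(sh, "echo deferred")
    print(collect_results(sh), end="")
    sh.close()
```

The deferred style has a practical limit that also applies to the real implant: output sits in the operating-system pipe buffer until it is read, so a command that produces more than the buffer holds blocks the shell process until the operator sends the collect command. The immediate style avoids that by always having a reader attached.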

The attacks targeting Taiwan have been characterized by the use of a USB worm called HIUPAN (aka MISTCLOAK or U2DiskWatch), which is then leveraged to spread Claimloader and PUBLOAD through USB devices.

“Hive0154 remains a highly capable threat actor with multiple active sub-clusters and frequent development cycles,” the researchers said.

“China-aligned groups like Hive0154 will continue to refine their large malware arsenal and retain a focus on East Asia-based organizations in the private and public sectors. Their wide array of tooling, frequent development cycles, and USB worm-based malware distribution highlights them as a sophisticated threat actor.”

Copyright © 2025 | Powered By Porpholio
