A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyberespionage campaign that deploys a previously undocumented variant of the PlugX remote access trojan on infected machines.
Slovak cybersecurity firm ESET dubbed the new version Hodur, owing to its resemblance to another PlugX (aka Korplug) variant called THOR that came to light in July 2021.
“Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan),” ESET malware researcher Alexandre Côté Cyr said in a report shared with The Hacker News.
“Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia.”
Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a cyber espionage group that’s primarily known for targeting non-governmental organizations with a specific focus on Mongolia.
The latest campaign, which dates back to at least August 2021, uses a compromise chain built around a continually updated set of decoy documents relating to current events in Europe and the war in Ukraine.