Palo Alto Unit 42 reported an espionage campaign attributed to the Chinese state-sponsored actor Mustang Panda. The campaign took place in August 2023 and targeted the Philippines in a timeframe consistent with the escalation of tension in the South China Sea between Beijing and Manila. The TTPs are notable: the lure was an archived folder containing legitimate versions of software such as Solid PDF Creator and the Indonesian antivirus SmadavProtect, but the same folder also carried a hidden dynamic link library that was used to side-load the malware. For evasion, command-and-control traffic was made to impersonate Microsoft traffic. The event is consistent with broader China-linked espionage activity across the region.
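The delivery pattern described above (a hidden DLL dropped beside legitimate executables inside an archive) can be triaged with a simple defender-side check. The following script is an added example written for this summary; it is not code from Unit 42 or from the original post. The folder layout, file names and file contents are constructed placeholders, and the dot-prefix hidden convention stands in for the Windows HIDDEN attribute on non-Windows systems (the Windows attribute is also checked when available).

```python
"""
Added example (not from the Unit 42 report): heuristic triage of an unpacked
archive folder for the DLL side-loading delivery pattern, i.e. a hidden DLL
placed in the same directory as an executable that could load it.
"""
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute flag for "hidden"


def is_hidden(path: Path) -> bool:
    """True if the file is hidden: dot-prefixed name (POSIX convention)
    or the Windows HIDDEN attribute (st_file_attributes exists only on Windows)."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_sideload_candidates(folder: Path) -> list[tuple[str, str]]:
    """Walk the folder and return sorted (exe, hidden_dll) pairs, relative to
    the folder root, for every hidden DLL co-located with an executable.
    Visible DLLs are not reported: the signal here is concealment next to a
    legitimate program, not the mere presence of a library."""
    findings: list[tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(folder):
        d = Path(dirpath)
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        for dll in dlls:
            if not is_hidden(d / dll):
                continue
            for exe in exes:
                findings.append((
                    str((d / exe).relative_to(folder)),
                    str((d / dll).relative_to(folder)),
                ))
    return sorted(findings)


def build_sample_folder() -> Path:
    """Construct a sample unpacked archive mirroring the described lure:
    two legitimate-looking executables, one visible DLL, and one hidden DLL.
    All names and contents are placeholders, not real artifacts."""
    root = Path(tempfile.mkdtemp(prefix="lure_"))
    (root / "SolidPDFCreator.exe").write_bytes(b"MZ placeholder")
    (root / "SmadavProtect.exe").write_bytes(b"MZ placeholder")
    (root / "legit.dll").write_bytes(b"MZ placeholder")      # visible, not flagged
    (root / ".helper.dll").write_bytes(b"MZ placeholder")    # hidden (dot-prefix stand-in)
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_text("constructed sample")
    return root


if __name__ == "__main__":
    sample = build_sample_folder()
    for exe, dll in find_sideload_candidates(sample):
        print(f"possible side-load pair: {exe} <- {dll}")
```

Run the script as-is to see it flag both executables paired with the hidden DLL while ignoring the visible one; point `find_sideload_candidates` at a real extracted archive to triage it. In production the check would be paired with authenticode verification of the executables and a hash lookup of any hidden DLL, which this example does not perform.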
Clipeus