The China-aligned hacking group Mustang Panda has launched a new cyber espionage campaign against an unidentified organization in Myanmar, deploying a range of updated malware and evasion techniques. The activity underscores the group's persistent evolution and its focus on refining its arsenal for stealthy, effective intrusions.
🎯 Key Highlights of the Attack:
Updated TONESHELL backdoor with upgraded FakeTLS-based C2 communication.
A new lateral movement proxy tool called StarProxy.
Two stealthy keyloggers: PAKLOG and CorKLOG.
A powerful EDR evasion driver named SplatCloak.
What Is Mustang Panda?
Also tracked as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Camaro Dragon, Mustang Panda is a Chinese state-sponsored APT group active since at least 2012. The group is widely known for targeting:
Government entities
NGOs
Ethnic and political groups
in East Asia, with occasional operations in Europe.
🛠️ TONESHELL Backdoor: Three New Variants Discovered
Researchers at Zscaler ThreatLabz, led by Sudeep Singh, have uncovered three distinct variants of the TONESHELL malware:
Variant 1: Basic reverse shell capabilities.
Variant 2: Downloads and executes DLLs by injecting them into legitimate system processes such as svchost.exe.
Variant 3: Custom TCP-based communication to download files and execute remote commands via subprocesses.
TONESHELL has become a cornerstone of Mustang Panda’s malware delivery framework, replacing older payloads like PlugX.
🛰️ StarProxy: New Post-Exploitation Proxy Tool
StarProxy is a new post-compromise tool that is launched via DLL side-loading and talks to attacker infrastructure over TCP using the FakeTLS protocol, traffic that wears TLS-style record headers so that it passes for TLS on the wire without a real TLS handshake. It facilitates lateral movement and the stealthy relay of data across internal systems.
A custom XOR-based algorithm obfuscates the traffic; this is not real encryption, and a fixed XOR key can be recovered from any known plaintext.
Configurable via command-line arguments for the IP address and port that traffic is routed to.
Functions as a proxy between infected hosts and attacker servers.
This tool is likely deployed once initial access is established, enabling attackers to pivot through internal workstations not directly accessible from the internet.
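Two checks a network defender can apply to traffic of this kind, as an added example that is not code from the article, from Zscaler, or from the malware: first, genuine TLS always opens with a Handshake record carrying a ClientHello, so a stream that opens with Application Data records and never handshakes has TLS framing but no TLS; second, if the payload under those records is XORed with a fixed key, a known plaintext gives the key back and decodes every other record. The record layout, the 4-byte key, the beacon text and the sample streams are constructed for this example; the exact framing and key used by StarProxy or TONESHELL are not taken from the article.

```python
import struct
from itertools import cycle

TLS_HANDSHAKE = 0x16   # TLS record content type: Handshake
TLS_APP_DATA = 0x17    # TLS record content type: Application Data
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}


def split_records(stream: bytes):
    """Yield (content_type, version, payload) for each TLS-style record header."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:          # truncated record: stop rather than guess
            break
        yield ctype, ver, body
        off += 5 + length


def classify_stream(client_bytes: bytes) -> str:
    """Classify the first bytes a client sent as 'tls', 'fake-tls' or 'unknown'.

    Real TLS opens with a Handshake record whose body starts with a ClientHello.
    Application Data before any handshake is TLS framing without TLS.
    """
    records = list(split_records(client_bytes))
    if not records:
        return "unknown"
    ctype, ver, body = records[0]
    if ver not in TLS_VERSIONS:
        return "unknown"
    if ctype == TLS_HANDSHAKE and body[:1] == bytes([CLIENT_HELLO]):
        return "tls"
    if ctype == TLS_APP_DATA:
        return "fake-tls"
    return "unknown"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR: key = C xor P over one key period."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def decode_fake_stream(stream: bytes, key: bytes) -> list:
    """Strip the fake record headers and un-XOR each Application Data payload."""
    return [xor_bytes(body, key)
            for ctype, _, body in split_records(stream) if ctype == TLS_APP_DATA]


# ---- constructed sample traffic (not captured from the campaign) ----
def fake_record(payload: bytes) -> bytes:
    return struct.pack("!BHH", TLS_APP_DATA, 0x0303, len(payload)) + payload


KEY = b"\x5a\x13\x77\xc0"                   # hypothetical 4-byte XOR key
BEACON = b"HOST=WS01;USER=admin;PROXY=ok"   # hypothetical beacon the analyst already knows
FAKE_STREAM = fake_record(xor_bytes(BEACON, KEY)) + fake_record(xor_bytes(b"PING", KEY))
# Truncated genuine ClientHello: a Handshake record whose body starts with type 0x01
REAL_STREAM = struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, 4) + bytes([CLIENT_HELLO, 0, 0, 0])

if __name__ == "__main__":
    print(classify_stream(REAL_STREAM), classify_stream(FAKE_STREAM))
    key = recover_xor_key(FAKE_STREAM[5:], b"HOST=", len(KEY))   # skip the 5-byte header
    print(key == KEY, decode_fake_stream(FAKE_STREAM, key))
```

The classifier only looks at the first client record, so it is a cheap first-pass heuristic rather than proof: an implant can just as well send a forged ClientHello before its custom records, and the check then has to move to whether a real handshake completes. The key-recovery step is the reason "XOR-based encryption" deserves the quotes: once one beacon format is known, the whole session is readable.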
🎹 PAKLOG & CorKLOG: Advanced Keyloggers for Stealth Surveillance
Two new keyloggers, PAKLOG and CorKLOG, have been linked to Mustang Panda's toolkit. Both log keystrokes and clipboard data, but CorKLOG stands out with:
RC4 encryption of the captured data using a 48-character key.
Persistence mechanisms such as scheduled tasks or services.
Neither variant includes its own exfiltration mechanism, so the operators must collect the logs with another tool later. Until then the encrypted log sits on disk, which makes the log file itself a useful forensic artifact.
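Because the log is RC4-encrypted with a fixed key and RC4 is symmetric, an analyst who recovers the key from the sample can decrypt the collected file offline with the same routine the malware used to write it. The block below is an added example, not CorKLOG's code or the article's: the RC4 implementation is the standard KSA/PRGA algorithm, while the 48-character key, the log layout and the sample keystrokes are constructed for illustration and say nothing about CorKLOG's real file format. RC4 has no integrity check, so a wrong key silently produces garbage; the printable-ratio test is there to tell the two apart.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Encryption and decryption are the same operation."""
    # Key-scheduling algorithm
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm, XORed onto the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_keylog(plaintext: bytes) -> bool:
    """Sanity check for a candidate key: a decrypted keylog should be almost all printable text."""
    if not plaintext:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in plaintext)
    return printable / len(plaintext) > 0.9


def try_keys(blob: bytes, candidates) -> tuple:
    """Return (key, plaintext) for the first candidate key that yields text, else (None, None)."""
    for key in candidates:
        plaintext = rc4(key, blob)
        if looks_like_keylog(plaintext):
            return key, plaintext
    return None, None


# ---- constructed sample (hypothetical key and log, not from the malware) ----
KEY = b"Xk9mQ2vLp7rT" * 4     # 48 characters, as the article states for CorKLOG
SAMPLE_LOG = b"[09:12:03] [notepad.exe]\r\npassword123\r\n[clipboard] meeting notes\r\n"
ENCRYPTED_BLOB = rc4(KEY, SAMPLE_LOG)   # what the keylogger would leave on disk

if __name__ == "__main__":
    key, text = try_keys(ENCRYPTED_BLOB, [b"not-the-key", KEY])
    print(key == KEY)
    print(text.decode())
```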
🧥 SplatCloak: EDR Evasion Through Kernel-Level Attack
A particularly dangerous addition is SplatCloak, a Windows kernel driver designed to blind Endpoint Detection and Response (EDR) tools: it disables the kernel-level callback routines registered by Windows Defender and Kaspersky, the notification hooks that security products rely on for visibility into process, thread and image-load activity.
Deployed via SplatDropper, the driver removes those callbacks so that the malware can operate undetected. Its integration demonstrates a high level of operational sophistication and persistence. Because any such driver has to be loaded before it can touch the kernel, driver-load telemetry (for example Sysmon Event ID 6, DriverLoad) is the natural place to look for it.
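One way to turn that into a hunt, as an added example that is neither Zscaler's code nor anything from SplatCloak itself: score each driver-load record on where the image was loaded from, whether it was signed, and whether the signer is one the organization expects. The flattened key=value rendering of Sysmon Event ID 6 fields, the trusted-signer list and the three sample events are constructed for this example; no SplatCloak paths, signers or hashes from the article are used.

```python
import re

# Directories from which legitimate drivers are normally loaded
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
# Signers a defender would typically allow-list (assumption for this example)
TRUSTED_SIGNERS = {"microsoft windows", "microsoft windows hardware compatibility publisher"}


def parse_driver_load(line: str) -> dict:
    """Parse a flattened 'key=value|key=value' rendering of a Sysmon event into a dict."""
    return {k: v.strip() for k, v in re.findall(r"(\w+)=([^|]*)", line)}


def score_driver_load(ev: dict) -> list:
    """Return the reasons a driver load looks suspicious (empty list = looks normal)."""
    reasons = []
    image = ev.get("ImageLoaded", "").lower()
    signed = ev.get("Signed", "").lower() == "true"
    signer = ev.get("Signature", "").lower()
    if not image.startswith(TRUSTED_DIRS):
        reasons.append("driver image outside the standard driver directories")
    if not signed:
        reasons.append("image not signed")
    elif signer not in TRUSTED_SIGNERS:
        reasons.append("unfamiliar signer: " + ev.get("Signature", ""))
    if re.search(r"\\(temp|tmp|users|programdata)\\", image):
        reasons.append("loaded from a user-writable location")
    return reasons


def hunt(lines) -> list:
    """Run the scoring over DriverLoad (EventID 6) records; return (image, reasons) hits."""
    hits = []
    for line in lines:
        ev = parse_driver_load(line)
        if ev.get("EventID") != "6":
            continue
        reasons = score_driver_load(ev)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


# ---- constructed sample events (not real telemetry from the campaign) ----
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\update\\netfltr.sys|Signed=false|Signature=|SignatureStatus=Unavailable",
    "EventID=6|ImageLoaded=C:\\Windows\\Temp\\kmhelper.sys|Signed=true|Signature=Example Vendor Ltd|SignatureStatus=Valid",
    "EventID=1|Image=C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The signer check is deliberately an allow-list rather than a block-list: a validly signed driver from an unexpected vendor still deserves a look, because a genuine signature says nothing about what the driver does once loaded. Tune TRUSTED_SIGNERS and TRUSTED_DIRS to the fleet's real driver inventory before relying on the output.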
🔍 Analysis: Strategic Evolution and Persistent Threat
“Mustang Panda demonstrates a calculated approach to achieving their objectives,” said Sudeep Singh of Zscaler. “Continuous updates, new tooling, and layered obfuscation prolong the group’s operational security and improve the efficacy of attacks.”
🚨 Related Threat: UNC5221 Deploys BRICKSTORM for Windows Attacks
In a parallel development, cybersecurity firm NVISO has linked the China-based espionage group UNC5221 to new variants of BRICKSTORM malware, now targeting Windows systems in Europe.
Key BRICKSTORM Capabilities:
Initially a Linux-based backdoor written in Go (Golang) and observed on VMware servers.
Now supports Windows with:
File system control
SOCKS proxy tunneling
Web server functionality
DNS-over-HTTPS (DoH) C2 resolution
While the Windows version lacks direct command execution, attackers use it for network tunneling and lateral movement, authenticating with stolen credentials over protocols such as RDP and SMB. Because the C2 address is resolved over DoH rather than plain DNS, those lookups never reach conventional DNS logs, which is one reason to monitor or restrict outbound DoH from servers.
🔐 Conclusion
The latest campaign by Mustang Panda highlights an ongoing surge in cyber espionage activities by China-nexus threat actors. With tools like StarProxy, TONESHELL, and SplatCloak, Mustang Panda is clearly focused on developing evasive, persistent, and modular malware for highly targeted surveillance operations.