{
	"id": "b17f33d6-4d38-4c80-9524-f029c8c40613",
	"created_at": "2026-04-10T03:22:01.664274Z",
	"updated_at": "2026-04-10T13:11:45.639664Z",
	"deleted_at": null,
	"sha1_hash": "1257d424954d4d3ac997e4195b6f2cba60663b37",
	"title": "Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78680,
	"plain_text": "Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection\r\nBy Nate Nelson\r\nPublished: 2022-03-24 · Archived: 2026-04-10 02:10:10 UTC\r\nMustang Panda’s already sophisticated cyberespionage campaign has matured even further with the introduction\r\nof a brand-new PlugX RAT variant.\r\nThe Chinese advanced persistent threat (APT) Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or\r\nRedDelta) has upgraded its espionage campaign against diplomatic missions, research entities and internet service\r\nproviders (ISPs) – largely in and around Southeast Asia.\r\nFor one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool\r\n(RAT) called PlugX (aka Korplug), according to researchers from ESET. They named this latest variant “Hodur,”\r\nafter a blind Norse god known for slaying his thought-to-be-invulnerable half-brother Baldr.\r\nBeyond that, Mustang Panda has developed a complex array of tactics, techniques and procedures (TTPs) to\r\nmaximize the efficacy of its attacks.\r\nESET researchers noted, “Every stage of the deployment process utilizes anti-analysis techniques and control-flow\r\nobfuscation.”\r\nThe cyberespionage campaign dates back to at least last August and is still ongoing, according to ESET, and is\r\ntargeting mainly governments and NGOs. Most victims are located in East and Southeast Asia, but there are\r\noutliers in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan).\r\nThe attacks begin with social-engineering emails or watering-hole attacks, researchers said.\r\n“The compromise chain includes decoy documents that are frequently updated and relate to events in Europe [and\r\nthe war in Ukraine],” noted the team, in a Wednesday posting. 
“One of the filenames related to this campaign is\r\n“Situation at the EU borders with Ukraine.exe.”\r\nOther phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and\r\na Regulation of the European Parliament and of the Council.\r\n“The final lure is a real document available on the European Council’s website,” according to ESET. “This shows\r\nthat the APT group behind this campaign is following current affairs and is able to successfully and swiftly react\r\nto them.”\r\nhttps://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/\r\nPage 1 of 3\n\nWhat is Hodur?\r\nHodur derives from PlugX, a RAT that “allows remote users to perform data theft or take control of the affected\r\nsystems without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes;\r\nfingerprint the infected system; and more.”\r\nPlugX is one of the oldest malware families around, having existed in some form or another since 2008, with a\r\nrise in popularity in the mid-2010s. Malware that old would not survive unchanged against current defenses, which is why Mustang Panda has\r\nconstantly iterated on it. Even just a few weeks ago, researchers from Proofpoint discovered an upgrade “changing\r\nits encoding method and expanding its configuration capabilities.”\r\nAccording to ESET, the new variant “mostly lines up with other Korplug variants, with some additional\r\ncommands and characteristics.” It closely resembles, for instance, another Norse-themed variant – Thor –\r\ndiscovered in 2020.\r\nSophisticated Attack Chain\r\nHodur itself is hardly the star of the show: Mustang Panda’s campaign features dozens of TTPs designed\r\nto establish persistence, collect data and evade defenses.\r\nAs mentioned, the campaign begins simply, as the group uses current events to phish their targets. 
For example,\r\nlast month Proofpoint observed the group sending .ZIP and .EXE files titled “Situation at the EU borders with Ukraine”\r\nfrom a compromised NATO diplomat’s email address.\r\nIf a target takes the bait, three files are dropped on the machine: a legitimate, validly signed executable that is\r\nvulnerable to DLL search-order hijacking; a malicious DLL carrying the file name that executable expects to load; and an\r\nencrypted Hodur payload.\r\n“The executable is abused to load the module, which then decrypts and executes the…RAT,” explained\r\nresearchers. “In some cases, a downloader is used first to deploy these files along with a decoy document.”\r\nMustang Panda frequently uses custom loaders for shared malware such as Cobalt Strike and Poison Ivy, and now\r\nfor Hodur. Then things get interesting. ESET analysts tallied a total of 44 MITRE ATT\u0026CK\r\ntechniques deployed in this campaign, including 13 different methods of obfuscating or otherwise\r\nevading security tools and detection.\r\nFor example, the ESET blog noted that “directories created during the installation process are set as hidden system\r\ndirectories,” and “file and directory names match expected values for the legitimate app that is abused by the\r\nloader.”\r\nThe malware also avoids leaving obvious traces: “scheduled tasks created for persistence use legitimate-looking names,”\r\nand “when writing to a file, Korplug sets the file’s timestamps to their previous values,” so a modified file keeps\r\nthe modification time it had before the write.\r\nWho’s Behind Mustang Panda?\r\nCybersecurity analysts have been tracking Mustang Panda since 2017, when they first started using Mongolian-themed phishing tactics to conduct espionage on targets in Southeast Asia. Still, there’s much we don’t know\r\nabout the group.\r\nThe depth and complexity of their TTPs put Mustang Panda more in the company of state-sponsored groups than\r\ncriminal ones. 
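The loader layout described above under “Sophisticated Attack Chain” (a signed executable, a malicious DLL beside it, file names matching the legitimate app) leaves a recognizable trace in endpoint telemetry: an unsigned DLL loaded from the same directory as the process image, outside the Windows and Program Files trees. The following Python is an added example, not code from the article or from ESET. It runs over constructed Sysmon Event ID 7 (Image loaded) records; the field names are the ones Sysmon logs, while the host, user and vendor paths are hypothetical.

```python
'''DLL side-loading hunt over Sysmon Event ID 7 (Image loaded) records.

Added example, not code from the article, Threatpost, or ESET. The records
below are constructed for the example; in practice they come from the Sysmon
event log (the System-level EventID is flattened into each record here).
Paths are written with forward slashes so the example needs no backslashes;
ntpath.normcase() maps both separators to the NT form, so real Sysmon paths
(which use backslashes) work unchanged.
'''
import ntpath
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Roots under which unsigned DLLs are routinely loaded (the OS and installed
# software). An unsigned DLL outside these roots, sitting in the same
# directory as the executable that loads it, is the search-order-hijack
# layout the article describes: signed EXE + malicious DLL side by side.
TRUSTED_ROOTS = tuple(
    ntpath.normcase(p)
    for p in ('C:/Windows/', 'C:/Program Files/', 'C:/Program Files (x86)/')
)


def is_validly_signed(ev: Event) -> bool:
    '''Sysmon 7 reports Signed (true/false) and SignatureStatus for the loaded image.'''
    return (ev.get('Signed', 'false').lower() == 'true'
            and ev.get('SignatureStatus', '') == 'Valid')


def loaded_from_loader_dir(ev: Event) -> bool:
    '''True when the DLL lives in the directory of the process image itself.'''
    image_dir = ntpath.normcase(ntpath.dirname(ev['Image']))
    dll_dir = ntpath.normcase(ntpath.dirname(ev['ImageLoaded']))
    return image_dir == dll_dir


def under_trusted_root(path: str) -> bool:
    return ntpath.normcase(path).startswith(TRUSTED_ROOTS)


def is_sideload_candidate(ev: Event) -> bool:
    '''Unsigned DLL, loaded from the loading EXE directory, outside trusted roots.'''
    if ev.get('EventID') != '7':
        return False
    if is_validly_signed(ev) or not loaded_from_loader_dir(ev):
        return False
    return not under_trusted_root(ev['ImageLoaded'])


def find_sideload_candidates(events: Iterable[Event]) -> List[Event]:
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample records (hypothetical host, user and vendor names).
SAMPLE_EVENTS: List[Event] = [
    # Normal: signed vendor DLL next to its signed application under Program Files.
    {'EventID': '7', 'Image': 'C:/Program Files/Vendor/app.exe',
     'ImageLoaded': 'C:/Program Files/Vendor/helper.dll',
     'Signed': 'true', 'SignatureStatus': 'Valid'},
    # Normal: any EXE loading an OS DLL from System32.
    {'EventID': '7', 'Image': 'C:/Users/alice/AppData/Local/Tool/tool.exe',
     'ImageLoaded': 'C:/Windows/System32/kernel32.dll',
     'Signed': 'true', 'SignatureStatus': 'Valid'},
    # Tolerated: unsigned plugin under Program Files (installed software is
    # outside this rule; it trades some coverage for fewer false positives).
    {'EventID': '7', 'Image': 'C:/Program Files/Vendor/app.exe',
     'ImageLoaded': 'C:/Program Files/Vendor/plugin.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    # Suspect: signed legitimate EXE dropped into a user-writable directory,
    # loading an unsigned DLL, named as the EXE expects, from that directory.
    {'EventID': '7', 'Image': 'C:/Users/Public/Libraries/Update/vendor.exe',
     'ImageLoaded': 'C:/Users/Public/Libraries/Update/vendor_core.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    # Not an image-load event at all; ignored.
    {'EventID': '1', 'Image': 'C:/Users/Public/Libraries/Update/vendor.exe'},
]


def demo() -> List[str]:
    '''Returns the loaded-DLL paths flagged in SAMPLE_EVENTS.'''
    return [ev['ImageLoaded'] for ev in find_sideload_candidates(SAMPLE_EVENTS)]


if __name__ == '__main__':
    for path in demo():
        print('possible side-load:', path)
```

Two caveats a hunter should keep in mind. Event ID 7 carries the signature state of the loaded DLL only, not of the loading executable, so confirming that the loader is the legitimate signed binary means joining on ProcessGuid with the matching Event ID 1 (process create) record. And because ESET reports that the DLL and directory names match what the legitimate application expects, a name-based allowlist is weak evidence here; the unsigned-DLL-beside-its-loader-in-a-user-writable-directory pattern is the durable signal, with portable applications and developer builds as the expected false positives to triage. The encrypted Hodur payload itself is never mapped with LoadLibrary, so it does not show up in this event at all; the DLL is the hook.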
So “it is possible, though unproven, that they are state-sponsored or at least state-sanctioned,”\r\nwrote Mike Parkin, senior technical engineer at Vulcan Cyber, via email.\r\nHistorically, the group has kept to Southeast Asia, with one notable exception – the Vatican – in 2020. The vast\r\nmajority of targets in ongoing campaigns have, indeed, been located in Mongolia and Vietnam, followed closely\r\nby Myanmar. However, as mentioned, the list also includes select entities in Europe and Africa, which muddies\r\nthe picture a bit.\r\n“The target distribution is interesting,” Parkin concluded. “There isn’t enough information publicly available here\r\nto determine the attacker’s ultimate agenda.”\r\nSource: https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/"
	],
	"report_names": [
		"179084"
	],
	"threat_actors": [],
	"ts_created_at": 1775791321,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1257d424954d4d3ac997e4195b6f2cba60663b37.pdf",
		"text": "https://archive.orkl.eu/1257d424954d4d3ac997e4195b6f2cba60663b37.txt",
		"img": "https://archive.orkl.eu/1257d424954d4d3ac997e4195b6f2cba60663b37.jpg"
	}
}