{
	"id": "c290491a-8254-4d08-9585-12429d4f24cb",
	"created_at": "2026-04-06T00:15:17.121455Z",
	"updated_at": "2026-04-10T03:36:33.525607Z",
	"deleted_at": null,
	"sha1_hash": "1f0926c83c7bda4395e15bc4d0700a983731c229",
	"title": "Chinese APT Bronze President Mounts Spy Campaign on Russian Military",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1196321,
	"plain_text": "Chinese APT Bronze President Mounts Spy Campaign on Russian\r\nMilitary\r\nBy Jai Vijayan\r\nPublished: 2022-04-27 · Archived: 2026-04-05 17:26:41 UTC\r\nSource: Pixels Hunter via Shutterstock\r\nChina's tacit support for Russia's war in Ukraine apparently doesn't preclude likely China-backed cyber actors\r\nfrom mounting espionage campaigns on the Russian military.\r\nResearchers from Secureworks' Counter Threat Unit this week said they recently discovered malware that\r\nsuggests the advanced persistent threat (APT) known as Bronze President (aka Mustang Panda) is now targeting\r\nRussian military personnel and officials. The security vendor described the effort as an example of how political\r\nchanges can push countries into new territory for surreptitious information-gathering efforts, even against friends\r\nand allies.\r\nCyberespionage Campaign Delivers PlugX\r\nAccording to the report, the heavily obfuscated malicious executable being used in the campaign is designed to\r\nappear as a Russian-language PDF document pertaining to Russia's 56th Blagoveshchenskiy Red Banner Border\r\nhttps://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military\r\nPage 1 of 3\n\nGuard Detachment (which is deployed near Russia's border with China). The file is designed so that default\r\nWindows settings do not display its .exe extension, Secureworks said.\r\nSecureworks also explained that the executable file displays a decoy document written in English, though the\r\nfilename itself is in Russian. The document appears to be legitimate and contains data pertaining to asylum\r\napplications and migratory pressure in the three countries that border Belarus — Poland, Lithuania, and Latvia.\r\nThe content also includes commentary on European Union sanctions against Belarus for its role in the war in\r\nUkraine.\r\nWhen executed, the file downloads three additional files from a staging server. One of them is a legitimate signed\r\nfile from Global Graphics Software, a UK-based firm. The file uses DLL search-order hijacking to import an\r\nupdated version of PlugX, a remote-access Trojan (RAT) that has been previously associated with Bronze\r\nPresident.\r\n\"DLL search-order hijacking has been around for years,\" says Mike McLellan, director of intelligence at\r\nSecureworks. \"It's a well-known technique by threat actors in which they maliciously use a legitimate executable\r\nfile, often from a well-known vendor, together with a malicious library file (DLL), to load and execute an\r\nencrypted malware payload.\"\r\nThreat actors use the technique because it ensures that the malicious payload file on a compromised system is\r\nnever sitting around on disk in a manner that scanners and anti-malware can detect.\r\n\"This technique has been a staple of several China-nexus threat groups for many years,\" McLellan says.\r\nAs part of the attack chain, the threat actors have also included a ping command that adds a significant delay\r\nbefore executing the legitimate signed file, Secureworks said — a generic evasion technique to introduce a time\r\nlag while files are downloaded to the victim.\r\nThe staging server that Secureworks observed the threat actor using in the current campaign hosts a domain that\r\nProofpoint earlier this year linked to a PlugX campaign against diplomatic entities in Europe. The security vendor\r\ndetermined that campaign to be motivated by matters related to the war in Ukraine as well. The same domain has\r\nalso been linked to Bronze President attacks in 2020 that Secureworks observed against the Vatican.\r\nA New Set of Victims for Bronze Panda\r\nBronze President is a threat group that has been active since at least 2018, according to the researchers.\r\nSecureworks and others have assessed the group as being China-based and likely sponsored by — or operating\r\nwith the knowledge of — the Chinese government. The group has been associated with numerous attacks on\r\nnongovernmental organizations and others, mostly in Asia but to some extent in other countries. Last year, for\r\nexample, researchers from McAfee spotted the threat actor conducting a major cyber espionage operation\r\ntargeting telecommunication companies in the US, Asia, and Europe.\r\nThe latest campaign represents a departure from the usual for the group, since it targets Russian entities, according\r\nto McLellan: \"This is substantially different to what we have seen over the past two years where Bronze President\r\nhas been about 90% focused on Myanmar and Vietnam. We believe they still have a mission in the Asia region,\r\nbut this has been a bit of a departure for them.\"\r\nhttps://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military\r\nPage 2 of 3\n\nAbout the Author\r\nContributing Writer\r\nJai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was\r\nmost recently a Senior Editor at Computerworld, where he covered information security and data privacy issues\r\nfor the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other\r\ntechnology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to\r\nComputerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's\r\ndegree in Statistics and lives in Naperville, Ill.\r\nSource: https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military\r\nhttps://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military"
	],
	"report_names": [
		"chinese-apt-bronze-president-spy-campaign-russian-military"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434517,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f0926c83c7bda4395e15bc4d0700a983731c229.pdf",
		"text": "https://archive.orkl.eu/1f0926c83c7bda4395e15bc4d0700a983731c229.txt",
		"img": "https://archive.orkl.eu/1f0926c83c7bda4395e15bc4d0700a983731c229.jpg"
	}
}