{
	"id": "447af1f5-6bea-4e58-8b10-ad537c75c513",
	"created_at": "2026-04-06T00:20:00.65537Z",
	"updated_at": "2026-04-10T13:11:56.97921Z",
	"deleted_at": null,
	"sha1_hash": "3344d1e764f626bbaea137ea4f88d43da88cb4d0",
	"title": "ASEAN Entities in the Spotlight: Chinese APT Group Targeting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 607777,
	"plain_text": "ASEAN Entities in the Spotlight: Chinese APT Group Targeting\r\nBy Unit 42\r\nPublished: 2024-03-26 · Archived: 2026-04-05 19:54:43 UTC\r\nExecutive Summary\r\nOver the past 90 days, Unit 42 researchers have identified two Chinese advanced persistent threat (APT) groups\r\nconducting cyberespionage activities against entities and member countries affiliated with the Association of\r\nSoutheast Asian Nations (ASEAN):\r\nThe first APT group, Stately Taurus, created two malware packages we believe targeted entities in\r\nMyanmar, the Philippines, Japan and Singapore. The timing of these campaigns coincided with the\r\nASEAN-Australia Special Summit, held March 4-6, 2024.\r\nThe second Chinese APT group compromised an ASEAN-affiliated entity. This APT group has targeted\r\nvarious Southeast Asia government entities including Cambodia, Laos and Singapore in recent months.\r\nStately Taurus (aka Mustang Panda, BRONZE PRESIDENT, Red Delta, LuminousMoth, Earth Preta and Camaro\r\nDragon) has been operating since at least 2012. We assess this to be a Chinese APT group that routinely conducts\r\ncyberespionage campaigns. This group has historically targeted government entities and nonprofits, as well as\r\nreligious and other nongovernmental organizations across North America, Europe and Asia.\r\nWe recently identified network traffic from the aforementioned ASEAN-affiliated entity to the malicious\r\ninfrastructure associated with the second Chinese APT group, which indicated the entity’s environment had been\r\ncompromised. 
ASEAN-affiliated entities are attractive targets for espionage operations due to their role in\r\nhandling sensitive information regarding diplomatic relations and economic decisions in the region.\r\nPalo Alto Networks customers are better protected from this malicious infrastructure through our Prisma Cloud\r\nDefender agents with WildFire integration, as well as DNS Security and Advanced URL Filtering.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nStately Taurus Activity\r\nDuring the ASEAN-Australia Special Summit held in March 2024, Unit 42 researchers identified two Stately\r\nTaurus malware packages that we assess were leveraged to target Asian countries. Threat actors created malware\r\nfor these packages on March 4-5, 2024, coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024).\r\nPackage 1: Talking_Points_for_China.zip\r\nAttackers created the first package on March 4, 2024, as a ZIP archive. Entities located in the Philippines, Japan\r\nand Singapore saw it the next day (evidenced by the samples they uploaded to communal databases). Extracting\r\nhttps://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/\r\nPage 1 of 6\n\nthe contents of the Talking_Points_for_China.zip archive reveals two files, as shown in Figure 1.\r\nFigure 1. Talking_Points_for_China.zip.\r\nThe executable Talking_Points_for_China.exe is actually a renamed copy of the signed anti-key logging program\r\nKeyScrambler.exe developed by QFX Software Corporation. Threat actors often abuse, take advantage of or\r\nsubvert legitimate products for malicious purposes. 
This does not imply that the legitimate product is flawed or\r\nmalicious.\r\nUpon executing this binary, it sideloads the malicious DLL KeyScramblerIE.dll and copies it to the directory\r\nC:\\Users\\Public\\Libraries\\SmileTV\\KeyScramblerIE.dll with an autorun registry key of the same location\r\nestablished for persistence.\r\nThe code then decrypts shellcode that we assess is PubLoad malware. This malware then attempts to establish a\r\nconnection to 103.27.109[.]157:443.\r\nThis package displays strong overlap with the sample described by CSIRT-CTI in their post’s section entitled\r\nCampaign #4 – Talking Points for China.zip. These similarities include:\r\nThe archive filename\r\nThe magic bytes to initiate the payload (17 03 03)\r\nUsing a signed binary from QFX Software Corporation\r\nThe execution characteristics of PubLoad malware\r\nPackage 2: Note PSO.scr\r\nThreat actors created the second package on March 5, 2024, as a screensaver executable (SCR extension) file,\r\nwhich an entity located in Myanmar saw the same day (evidenced by an upload to a malware repository). Given\r\nthe filename (Note PSO.scr), we suspect that PSO is likely a reference to the title of Personal Staff Officer, a rank\r\nin the Myanmar military.\r\nWe observed Stately Taurus switching tactics, techniques and procedures (TTPs) for this malicious package.\r\nInstead of their typical choice of relying on file archive formats (ZIP, RAR, ISO) for delivery, this time Stately\r\nTaurus employed an executable with a screensaver (SCR) file extension for initial infection. This approach\r\nresulted in the download of malicious code from the IP address 123.253.32[.]71.\r\nUpon opening the SCR file, the threat actor attempts to make network connections to download the benign\r\nexecutable WindowsUpdate.exe and malicious DLL EACore.dll. 
These files were hosted at the following\r\nlocations:\r\nhxxp[:]//123.253.32[.]71/WindowsUpdate.exe\r\nhxxp[:]//123.253.32[.]71/EACore.dll\r\nThreat actors use a benign program they’ve renamed WindowsUpdate.exe, which is actually an older version of\r\nEACoreServer.exe signed by the reputable video game company Electronic Arts, Inc. They do this to give it an\r\nappearance of a trustworthy program while, in the background, they’re sideloading their malicious DLL file that\r\nthey’ve renamed to overwrite the legitimate EACore.dll. This malware then attempts to establish a connection to\r\nwww[.]openservername[.]com at 146.70.149[.]36 for command and control (C2).\r\nSecond Chinese APT Group Activity\r\nWe recently identified network connections between an ASEAN-affiliated entity and the C2 infrastructure of a\r\nChinese APT group, indicating the entity’s environment had been compromised. We have also observed similar\r\nactivity originating from government entities across ASEAN member states. ASEAN-affiliated entities are\r\nattractive targets for espionage operations due to their role in handling sensitive information regarding diplomatic\r\nrelations and economic decisions in the region.\r\nC2 Infrastructure\r\nTable 1 outlines known target-facing infrastructure used for C2.\r\nIP Address Target Port Domain(s)\r\n65.20.103[.]231 80, 81\r\n139.59.46[.]88 80, 443, 8443, 8080, 9443\r\n193.149.129[.]93 8443 ai.nerdnooks[.]com\r\n192.153.57[.]98 8080 web.daydreamdew[.]net\r\nTable 1. Known infrastructure.\r\nActivity Timeline: Second Chinese APT Group\r\nUnit 42 researchers identified threat actor activity throughout January and February 2024. We also observed a\r\ndistinct lull coinciding with the Lunar New Year and the Chinese mandated “Special Working Day” on Feb. 18,\r\n2024, as shown in Figure 2.\r\nFigure 2. Pattern of life: working days.\r\nWe observed a similar pattern of life with this same actor during China’s Golden Week in September and October\r\n2023.\r\nWorking hours for this actor were also consistent with our prior observations of business hours on weekdays\r\n(Monday to Friday) adjusted to UTC +08:00 (China Standard Time), as shown in Figure 3.\r\nFigure 3. Pattern of life: working hours (+08:00 time adjusted).\r\nConclusion\r\nUnit 42 has identified two Chinese APTs conducting recent cyberespionage activities against the entities and\r\nmember countries affiliated with the Association of Southeast Asian Nations (ASEAN). These types of campaigns\r\ncontinue to demonstrate how organizations are targeted for cyberespionage purposes, where nation-state affiliated\r\nthreat groups collect intelligence of geopolitical interests within the region. We encourage organizations to\r\nleverage our findings to inform the deployment of protective measures to defend against these types of threats.\r\nProtections and Mitigations\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nDNS Security and Advanced URL Filtering classify domains in this article as malicious\r\nWildFire is a cloud based threat detection engine that classifies the Stately Taurus malware samples in this\r\narticle as malicious\r\nPrisma Cloud Defender agents with WildFire integration can detect and prevent malicious execution of the\r\nStately Taurus malware samples in this article on Windows-based VM, container and serverless cloud\r\ninfrastructure.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America toll-free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nStately Taurus Campaigns\r\nMalware Hashes\r\na16a40d0182a87fc6219693ac664286738329222983bd9e70b455f198e124ba2\r\n316541143187acff1404b98659c6d9c8566107bd652310705214777f03ea10c8\r\n02f4186b532b3e33a5cd6d9a39d9469b8d9c12df7cb45dba6dcab912b03e3cb8\r\n5cd4003ccaa479734c7f5a01c8ff95891831a29d857757bbd7fe4294f3c5c126\r\nInfrastructure:\r\n103.27.109[.]157\r\n123.253.32[.]71\r\n146.70.149[.]36\r\nwww.openservername[.]com\r\nASEAN Affiliated Activity\r\nInfrastructure:\r\nai.nerdnooks[.]com\r\nweb.daydreamdew[.]net\r\n65.20.103[.]231\r\n139.59.46[.]88\r\n193.149.129[.]93\r\n192.153.57[.]98\r\nAdditional Resources\r\nIntruders in the Library: Exploring DLL Hijacking – Unit 42, Palo Alto Networks\r\nStately Taurus Continued – New Information on Cyberespionage Attacks against Myanmar Military Junta\r\n– CSIRT-CTI\r\nChinese APT Targeting Cambodian Government – Unit 42, Palo Alto Networks\r\nSource: https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/"
	],
	"report_names": [
		"chinese-apts-target-asean-entities"
	],
	"threat_actors": [
		{
			"id": "7c00086d-9535-4552-8201-1dd725e41b12",
			"created_at": "2023-04-26T02:03:03.128736Z",
			"updated_at": "2026-04-10T02:00:05.239152Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [
				"LuminousMoth"
			],
			"source_name": "MITRE:LuminousMoth",
			"tools": [
				"PlugX",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "92049df8-7902-48e8-ad17-97398b923698",
			"created_at": "2022-10-25T16:07:23.81315Z",
			"updated_at": "2026-04-10T02:00:04.757082Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [],
			"source_name": "ETDA:LuminousMoth",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3344d1e764f626bbaea137ea4f88d43da88cb4d0.pdf",
		"text": "https://archive.orkl.eu/3344d1e764f626bbaea137ea4f88d43da88cb4d0.txt",
		"img": "https://archive.orkl.eu/3344d1e764f626bbaea137ea4f88d43da88cb4d0.jpg"
	}
}