{
	"id": "3e8d43e6-4781-4a7f-bb03-fedf1d6021c4",
	"created_at": "2026-04-06T00:10:43.011789Z",
	"updated_at": "2026-04-10T03:36:33.827271Z",
	"deleted_at": null,
	"sha1_hash": "4ddcb89079acc7ed4519fcd80e835b3ec35edfc5",
	"title": "Myanmar – Multi-stage malware attack targets elected lawmakers – Qurium Media Foundation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 314583,
	"plain_text": "Myanmar – Multi-stage malware attack targets elected lawmakers\r\n– Qurium Media Foundation\r\nArchived: 2026-04-05 16:35:21 UTC\r\n12 April 2021\r\n(Updated April 29, 2021)\r\nOn the 11th of March 2021, an email containing a targeted attack was sent to a member of the Committee Representing Pyidaungsu Hluttaw (CRPH). The CRPH is formed by elected lawmakers who were prevented from taking their seats in the Union Parliament by the military coup of the 1st of February 2021. The Pyidaungsu Hluttaw is Myanmar’s Union Parliament.\r\nThe malicious mail sent to CRPH had a Sender and Subject customized for the victim, and the mail body included a link to a document in a Google Drive of the form hxxps://drive.google.com/file/…\r\nThe mail included a link to a RAR file located in a Google Drive account.\r\nhttps://www.qurium.org/alerts/targeted-malware-against-crph/\r\nPage 1 of 3\r\nThe RAR compressed file hosted in the Google Drive contained a .lnk file with the name 2021-03-11.lnk\r\nOnce executed, the following files are dropped.\r\n0639b0a6f69b3265c1e42227d650b7d1 aaa.exe\r\n7f0079d2ef1fca0b4bf0789aad3d2b04 gtgc.bat\r\n8b68dc5dbb99af7de3312771e828b6c8 gtgc.js\r\n332a4f864b1f7b1e166edb5d9b47e119 gtgc.lnk\r\n155de7d464125b8c35b22dae37428aba SmadavProtect32.exe\r\n37d1df5648c2e499b23b4228743f0318 SmadHook32c.dll\r\nThese files are the result of the execution of the .lnk bundle.\r\nThe malware drops a legitimate copy of SmadavProtect32, a popular anti-virus pre-installed on brand new computers in the country.\r\nTo avoid anti-virus detection the malware executes the anti-virus SmadavProtect32, but it also provides a dynamic library with it (SmadHook32c.dll). The DLL is loaded when SmadavProtect32 is executed, providing the malware with the functionality for the next stage of infection.\r\nThe next stage is an HTTP connection to IP address 95.217.1{.}81 to request http://95.217.1{.}81/maps/overlayBFPR, from which an encrypted binary payload is downloaded.\r\n725f28750887fbe4652c39ceeecdac21 payload\r\nThe methods and Command and Control are associated with activities performed by the Chinese APT group “Mustang Panda“.\r\nThe same Command and Control (C2) was used in another targeted attack in December 2020, carried out by Mustang Panda (Credit: Virustotal Intelligence).\r\nUpdate April 2021\r\nDuring the last week of April 2021, a new email was sent to a mailing list; the mail contained a link to Google Drive with the file: CEC List \u0026 CRPH (Meeting minutes).rar\r\nThe compressed RAR file contained two files\r\n1d281c5353d1b12afb9c4a4ae61e5675 CEC List \u0026 CRPH (Meeting minutes) .exe\r\nac18992de804cb4bc9e6aa7f7e3ad08e Acrobat.dll\r\nThe first file is a legitimate copy of exch_acrobat.exe and the second file is a malicious DLL library included by the attacker. As in the previous attack, the DLL library is used to “side-load” the malware.\r\nTo ensure that the malware remains active in the compromised system, it will include a new scheduled task (MicrosoftCorp.xml) pointing to C:\\Users\\Public\\Libraries\\ACMguid\\Acrobat.exe and will add a new registry key in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ACMguid\r\nIn a second stage of infection the malware connects to 65.21.111{.}255/maps/overlayBFPR to download a Cobalt Strike beacon. A great video explaining Cobalt Strike capabilities is available here\r\nIn conclusion, this attack resembles the techniques used by the previous loader described in this article and suggests that the same attacker is behind the malware.\r\nSource: https://www.qurium.org/alerts/targeted-malware-against-crph/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.qurium.org/alerts/targeted-malware-against-crph/"
	],
	"report_names": [
		"targeted-malware-against-crph"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ddcb89079acc7ed4519fcd80e835b3ec35edfc5.pdf",
		"text": "https://archive.orkl.eu/4ddcb89079acc7ed4519fcd80e835b3ec35edfc5.txt",
		"img": "https://archive.orkl.eu/4ddcb89079acc7ed4519fcd80e835b3ec35edfc5.jpg"
	}
}