{
	"id": "47f981ed-0d84-4201-adfc-78f1d01d04b2",
	"created_at": "2026-04-06T00:06:39.89147Z",
	"updated_at": "2026-04-10T13:12:54.840462Z",
	"deleted_at": null,
	"sha1_hash": "7204d73d38e67f901fd36a55aa51c2717920143f",
	"title": "Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 130953,
	"plain_text": "Stately Taurus Targets the Philippines As Tensions Flare in the\r\nSouth Pacific\r\nBy Unit 42\r\nPublished: 2023-11-17 · Archived: 2026-04-05 13:37:54 UTC\r\nExecutive Summary\r\nTensions between China and the Philippines have risen sharply over the past several months. In early August, a\r\nChinese Coast Guard vessel fired its water cannon at a Philippine vessel that was performing a resupply mission\r\nto the disputed Second Thomas Shoal in the Spratly Islands. Since then, the Philippines has announced joint\r\npatrols with the United States, and naval exercises with Australia. It has been reported that the Philippine Coast\r\nGuard has both terminated a hotline established with their Chinese counterparts and acted to remove Chinese\r\nbarriers placed near the disputed Scarborough Shoal.\r\nCoinciding with these real-world events, Unit 42 researchers observed three Stately Taurus campaigns during the\r\nmonth of August. These campaigns are assessed to have targeted entities in the South Pacific including the\r\nPhilippines government. The campaigns leveraged legitimate software including Solid PDF Creator and\r\nSmadavProtect (an Indonesia-based antivirus solution) to sideload malicious files. Threat actors also creatively\r\nconfigured the malware to impersonate legitimate Microsoft traffic for command and control (C2) connections.\r\nStately Taurus (aka Mustang Panda, Bronze President, Red Delta, Luminous Moth, Earth Preta and Camaro\r\nDragon) has been operating since at least 2012. It is assessed to be a Chinese advanced persistent threat (APT)\r\ngroup that routinely conducts cyberespionage campaigns. 
This group has historically targeted government entities\r\nand nonprofits, as well as religious and other non-governmental organizations across North America, Europe and\r\nAsia.\r\nPalo Alto Networks customers receive protection from the threats described in this article through Cortex\r\nXDR and WildFire malware analysis.\r\nCampaigns\r\nUnit 42 observed three Stately Taurus campaigns during the month of August.\r\nCampaign 1\r\nThe first campaign was observed on Aug. 1, 2023, when we identified a Stately Taurus malware package that was\r\nhosted for download on Google Drive. Threat operators configured this malware package as a ZIP file named\r\n230728 meeting minutes.zip. Upon extracting this archive, unsuspecting victims are presented with the view\r\nshown in Figure 1.\r\nhttps://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/\r\nPage 1 of 5\n\nFigure 1. ZIP archive contents.\r\nBy default, victims are presented with a visible application (20230728 meeting minutes.exe) that contains a PDF\r\nicon. This file is in fact a legitimate copy of Solid PDF Creator software that has been renamed. However, what\r\nvictims don’t see is that this folder contains a second hidden file named SolidPDFCreator.dll.\r\nAny attempt to execute the legitimate Solid PDF Creator software will result in the side-loading of the malicious\r\nDLL contained in the same folder. Once loaded, the malicious DLL then establishes a connection with\r\n45.121.146[.]113 to facilitate C2.\r\nWe assess that an entity associated with the Philippines government saw this first malware package as early as\r\nAug. 1, 2023.\r\nCampaign 2\r\nWe subsequently identified a second Stately Taurus malware campaign on Aug. 3, 2023. This malware package\r\nwas configured as a ZIP file named NUG's Foreign Policy Strategy.zip. In this case, the acronym “NUG” is\r\nbelieved to be a reference to the National Unity Government of Myanmar. 
Upon extracting this archive, victims\r\nare presented with a view that is similar to the first campaign, which is shown in Figure 2.\r\nFigure 2. ZIP archive contents.\r\nHere we see a legitimate copy of Solid PDF Creator software that has been renamed as NUG’s Foreign Policy\r\nStrategy.exe. We also see the hidden SolidPDFCreator.dll file that is side-loaded when the application is launched.\r\nHowever, what is deceiving about this sample is that this ZIP file also contains additional files hidden in the path:\r\nNUG’s Foreign Policy Strategy\\#\\#\\#\\#\\#\\#\\#\\#\\#\\#\\#\\\r\nAfter traversing 11 folders named #, we identified three additional files, shown in Figure 3.\r\nFigure 3. Contents of # folder.\r\nIn terms of process flow, upon executing the visible NUG’s Foreign Policy Strategy.exe binary, the threat side-loads SolidPDFCreator.dll. This DLL then copies these three files (errordetails, SmadavProtect32.exe and\r\nSmadhook32c.dll) to the victim's home directory and establishes a registry key\r\n(HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AHealthDB) to call\r\nSmadavProtect32.exe when a user logs on.\r\nSmadavProtect32.exe is a legitimate and benign copy of an Indonesian antivirus program called SmadAV. Upon\r\nlogin, SmadavProtect32.exe will load the malicious DLL (SmadHook32c.dll) and then the malware (errordetails)\r\ncontained in the same folder. Once running, the malware is configured to call home to 45.121.146[.]113 for C2.\r\nCampaign 3\r\nThe third campaign is structurally identical to the first campaign, and it was created on Aug. 16, 2023. However,\r\nthe ZIP and EXE filenames use Labour Statement.zip instead of 230728 meeting minutes from the first example.\r\nUpon extracting the contents of the ZIP file, victims are presented with two files. 
The first file, called Labour\r\nStatement.exe, is a benign copy of Solid PDF Creator software. The second file is a malicious DLL named\r\nSolidPDFCreator.dll. Following execution of the application, the malicious DLL is loaded, and it establishes a\r\nconnection to 45.121.146[.]113 for C2 consistent with the previous two campaigns.\r\nC2 Infrastructure\r\nThe IP address 45.121.146[.]113 was first associated with Stately Taurus during a series of campaigns launched in\r\nJune 2023. We assess that the actors continued to leverage this infrastructure throughout the month of August\r\n2023. However, one interesting aspect of the C2 activity is that the actors attempted to disguise it as legitimate\r\nMicrosoft traffic, as shown in Figure 4.\r\nFigure 4. Malware POST statement.\r\nSpecifically, in the POST statements the malware sets the host field to wcpstatic.microsoft[.]com despite the\r\ntraffic being directed to an IP address in Malaysia that has no relation to any legitimate Microsoft services.\r\nAdditionally, in monitoring traffic associated with the C2 server, we identified multiple connections between Aug.\r\n10 and Aug. 15, 2023, originating from Philippines government infrastructure. Given traffic to the known\r\nmalicious C2 server, we assess a Philippines government entity was likely compromised during these campaigns,\r\nat least for the five-day period in August 2023.\r\nConclusion\r\nDuring the month of August, Stately Taurus actors launched at least three campaigns targeting entities in the South\r\nPacific. 
We assess that at least one of these campaigns directly targeted the Philippines government and that the\r\nactors were successful in their attempts to compromise a government entity for five days in August.\r\nStately Taurus continues to demonstrate its ability to conduct persistent cyberespionage operations as one of the\r\nmost active Chinese APTs. These operations target a variety of entities globally that align with geopolitical topics\r\nof interest to the Chinese government. We encourage organizations to leverage our findings to inform the\r\ndeployment of protective measures to defend against this threat group.\r\nProtection Recommendations\r\nTo defend against the threats described in this blog, Palo Alto Networks recommends organizations employ the\r\nfollowing capabilities:\r\nNetwork Security: Delivered through a Next-Generation Firewall (NGFW) configured with machine\r\nlearning-enabled, and best-in-class, cloud-delivered security services. This includes, for example, threat\r\nprevention, URL filtering, DNS security and a malware prevention engine capable of identifying and\r\nblocking malicious samples and infrastructure.\r\nEndpoint Security: Delivered through an XDR solution that can identify malicious code through the use of\r\nadvanced machine learning and behavioral analytics. 
This solution should be configured to act on and\r\nblock threats in real time as they are identified.\r\nSecurity Automation: Delivered through an XSOAR or XSIAM solution capable of providing SOC\r\nanalysts with a comprehensive understanding of the threat derived by stitching together data obtained from\r\nendpoints, network, cloud and identity systems.\r\nProtections and Mitigations\r\nPalo Alto Networks customers receive protection from the threats discussed above through the following products:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the malware described\r\nin this blog as malicious.\r\nCortex XDR prevents the execution of known malware and also prevents the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis module.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nStately Taurus Samples\r\nInfrastructure\r\n45.121.146[.]113\r\nhxxps://drive.google[.]com/uc?id=1QLIQXP-s42TtZsONsKLAAtOr4Pdxljcu\r\nAdditional Resources\r\nCyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus – Unit 42, Palo\r\nAlto Networks\r\nStealthy USB - Check Point\r\nChinese Threat Actors Targeting Europe in SmugX Campaign - Check Point\r\nSource: https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/"
	],
	"report_names": [
		"stately-taurus-targets-philippines-government-cyberespionage"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ff375ef-7859-4d44-9399-06c9d1d9359c",
			"created_at": "2023-07-11T02:00:10.063244Z",
			"updated_at": "2026-04-10T02:00:03.367017Z",
			"deleted_at": null,
			"main_name": "SmugX",
			"aliases": [],
			"source_name": "MISPGALAXY:SmugX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7204d73d38e67f901fd36a55aa51c2717920143f.pdf",
		"text": "https://archive.orkl.eu/7204d73d38e67f901fd36a55aa51c2717920143f.txt",
		"img": "https://archive.orkl.eu/7204d73d38e67f901fd36a55aa51c2717920143f.jpg"
	}
}