{
	"id": "8935f5e4-658b-4f39-864e-e45c8c9cf478",
	"created_at": "2026-04-15T02:23:10.573472Z",
	"updated_at": "2026-04-18T02:22:32.95564Z",
	"deleted_at": null,
	"sha1_hash": "a394422ecb58c671d173ba585c9aed047d7462f4",
	"title": "Check Point Research reveals a malicious firmware implant for TP-Link routers, linked to Chinese APT group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47411,
	"plain_text": "Check Point Research reveals a malicious firmware implant for\r\nTP-Link routers, linked to Chinese APT group\r\nBy etal\r\nPublished: 2023-05-16 · Archived: 2026-04-15 02:05:54 UTC\r\nHighlights\r\nCheck Point Research (CPR) exposes a malicious firmware implant for TP-Link routers which allowed\r\nattackers to gain full control of infected devices and access compromised networks while evading\r\ndetection.\r\nCPR attributes the attacks to a Chinese state-sponsored APT group dubbed “Camaro Dragon”. The group\r\noverlaps with activity previously attributed to Mustang Panda.\r\nThe deployment method of the firmware images remains uncertain, as does its usage and involvement in\r\nactual intrusions.\r\nExecutive Summary\r\nRecently, Check Point Research investigated a sequence of targeted cyberattacks against European foreign affairs\r\nentities and attributed them to a Chinese state-sponsored Advanced Persistent Threat (APT) group dubbed\r\n“Camaro Dragon” by CPR. This activity has significant infrastructure overlaps with activities publicly linked to\r\n“Mustang Panda”. Our investigation discovered a malicious firmware implant created for TP-Link routers\r\ncontaining various harmful components, including a customized backdoor named “Horse Shell.” This backdoor\r\nenabled attackers to take full control of the infected device, remain undetected, and access compromised networks.\r\nCPR’s thorough analysis exposed these malicious tactics and provides a deep-dive analysis.\r\nThis blog post will delve into the intricate details of the “Horse Shell” router implant, share our\r\ninsights into the implant’s functionality, and compare it to other router implants associated with other Chinese\r\nstate-sponsored groups. By examining this implant, we hope to shed light on the techniques and tactics utilized by\r\nthe Camaro Dragon APT group and provide a better understanding of how threat actors utilize malicious firmware\r\nimplants in network devices for their attacks.\r\nThe Attack\r\nOur investigation of the ‘Camaro Dragon’ activity concerned a campaign targeted mainly at European foreign affairs\r\nentities. However, even though we found Horse Shell on the attacking infrastructure, we do not know who the\r\nvictims of the router implant are.\r\nLearning from history, router implants are often installed on arbitrary devices of no particular interest, with the\r\naim of creating a chain of nodes between the main infections and the real command and control. In other words,\r\nhttps://blog.checkpoint.com/security/check-point-research-reveals-a-malicious-firmware-implant-for-tp-link-routers-linked-to-chinese-apt-group/\r\nPage 1 of 3\n\ninfecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only\r\na means to a goal.\r\nWe are unsure how the attackers managed to infect the router devices with their malicious implant. It is likely that\r\nthey gained access to these devices by either scanning them for known vulnerabilities or targeting devices that\r\nused default or weak and easily guessable passwords for authentication. Our findings not only contribute to a\r\nbetter understanding of the Camaro Dragon group and their toolset, but also to the broader cybersecurity\r\ncommunity, providing crucial knowledge for understanding and defending against similar threats in the future.\r\nNot only TP-Link\r\nThe discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices\r\nand vendors may be at risk.\r\nWe hope that our research will contribute to improving the security\r\nposture of organizations and individuals alike. In the meantime, remember to keep your network devices updated\r\nand secured, and beware of any suspicious activity on your network.\r\nProtecting Your Network\r\nThe discovery of Camaro Dragon’s malicious implant for TP-Link routers highlights the importance of taking\r\nprotective measures against similar attacks. Here are some recommendations for detection and protection:\r\nSoftware Updates\r\nRegularly updating the firmware and software of routers and other devices is crucial for patching\r\nvulnerabilities that attackers may exploit.\r\nDefault Credentials\r\nChange the default login credentials of any device connected to the internet to stronger passwords and use\r\nmulti-factor authentication whenever possible. Attackers often scan the internet for devices that still use\r\ndefault or weak credentials.\r\nUse Check Point Products\r\nCheck Point’s network security solutions provide advanced threat prevention and real-time network\r\nprotection against sophisticated attacks like those used by the Camaro Dragon APT group. This includes\r\nprotection against exploits, malware, and other advanced threats. Check Point’s Quantum IoT Protect\r\nautomatically identifies and maps IoT devices and assesses the risk, prevents unauthorized access to and\r\nfrom IoT/OT devices with zero-trust profiling and segmentation, and blocks attacks against IoT devices.\r\nManufacturers can do better to secure their devices against malware and cyberattacks. New regulations in the US\r\nand in Europe require vendors and manufacturers to ensure that devices do not pose risks to users and to include\r\nsecurity features inside the device.\r\nCheck Point IoT Embedded with Nano Agent® provides on-device runtime protection, enabling connected devices\r\nwith built-in firmware security. The Nano Agent® is a customized package which provides the top security\r\ncapabilities and prevents malicious activity on routers, network devices and other IoT devices. Check Point IoT\r\nNano Agent® has advanced capabilities of memory protection, anomaly detection, and control flow integrity. It\r\noperates inside the device, and serves as a frontline to secure IoT devices.\r\nSource: https://blog.checkpoint.com/security/check-point-research-reveals-a-malicious-firmware-implant-for-tp-link-routers-linked-to-chinese-apt-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/security/check-point-research-reveals-a-malicious-firmware-implant-for-tp-link-routers-linked-to-chinese-apt-group/"
	],
	"report_names": [
		"check-point-research-reveals-a-malicious-firmware-implant-for-tp-link-routers-linked-to-chinese-apt-group"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-18T02:00:03.393464Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"BRONZE PRESIDENT",
				"Earth Preta",
				"Polaris",
				"HoneyMyte",
				"Red Lich",
				"TEMP.HEX",
				"TA416",
				"Stately Taurus"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-18T02:00:04.60568Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-18T02:00:03.676116Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-18T02:00:04.735386Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-18T02:00:05.145684Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776219790,
	"ts_updated_at": 1776478952,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a394422ecb58c671d173ba585c9aed047d7462f4.pdf",
		"text": "https://archive.orkl.eu/a394422ecb58c671d173ba585c9aed047d7462f4.txt",
		"img": "https://archive.orkl.eu/a394422ecb58c671d173ba585c9aed047d7462f4.jpg"
	}
}