{
	"id": "1b7f5bc3-954f-4451-983b-436ab89670b4",
	"created_at": "2026-04-06T00:11:55.490333Z",
	"updated_at": "2026-04-10T03:36:33.636227Z",
	"deleted_at": null,
	"sha1_hash": "a7efa41fdf79c81fae7273dd6f992203b13d4d4c",
	"title": "Mustang Panda’s PlugX new variant targetting Taiwanese government and diplomats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 763205,
	"plain_text": "Mustang Panda’s PlugX new variant targetting Taiwanese government and diplomats\r\nPublished: 2023-12-11 · Archived: 2026-04-05 17:53:36 UTC\r\nThe Lab52 team has analysed a cyber campaign in which attackers deploy a new variant of the PlugX malware. Both the infection chain and the various artefacts used in the cyberattack share multiple similarities with the SmugX campaign, attributed to the threat actors Red Delta and Mustang Panda, allegedly linked to the Chinese government.\r\nThis time, the actors deploy an MSI file on victim machines containing a legitimate executable (OneNotem.exe), a malicious DLL (msi.dll) and a DAT file (NoteLogger.dat). The legitimate executable loads the malicious DLL via DLL side-loading, and the malicious DLL decrypts the DAT file, which is the PlugX malware, and loads it into memory. However, this new campaign shows variations compared to previous campaigns. The main differences are:\r\nThe malicious DLL is written in the Nim programming language.\r\nThis new variant uses its own implementation of the RC4 algorithm to decrypt PlugX, unlike previous versions, which use the Windows Cryptsp.dll library.\r\nKillchain\r\nThe installer file 45dd12.msi contains the files msi.dll, NoteLogger.dat and OneNotem.exe and, on user execution, it copies them to the directory “C:\\UsersersuserAppData”.\r\nhttps://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/\r\nPage 1 of 9\r\nRight after, the MSI file copies OneNotem.exe to one of the following folders:\r\nC:\\Users\\\u003cusername\u003e\\VirtualFile\r\nC:\\Users\\Public\\VirtualFile\r\nC:\\Users\\\u003cusername\u003e\\SamsungDriver\r\nC:\\Users\\Public\\SamsungDriver\r\nC:\\Users\\Public\\SecurityScan\r\nIn order to obtain persistence on the infected machine, the registry value “OneNote Update” is added under “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”, which executes the legitimate OneNotem.exe binary followed by a numeric parameter.\r\nThe malware then creates the OneNotem.exe process, which first contacts www.google.com to check whether the computer has an internet connection and then contacts the C2 domains ivibers[.]com and meetvibersapi[.]com. The OneNotem.exe process also creates a mutex to prevent the execution of a second instance.\r\nMoving forward, Lab52’s team has analysed each of the artefacts contained in the MSI file to discern their specific roles or purposes.\r\nMSI.DLL\r\nThis DLL contains two malicious functions, the NimMain function and the MsiProvideQualifiedComponentW function.\r\nThe DllMain function has been modified to add the call to NimMain, which is executed when the library is loaded by the OneNotem.exe process. This loads the functions necessary for the execution of the malware. This technique is used to reduce the number of exported functions, making the analysis and possible detection of the malicious library more difficult.\r\nWhen the legitimate executable calls the MsiProvideQualifiedComponentW function, it loads the NoteLogger.dat file with the CreateFileW function.\r\nThe malware then copies the contents to a memory section and uses the RC4 algorithm with the key EtFOWV4hDJf6DA6W to decrypt a DLL contained in the NoteLogger.dat file, which is a PlugX malware variant.\r\nFinally, the DLL is executed from offset 0x00 of the memory page where it resides, using the EnumSystemGeoID callback.\r\nNoteLogger.dat\r\nThis file contains an encrypted malicious DLL, a PlugX variant, with a small shellcode at offset 0x00 that calls the only function the DLL exports. The execution of this shellcode is indispensable for the correct execution of the malicious DLL.\r\nThe malware decrypts the configuration, which is located in the “.data” section, similar to other samples from the SmugX campaign.\r\nThe following is the deciphered configuration.\r\n{\r\n \"str_one\": \"\",\r\n \"str_two\": \" 2txQe5PD\",\r\n \"campaign_id\": \"tw\",\r\n \"document_name\": \"郭台銘選擇賴佩霞為總統副手深層考量.pdf\",\r\n \"ips\": [\r\n {\r\n \"ip\": \" ivibers.com\",\r\n \"port\": 443,\r\n \"is_https\": 1\r\n },\r\n {\r\n \"ip\": \" ivibers.com\",\r\n \"port\": 443,\r\n \"is_https\": 1\r\n },\r\n {\r\n \"ip\": \" meetvibersapi.com \",\r\n \"port\": 443,\r\n \"is_https\": 1\r\n }\r\n ]\r\n}\r\nDecoy PDF\r\nThe name and content of the lure used by the attackers seem to indicate that the targets of this campaign are no different from those seen so far in the SmugX campaign (diplomats and government entities). The lure uses the upcoming Taiwanese presidential election in January 2024 to capture the interest of its victims. The document refers to Terry Gou’s announcement in September this year declaring his independent candidacy for Taiwan’s presidential election, with Lai Peixia as his running mate.\r\nTerry Gou – who was founder and CEO of the Taiwanese multinational electronic components company, one of the largest suppliers to the United States, Europe and Japan and part of the semiconductor manufacturing cluster along with TSMC or MediaTek – is running to bring down the current Taiwanese government, to reduce geopolitical tension and to stabilise the situation.\r\nLai Peixia is a singer, activist and politician with dual US-Taiwanese citizenship known for defending human rights. It seems that the attackers have used a decoy that addresses an event of high interest to political, diplomatic and governmental figures in Taiwan, namely the presentation of the presidential candidacy of Terry Gou and Lai Peixia. It is particularly relevant because of the links these two political figures have with the Western bloc, the effect their presidency could have on Taiwan’s trade relations with China, the United States, Europe and Japan, and their impact on the technology race in both blocs.\r\nDecoy PDF: Kuo’s in-depth considerations for choosing Lai Peixia as presidential VP.pdf\r\nIndicators of Compromise\r\nc7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1\r\n651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859\r\n908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8\r\nc6ef220d0c6e9015bdfb7977ff15e7f2c4c0dbfcd3b28ffb3066fe6d21251322\r\n8af3fc1f8bd13519d78ee83af43daaa8c5e2c3f184c09f5c41941e0c6f68f0f7\r\n45dd12.msi\r\nmsi.dll\r\nNoteLogger.dat\r\n郭台銘選擇賴佩霞為總統副手深層考量.pdf\r\nivibers[.]com\r\nmeetvibersapi[.]com\r\nSource: https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/"
	],
	"report_names": [
		"mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats"
	],
	"threat_actors": [
		{
			"id": "2ff375ef-7859-4d44-9399-06c9d1d9359c",
			"created_at": "2023-07-11T02:00:10.063244Z",
			"updated_at": "2026-04-10T02:00:03.367017Z",
			"deleted_at": null,
			"main_name": "SmugX",
			"aliases": [],
			"source_name": "MISPGALAXY:SmugX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7efa41fdf79c81fae7273dd6f992203b13d4d4c.pdf",
		"text": "https://archive.orkl.eu/a7efa41fdf79c81fae7273dd6f992203b13d4d4c.txt",
		"img": "https://archive.orkl.eu/a7efa41fdf79c81fae7273dd6f992203b13d4d4c.jpg"
	}
}