{
	"id": "d64a7478-aa27-4896-9c77-d29501c51353",
	"created_at": "2026-04-06T00:21:02.548334Z",
	"updated_at": "2026-04-10T03:37:23.956185Z",
	"deleted_at": null,
	"sha1_hash": "c7b2ef2c10ae018b5a9095f72147bc489922b96c",
	"title": "Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 14775184,
	"plain_text": "Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit\r\nPublished: 2024-09-03 · Archived: 2026-04-02 12:26:47 UTC\r\n\r\nThe ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta, among other monikers), has been consistently deployed against government organizations, mainly in Southeast and East Asia, for cyber espionage.\r\n\r\nRecently, this malware has resurfaced, likely targeting attendees of the 2024 International Institute for Strategic Studies (IISS) Defence Summit in Prague.\r\n\r\nThis campaign illustrates how cyber espionage and international strategy often intertwine as nations seek to infiltrate sensitive security and defense discussions to gain a strategic edge amid global conflicts, from the Russia-Ukraine war to rising tensions in the South China Sea.\r\n\r\nWhile combing through files on Hatching Triage, one name stood out, prompting us to investigate further and share our findings in this article.\r\n\r\nThis blog post will explore our findings, including the malware's execution techniques, capabilities, and the command and control (C2) infrastructure that facilitates its operations.\r\n\r\nThe IISS Defence Summit: An Attractive Target for Cyber Espionage\r\n\r\nThe IISS Prague Defence Summit, scheduled for November 8-10, 2024, is a new event modeled after the successful Shangri-La and Manama Dialogues. The summit is poised to become a central forum for discussing defense and security within the Euro-Atlantic region.\r\n\r\nAttendees include senior political leaders, defense ministers, policymakers, and industry executives from Europe, the United States, and allied nations. Discussions include defense capacity-building, strategic stability, and emerging threats.\r\n\r\nThis summit is a prime target for cyber espionage due to the participation of high-level officials discussing sensitive issues like military strategy, defense cooperation, and responses to geopolitical tensions. Accessing these discussions offers adversaries a strategic edge by exposing major global players' defense plans and policies.\r\n\r\nFile Discovery In Triage \u0026 ANY.RUN\r\n\r\nDuring routine analysis on Hatching Triage, we discovered an executable file, \"IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024 ).exe,\" uploaded on 16 August. Given its relevance to an upcoming high-profile event, we decided to investigate further.\r\n\r\nhttps://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit\r\nPage 1 of 14\r\n\r\nFigure 1: Hatching Triage Sandbox Analysis of suspicious EXE (Source/Link: Triage)\r\n\r\nTo further solidify our suspicions, a review of the PCAP containing network traffic confirmed the malware communicating with its C2 server using the familiar magic bytes 17 03 03. These bytes often appear in posts and reports as indicators of Toneshell and PubLoad activity.\r\n\r\nWe found the same executable file on ANY.RUN, where it exhibited similar TTPs.\r\n\r\nFigure 2: ANY.RUN analysis of the IISS-themed executable. (Source/Link: ANY.RUN)\r\n\r\nDecoy Document Analysis\r\n\r\nBefore diving into the malware itself, let’s first examine the decoy PDF used in this attack. Upon extracting the archive, the user is presented with two folders: Annex 1 and Annex 2.\r\n\r\nThe first folder contains the executable file mentioned above, while the second contains the document seen in Figure 3, titled “Annex 2 - IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024) - Copy.pdf.”\r\n\r\nFigure 3: Document posing as an agenda for the upcoming IISS Defence Summit\r\n\r\nThe PDF is an exact copy of a legitimate document available on the IISS official website, with only its name altered. This tactic is designed to reassure the target by displaying a genuine agenda for the summit, reducing suspicion while the malware silently operates in the background.\r\n\r\nUncovering Malware Behavior and Execution\r\n\r\nAs previously mentioned, the extracted ZIP file reveals two folders. We’ll now turn our attention to the suspicious file that caught our eye.\r\n\r\nFigure 4: Annex 1 \u0026 2 folders after extracting the zip contents\r\n\r\nInside the Annex 1 folder (Figure 5), we see a file name matching the one we found in Triage. For the keen-eyed, you may have noticed the file type is \"Shortcut to MS-DOS Program,\" which suggests it is a program information file (PIF).\r\n\r\nFigure 5: PIF-file masquerading as IISS agenda file\r\n\r\nPIF files are shortcuts designed to provide metadata, like a config file, for MS-DOS programs. However, threat actors can use them as an alternative to .exe files to execute malicious code.\r\n\r\nThe PIF file acts as a dropper, as we’ll soon see, and is signed by “Hefei Nora Network Technology Co.” A screenshot of the code signing certificate is below.\r\n\r\nFigure 6: Codesigning certificate used for the malicious PIF-file\r\n\r\nAnalyzing the file in VirusTotal reveals the PIF-file has two aliases: fhbemb.exe and SFFWallpaperCore.exe. This file also contains a PDB path of:\r\nG:\\CLIENT\\fhbemb\\src\\bin\\Release_NL\\fhbemb.pdb\r\n\r\nIn our research, we were unable to locate information suggesting either of the above file names (fhbemb.exe and SFFWallpaperCore.exe) is a legitimate Windows program.\r\n\r\nAn April 2024 blog post by secrss uncovered a suspected APT-Q-27 (aka Golden Eye Dog, Dragon Breath) operation that also used ‘fhbemb.exe’ to side load ‘libemb.dll’ to execute a modified version of Gh0st RAT. Sophos has also previously reported similar DLL sideloading techniques by this group. Figure 7 illustrates the malware execution flow as detailed in the Secrss post.\r\n\r\nFigure 7: Secrss attack process diagram using similarly named files (Source: Secrss)\r\n\r\nReturning to the malicious PIF: upon execution, it checks for the presence of the FFWallpaperCore directory in C:\\ProgramData. If the directory is absent, it drops SFFWallpaperCore.exe and libemb.dll; the check is likely a way to verify whether the system has already been compromised.\r\n\r\nPersistence is established by adding a registry run key and creating a scheduled task.\r\n\r\nRegistry run key:\r\ncmd.exe /C schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR \"C:\\ProgramData\\FFWallpaperCore\\SFFWallpaperCore.exe FFWallpaper\"\r\n\r\nCreation of scheduled task:\r\nschtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR \"C:\\ProgramData\\FFWallpaperCore\\SFFWallpaperCore.exe FFWallpaper\"\r\n\r\nThe overall execution flow (Figure 8) follows a rather standard pattern commonly seen in malware operations.\r\n\r\nFigure 8: PIF event flow (Created using Lucidchart)\r\n\r\nlibemb.dll, written in C++, is signed by the same company as the EXE, but, as shown in Figure 9, the certificate is not trusted.\r\n\r\nFigure 9: Untrusted codesigning certificate for libemb.dll\r\n\r\nThe DLL contains unique debug strings, which have become a hallmark of Mustang Panda malware. Within the file, we found two references to Twitter/X accounts: @Rainmaker1973 and @techyteachme, the latter belonging to Zack Allen, who also runs a great Detection Engineering newsletter if you’re interested.\r\n\r\nFigure 10: Unique strings including the X account name for Zack Allen. Also notice the string before “buitengebieden,” which is Dutch for “outlying areas.”\r\n\r\nFigure 11: Debug strings for X user Rainmaker1973\r\n\r\nA network connection is established with the C2 server at 103.27.108[.]14 on port 443. The traffic uses raw TCP but mimics TLS to evade detection. This approach has been observed in multiple reports on Mustang Panda activity, specifically linked to ToneShell and PubLoad malware.\r\n\r\nBelow is a PCAP screenshot from the initial communication with the C2 server.\r\n\r\nFigure 12: Request header containing the magic bytes “17 03 03”\r\n\r\nNetwork Infrastructure\r\n\r\nThe command and control server is hosted on Topway Global Limited’s ASN in Hong Kong, with ports 80, 443, and 3389 accessible. Interestingly, the IP briefly presented a self-signed RDP certificate at the start of August, carrying the common name “WIN-USLKI5BA743.”\r\n\r\nUsing RDP certificates has been a reliable method for tracking Mustang Panda’s infrastructure in the past, but recent variations suggest the threat actors are aware of this detection technique and are adjusting accordingly.\r\n\r\nThis particular certificate was issued on Wednesday, August 25, 2021, at 03:36:30—a detail that may prove significant in our investigation.\r\n\r\nBelow is a screenshot from Hunt showing this certificate, along with historical TLS data, to aid in identifying related activity.\r\n\r\nFigure 13: SSL History data in Hunt showing the short-lived RDP certificate\r\n\r\nWith no additional domains or certificates to pivot on, we turn to Hunt's Advanced Search feature to identify servers using the same certificate, focusing specifically on the 'Not Before' date and time.\r\n\r\nBy applying the query shown in Figure 14, we narrowed the results to just seven servers—suggesting a potential link to the associated infrastructure. Notably, three of these servers were first observed only a few days ago, indicating recent and potentially active use at the time of writing.\r\n\r\nFigure 14: Results of the search for servers hosting RDP certificates bearing the same not before date\r\n\r\nIPs sharing the same certificate:\r\n\r\nIP Address | ASN | Location\r\n43.246.209[.]139 | Topway Global Limited | HK\r\n45.115.236[.]142 | Topway Global Limited | HK\r\n45.115.236[.]143 | Topway Global Limited | HK\r\n103.27.109[.]52 | Topway Global Limited | HK\r\n103.27.109[.]206 | Topway Global Limited | HK\r\n103.43.16[.]65 | Topway Global Limited | HK\r\n137.220.251[.]44 | Topway Global Limited | JP\r\n\r\nAs shown in the table above, nearly all the IP addresses reside on the same ASN as the C2 server, with one exception. Additionally, the proximity of these IPs to each other strengthens our assessment that these servers may be controlled by the same threat actor or group and hosted within a similar or adjacent range to maintain operational control and flexibility.\r\n\r\nNotably, the C2 IP has not yet been flagged as malicious by any vendors on VirusTotal.\r\n\r\nFinal Thoughts\r\n\r\nWhile sandbox runs and dynamic analysis of the malware did not reveal the specific objectives of the threat actors once they gained access to infected systems, we can hypothesize that targeting a defense summit suggests an intent to gather intelligence on sensitive discussions.\r\n\r\nTo mitigate such threats, Hunt recommends conducting regular phishing awareness exercises for all users, closely verifying email senders and domain names before downloading files, and deploying an endpoint detection and response solution to identify malicious execution patterns.\r\n\r\nIf you’d like to stay ahead of threats like those uncovered in this post, request a demo today to see how our tools can enhance your defenses.\r\n\r\nNetwork Observables\r\n\r\nIP Address | ASN | Ports | Certificate Common Name | Notes\r\n103.27.108[.]14 | Topway Global Limited | 80, 443, 3389 | WIN-USLKI5BA743 | C2\r\n\r\nHost Observables\r\n\r\nFile Name | SHA-256 Hash | Notes\r\nIISS Prague Defence Summit 2024.zip | 1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34 | Lure document\r\nAnnex 1 - IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024).pif | 057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d | Legit, modified executable meant to trick users. Drops a PE and DLL containing ToneShell.\r\nAnnex 2 - IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024) - Copy.pdf | 901d713d4d12afbcee5e33603459ebc638afd6b4e2b13c72480c90313b796a66 | Decoy PDF document.\r\nSFFWallpaperCore.exe | 057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d | Dropped immediately upon execution of Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024).pif\r\nlibemb.dll | f8e130e5cbbc4fb85d1b41e1c5bb2d7a6d0511ff3b224eb3076a175e69909b0d | Dropped immediately upon execution of Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024).pif\r\n\r\nSource: https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit"
	],
	"report_names": [
		"toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5abbd961-c51b-45e2-9632-e94e48a051b0",
			"created_at": "2026-01-22T02:00:03.673383Z",
			"updated_at": "2026-04-10T02:00:03.924422Z",
			"deleted_at": null,
			"main_name": "DragonBreath",
			"aliases": [
				"Golden Eye Dog",
				"APT-Q-27,"
			],
			"source_name": "MISPGALAXY:DragonBreath",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7b2ef2c10ae018b5a9095f72147bc489922b96c.pdf",
		"text": "https://archive.orkl.eu/c7b2ef2c10ae018b5a9095f72147bc489922b96c.txt",
		"img": "https://archive.orkl.eu/c7b2ef2c10ae018b5a9095f72147bc489922b96c.jpg"
	}
}