{
	"id": "9d397ded-055b-4c59-9473-098e80f00cdf",
	"created_at": "2026-04-06T00:08:28.171876Z",
	"updated_at": "2026-04-10T03:36:33.570632Z",
	"deleted_at": null,
	"sha1_hash": "df3419b829a5823c1ced56bcb5ba2251ba9af7de",
	"title": "Hitching a ride with Mustang Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5302831,
	"plain_text": "Hitching a ride with Mustang Panda\r\nBy Threat Research Team\r\nArchived: 2026-04-05 15:35:49 UTC\r\nAvast discovered a distribution point where a malware toolset is hosted, but also serves as temporary storage for\r\nthe gigabytes of data being exfiltrated on a daily basis, including documents, recordings, and webmail dumps\r\nincluding scans of passports from Asian, American and European citizens and diplomats applying for Burmese\r\nvisas, from Burmese human rights activists and Burmese government institutions.\r\nWe recently came across a peculiar sample – a stager we believe is being used by Mustang Panda. The stager led\r\nus to the group’s distribution point, where we found malicious toolsets. We have analyzed the malware and were\r\nable to see relations between various campaigns that have been described by other cybersecurity firms over the\r\ncourse of the last years. Based on publicly published research and our own investigations, we can say with high\r\nconfidence that the modus operandi and the malicious toolset show a strong link to a group related to Mustang\r\nPanda, which has previously been reported as a Chinese APT group. The group has been known for gathering\r\nintelligence on Mongolia, and further Asian countries, and most recently was suspected of targeting European\r\nentities.\r\nThe distribution point, an FTP server, is also used as a transition point for exfiltrated victim data, before the data is\r\nmoved to an unknown location. We continue to observe new data being uploaded and moved from the point,\r\nmeaning the campaign is still active, and has been going on for some time. Gigabytes of data are moved around,\r\nand the amount of data indicates severe compromise of many high-profile targets in Myanmar. 
The data types\r\ninclude various office documents and PDFs, stolen browser profiles, webmail dumps and even sound recordings.\r\nBrowsing profiles were also extracted which can provide access to other infrastructures, services, and private data\r\nof the victims. Most of the stolen data seems to be in Burmese making it challenging to analyze. The sensitive data\r\nis mainly being collected from devices used by the Myanmar government, state administration, police, army,\r\nsignificant public organizations, or companies, and includes data related to diplomatic meetings, court hearings,\r\nmilitary information, contracts and more.\r\nDisclaimer: We have only seen partial snapshots of the exfiltrated data as they are deleted shortly after being\r\nmoved from the distribution point, so it should be noted that the information we have on victims may be inaccurate\r\nor incomplete. Most of the documents are in Burmese, therefore, a language barrier has also to be taken into\r\naccount. Finally, due to the limited scope and the sheer volume of the data, some assumptions had to be made\r\nduring the research process. We have reached out to local CERTs, informing them of our findings.\r\nVictimology\r\nNearly all of the victims have close ties to Myanmar and it seems that both the Burmese government and\r\nopposition groups are being targeted. We have seen data originating from various departments of several Burmese\r\nministries. Even the Office of the State Administrative Council has been targeted. 
The government breach is not\r\nisolated to Myanmar – we have also seen Myanmar embassies among targets, for example, the embassy in Serbia.\r\nhttps://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/\r\nPage 1 of 25\n\nThe data also contained dumps of a mailbox used to communicate in 2016 and 2017, as well as in 2020 with visa\r\napplicants from all around the world. These messages contained scans of passports from citizens and diplomats\r\nfrom various countries, such as China, Australia, Czech Republic, France, Israel, Netherlands, UK, and USA.\r\nAfter such an extensive list of targets, it ought to be little surprise that Myanmar Police Force is also among the\r\ntargets. Even some higher profile departments, such as the Office of the Information Police Chief or the\r\nDepartment of Special Investigation, seem to have been breached. Tatmadaw (Myanmar Armed Forces) is also not\r\nan exception – we have seen victims from the Bureau of Air Defense, Myanmar Army Engineering, and the\r\nUnited Wa State Army.\r\nPolitical NGOs and the government’s opposition are also on the list of victims. It is possible that the list is even\r\nmore extensive as we may not be able to find a straightforward association to said organizations as we would\r\nexpect more common usage of personal computers or computers that are not centrally maintained by an IT\r\ndepartment. We have seen data from devices belonging to the Karen National Union, Center for Diversity and\r\nNational Harmony, National Reconciliation and Peace Centre, Ethnic Nationalities Affairs Center, and even the\r\nUnion Civil Service Board.\r\nExfiltrated Data \r\nThe most common file types being exfiltrated by the group are Microsoft Office documents (.docx, .xlsx, .pptx,\r\netc.), PDF documents, and plain text files. 
Other file types exfiltrated include audiovisual data in various forms,\r\nincluding sound recordings (.mp3), and pictures (.jpg, .png, etc.) or drawings. Emails, including entire\r\nconversations, are also exfiltrated.\r\nIt appears that the attackers are also looking for and collecting data from browser profiles from various web\r\nbrowsers, e.g. Chrome, Firefox, Opera, and more, a serious threat to victims’ privacy. The stolen browser profiles\r\ncan provide access to other infrastructures, services, and the victims’ private data. The attackers are\r\nextracting information about browsing history, stored credentials (personal and work), credit cards, used tokens,\r\nand valid cookie sessions. Consequently, poorly secured services, such as services without two-factor\r\nauthentication or without a safe cookie policy, can be easily abused by attackers. Attackers can steal the identity of\r\nvictims and can use their email, Facebook, Telegram, or other accounts to collect additional information about the\r\nvictim and their family, friends, and activities.\r\nHighly sensitive data is being collected from victims’ computers, and, in most cases, these are computers used by\r\nthe Myanmar government, state administration, police, army, significant public organizations, or companies. This\r\nin some cases included sensitive data and information belonging to international citizens and diplomats who have\r\ninteracted with targeted departments.\r\nThe volume of documents and audiovisual data being exfiltrated by the group is massive. The files include everything from:\r\nEmail dumps including visa applications and scans of passports belonging to citizens and diplomats from\r\nvarious countries, such as China, Australia, Czech Republic, France, Israel, Netherlands, UK, and USA\r\nA seating plan for the meeting between former US Ambassador to the United Nations Bill Richardson and\r\nMyanmar’s leader, Senior Gen. 
Min Aung Hlaing \r\nMyanmar’s constitution with proposed changes\r\nInvitations for diplomatic meetings, meeting programs, calls, and talking points\r\nReports, maps, and screenshots from the Signal messaging app related to the UWSA (United Wa State\r\nArmy)\r\nData from the Office of the Chief of Myanmar Air Defense Force, including meeting minutes, full\r\nstaff/rank lists, photo IDs (some with fingerprints), salaries, personal details of employees’ families\r\nPeace treaty documents\r\nInterrogation reports\r\nContracts\r\nCourt hearings\r\nTown plans\r\nContact information for police officers, including their names, addresses, telephone numbers, and salaries\r\nTranscripts of meetings around politics, and elections\r\nMeeting minutes and audio recordings of meetings between Myanmar senior officials (Prime minister,\r\nChairman of State Administrative Council) and the President of Tatarstan\r\nMilitary building drawings, including munitions storage, oil storage and aerial photos of proposed sites \r\nInternational banking records and transfers from supporters to a refugee group\r\nTies to known campaigns\r\nSince getting our hands on the distribution point, we have established links between known campaigns already\r\npublicly reported and what we have discovered. This gives us clues as to how resourceful the group may be and\r\nwill also help us assess its modus operandi.\r\nWe have found files strongly resembling (or even matching) samples and their relations described in a blogpost by\r\nESET around the Korplug variant dubbed Hodur. The campaign they described was targeting various government\r\norganizations in Mongolia, Vietnam, and Myanmar, along with politically-oriented NGOs. 
This is in alignment\r\nwith the victimology of the stolen data we have seen on the distribution point. Hodur was attributed to the\r\nMustang Panda group. The related part of the uncovered toolset we analyzed also contained a USB launcher\r\nwritten in Delphi, similar to the one seen accompanying the Hodur variant of Korplug analyzed by ESET. This\r\ninstaller is responsible for firing up the infection chain leading to a variant of Korplug RAT.\r\nWe have also found similarities to operations attributed to LuminousMoth both in structure and purpose. For\r\ninstance, we have seen a very similar structure to the one described in Bitdefender’s research on the\r\nLuminousMoth group. Namely, the usage of the same binaries for sideloading, same pattern for exfiltration –\r\nusing RAR for collection and a sideloaded library for exfiltration via Google Drive. Perhaps the most common\r\npattern was the usage of a USB launcher written in Delphi that was attributed to Mustang Panda, which was also\r\ndescribed in Bitdefender’s research.\r\nIn some cases, we have seen some unreliable links to older campaigns such as Operation NightScout, a rather old\r\nKMPlayer supply-chain attack, or Operation Harvest. Namely, binaries used for sideloading or names of\r\nencrypted payloads matched the ones used in these old campaigns. Nevertheless, the specific payloads differ\r\nsignificantly, so while some of these were attributed to Mustang Panda, the similarity could also be coincidental.\r\nThe storage we have discovered contains many archives with various tools to be downloaded by infected victims.\r\nWe will use names of these archives to impose basic structure on the data we have found. It is worth noting that\r\nthese names are partially consistent in successive versions. 
For instance, we have found an archive KKL which\r\nwas later on accompanied by another version with a slightly different configuration called KKL1.\r\nSome archives contained complete toolsets, whereas others only had single purpose tools in them that were meant\r\nto be used in connection with other tools; for instance, one contained a keylogger that obviously lacked any\r\nexfiltration functionality. This provides a strong indication that the tools are intended to be used modularly. We\r\nwill build upon that and first talk about the usual Mustang Panda theme – Korplug. Then we’ll get to the more\r\nspecific tools and end with the single purpose tools. Notably, nearly all the tools, aside from Korplug, its loaders,\r\nand Delphi installers, haven’t been described before. The RAT written in Go (JSX) or the modular backdoor\r\n(U5_2) deserve an extra mention due to their complexity.\r\nFrom the data we have seen, we conjecture that the main exfiltration tools are variants of tools contained in\r\narchives named GDU, which use Google Drive for the exfiltration. Since we haven’t seen any exfiltration tool that\r\nuses the distribution point directly and the path on the server of exfiltrated files contains gd, we presume that the\r\nresponsible group uses some other tools to move files from various Google Drives to the distribution point we\r\nsaw.\r\nA brief look at the toolsets brings up another interesting fact: almost all the files show approximately (up to a few\r\ncases within seconds) a seven or eight hour offset between the compilation timestamp and the “last modified”\r\ntimestamp of the file itself. Since the compilation timestamp is usually in UTC and the archives use the local time\r\nfor the contents’ last modification date, this places us at UTC-8 and UTC-7. Therefore, we presume that the build\r\nsetup operated in a time resembling Pacific Standard Time (PST) and Pacific Daylight Time (PDT), used on the\r\nWest Coast of the United States. 
There are a few caveats – SE3 and SE4 contain files that were compiled on\r\nNovember 1, 2021 and still have an eight hour offset even though none of the countries using PST/PDT transitions\r\nto PST that early (both USA and Canada transition to PST a few days later).\r\nThere is also a file with an obviously spoofed compilation timestamp. HT3 contains a DLL Vender.dll whose\r\ncompilation timestamp dates more than a month after the last modification date. This further weakens hypotheses\r\nthat build upon timestamp offsets. Unfortunately, we have no further leads explaining this outlier. The latest\r\nversion of the uploader (multiUpload.exe), whose usage was spotted at the beginning of June, has a compilation\r\ntimestamp of January 3, 2020. This is also very likely spoofed as analyses of the previous versions of this tool\r\nshow clear evolution and, according to their respective timestamps, they were all compiled in April 2021. Not to\r\nmention that the corresponding infrastructure was only created at the end of May 2022.\r\nThe folder /pub/god, which contained the toolset archives, was removed on June 25, 2022. On the same day, a new\r\nfolder /pub/god1 was created with two files to which we didn’t have read access. Two days later, the new folder\r\nwas gone and /pub/god appeared again with a subset of the original tools.\r\nVariations on Korplug\r\nThe first group of tools that we’ll introduce are various versions of Korplug. The binaries used for side-loading\r\nwere already seen before. Even though the loaders were mostly new, they were rather uninteresting. A common\r\ntheme was a Delphi binary that served as a launcher to be executed from an infected USB drive. 
As we’ve already\r\nmentioned, a similar installer was previously seen in campaigns attributed to Mustang Panda. It just executes the\r\nKorplug loader from a folder named “Kaspersky” that is on the very same USB drive. See the diagram below\r\n(based on a toolset from an archive named BMD) for more details. \r\nNote the usage of the folder name “Kaspersky” and usage of “Symantec” in the names of the executables; since\r\nthe launcher relies on social engineering tricks, it depends on a common strategy using seemingly legitimate file\r\nnames to dispel any doubts concerning the content.\r\nContents of an archive called BMD. Archive YK41 follows the same structure, with ShellselDb.dat being replaced\r\nwith hp_ui.xslbcdsj and without the Delphi launcher.\r\nThere were also simpler infection chains, containing just a signed clean binary, a loader to be side-loaded, and an\r\nencrypted Korplug. These were contained in archives WD, 127C, and 1260M. The latter interestingly used the\r\nOleView.exe binary which then side-loaded the ACLUI.dll that decrypted and executed ACLUI.DLL.UI. The same\r\nsigned binary, which surprisingly also has the same name as the encrypted payload, was used in the KMPlayer\r\nsupply-chain attack in 2013. The accompanying research was only published in Chinese, likely due to the attack\r\nbeing limited to a few devices.\r\nExfiltration toolset\r\nThe exfiltrated data on the server in the /pub/gd folder showed perfect correlation to the data produced by GDU\r\ntoolsets (GDU_OLD, GDU, GDU1, GDU2, GDU1_NEW, GDU3, GDUPIZ). These tools collect the files on the\r\nvictim’s disk, pack them into an archive whose name is prefixed with the victim’s ID and upload that archive onto\r\na Google Drive. 
We presume that the name GDU is an acronym for Google Drive Uploader. While the tools\r\nthemselves were technically rather simple, the exfiltration process and their evolution piqued our interest.\r\nThe analysis of the exfiltration process brought up several interesting observations. A few days after May 24,\r\n2022, the day we started systematically monitoring Google Drives used for the exfiltration, we started to see more\r\nfrequent token changes and new features being implemented. These features mitigated possible downtime caused\r\nby the migration to a new token. Since Google Drive has extensive logging functionality and the tokens have to be\r\npresent on the infected devices, it is only a reasonable expectation that access to these drives is monitored to some\r\nextent.\r\nOn the contrary, we have not seen such behavior with the distribution point. This could be attributed to the fact\r\nthat the distribution point is never exposed by the toolsets, which brings us to the assessment that the group\r\npresumes the distribution point to be secret or not worth monitoring.\r\nTimeline of GDU exfiltration toolsets\r\nVersion overview\r\nThe oldest version GDU uses the RAR executable to collect the data and an encrypted rar.dat to store parameters for\r\nthe RAR binary. Starting from GDU_OLD, they migrated to their own collector piz.exe (this functionality was\r\nlater moved to a DLL to be side-loaded) and retained an encrypted rar.dat where they stored their configuration.\r\nThese toolsets also rely on two optional configuration files that are backed up by hard-coded values: token.dat\r\ncontaining an encrypted token for Google Drive and time.ini that contains the last execution date along with the\r\nvictim’s ID. 
The setup and the choice of binaries for side-loading bears resemblance to the LuminousMoth\r\ncampaigns and tooling.\r\nAn archive GDU that contains a version relying on RAR instead of piz.exe for data collection.\r\nThe exfiltration process is usually handled by a variant of MyUpload.dll that is supplemented by the\r\naforementioned configuration files. Quite recently, a new version of GDU1 has appeared on the distribution point\r\n(which we’ll call GDU1_NEW) which came with its successor multiUpload.exe. multiUpload.exe eschews hard-coded tokens and makes the exfiltration process more resilient to disruptions.\r\nArchive GDU_OLD that uses its own collector piz.exe to collect potentially interesting files before the\r\nexfiltration.\r\nThe version we are calling GDU_OLD is basically the same as GDU1 and GDUPIZ, the most significant\r\ndifference being a different PE being used for side-loading. GDU1 and GDUPIZ rely on CefSub.exe and\r\nsubsequently on CefBrowser.dll instead of AtlTracetool.exe. GDUPIZ also uses a slightly different approach to\r\nexecute the file collection tool piz.exe – the version included in this folder is in fact a renamed clean binary\r\nspoololk.exe which in turn side-loads vntfxf32.dll. This malicious binary implements the file-collecting\r\nfunctionality formerly contained in piz.exe. GDU2 is basically the same as GDUPIZ.\r\nOn June 8, 2022, we saw a new GDU1 toolset on the distribution point. This time MyUpload.dll has been\r\nupgraded to provide redundancy in the exfiltration process. It no longer uses token.dat but rather uses a GitHub\r\nrepository as its source for the token. If this fails, there are two backups – one using HTTP PUT to\r\nwww.watercaltropinfo[.]com with Basic HTTP Authorization (123:123). 
The other sends the data via HTTPS\r\nPOST to m.watercaltropinfo[.]com. The collector is the same as in GDUPIZ. GDU3 uses basically the same\r\nprocess but uses a different PE for side-loading (FwcMgmt.exe).\r\nTokens\r\nA special chapter is devoted to Google Account tokens that are used in these tools, partially because our research\r\nmay have forced the group’s hand to refresh the tokens once they discovered that we knew of their Google Drives.\r\nThe fact that after each token decommission, every client had to have the token updated and that GDU toolsets do\r\nnot have any remote update functionality suggests that these toolsets have to be accompanied by other tools that\r\nprovide this update functionality. We have noticed a longer delay between the decommissioning of the token on\r\nMay 29, 2022 and the distribution of a replacement token. Its distribution coincides with the time a new\r\nversion of GDU1_NEW was released. It’s exactly this version that has introduced new functionality in the\r\nexfiltration tool, namely smoother token swapping and failsafes for cases when Google Drive exfiltration fails.\r\nTherefore, we presume that this delay was caused by the development of this new functionality.\r\nTemporal analysis of exfiltrated data\r\nWe can also have a look at the metadata of the exfiltrated archives. What is rather unsurprising are the upload\r\ntimes which closely coincide with Burmese business hours – a smaller peak in the morning and a huge peak in the\r\nafternoon. 
Note that Myanmar is in the UTC+6:30 time zone and China, presumed land of origin of Mustang Panda,\r\nis in UTC+8.\r\nWhat is more interesting are events produced by the group itself – transfers from Google Drive onto the\r\ndistribution point and deletion of files from the distribution point. The huge peak is around 18:00 MM time which\r\ncoincides with the end of the work day in Myanmar. The spread of starts of upload windows is negligible, leading\r\nus to the presumption that the transfer is automated. We have seen a few archives being placed in the wrong\r\ndirectories which could indicate that the tooling is still under development or there’s still some manual work\r\ninvolved… Usually, the files have accumulated during the day on Google Drive and were transferred to the\r\ndistribution point in the evening MM time.\r\nAs we already mentioned in the introduction of uncovered tools, we have found quite a lot of files that were\r\n“missing” something. By that we mean that on their own, they were either lacking communication functionality or\r\nimplemented some techniques that were useless without being accompanied by another payload. Interestingly,\r\nwhile these were also using side-loading, they were not relying on external encrypted files, making their execution\r\nflow straightforward with 2-point graphs. For the sake of brevity, we will list these in a table:\r\nArchive KKL contained a straightforward stealer in KBE.dll that was also hard-coded (in an encrypted form) in\r\nmscorsvc.dll from which it was unpacked after side-loading. 
The newer KKL1 was practically the same.\r\nThere are also a few standalone files such as x.ex in archive X which composes logs of registry entries (Run),\r\nservices, and scheduled tasks along with checking all signatures of executable files in %WINDIR%. Archive NB\r\ncontains nb.dat which is just the nbstat utility executable. There was also a coinminer in the archive INFO along\r\nwith its encrypted configuration file.\r\nAn interesting utility is DISK2 (and its variant DISKM); it is responsible for monitoring the system drive for any\r\nchanges. Both are accompanied by a configuration file that defines which files are of interest and where such files\r\nshould be copied to. It also notifies its C\u0026C server about these files via an encrypted message over HTTP. There is\r\nalso a version of this tool named MF20211228 that does not contain any configuration file and does not copy files\r\nanywhere; it just sends messages to the C\u0026C server.\r\nContents of an archive DISK2. This toolset is responsible for monitoring the system drive for any changes in files\r\ndefined by its configuration.\r\nOddballs in the collection\r\nJSX\r\nJSX archives (JSX86 and newer JSX861 for the 32 bit version and JSX64 and newer JSX641 for the 64 bit version)\r\ndeserve a separate mention as they use a rather uncommon setup; a JavaScript file is at the beginning of the chain\r\nand instead of side-loading, the respective DLL is launched as a service. mozload.dll is a RAT written in Go that\r\nuses HTTPS and websockets for its communication. 
Interestingly, the RAT uses TLS Client Authentication; see\r\nAppendix A.1 and Appendix A.2 for the private key and the certificate.\r\nThe execution flow of the packages from JSX archives.\r\nHT3\r\nHT3 simply does not fall into any of the previous categories – it is a backdoor with external configuration\r\naccompanied by a shellcode loader and a UAC bypass.\r\nExecution flow of HT3. Note that it contains both 32 bit and 64 bit versions of a UAC bypass tool.\r\nSE\r\nNow we are finally getting to a more complex setup. These archives include several versions with very similar\r\nstructures and sometimes with varying payloads. Functional changes are presented below; note that these do not\r\ninclude changes in side-loading which will be discussed later on. All versions feature a few evasion tricks that use\r\nregistry modifications to hide files and file extensions.\r\nSE3 and therefore also SE4 and SSE (which are mostly the same) use vivaldi.exe and vivaldi_elf.dll for their evasion\r\nmodule. Also, FacialFeatureDemo.exe and facesdk.dll are replaced by Symantecs.exe and LDVPOCX.OCX; the\r\nlatter integrating persistence into itself instead of having it in a separate module. Interestingly, the USB installer\r\nhas been replaced with one similar to the one in the archive BMK; a Delphi launcher that executes Symantec.cmd\r\nwhich is actually Symantecs.exe. These versions are also the only ones that have renamed 3 of 4 payload bundles\r\n(using csdkset.dat for backdoor, EdrEpmpCStorages.dat for USB installer, and PchEpmpCStorages.dat with\r\nWTSAPI32.dll). 
Confusingly, WTSAPI32.dll does not seem to be used anywhere and will be used for side-loading\r\nby later versions when the USB installer replacement is rolled back.\r\nSE6 and SE7 abuse an old Avast proxy executable wsc_proxy.exe to side-load wsc.dll which serves as the\r\ndispatcher. Aside from this change, there are no other significant changes to the functionality.\r\nThe schema of contents and the control flow of SE1. In newer versions, the persistence module is integrated into the\r\ndispatcher.\r\nU5_2\r\nThe last complex toolset that we will present is from the archive U5_2. Most of the functional code is encrypted\r\nand bundled in AtiVir.csc. With the exception of a chain to a removable drive watcher, all the parts share similar\r\nXOR keys: user_panda_%section_name%; a rather interesting choice if the toolset really belongs to Mustang\r\nPanda.\r\nAn interesting part of the toolset is a file install_.exe that reads a file from a given path, takes the serial number of\r\nthe volume where the file is located, computes an MD5 hash from the serial number and changes the first bytes of\r\nthe file to the hex-encoded computed hash value.\r\nThe schema of contents and the control flow of U5_2.\r\nServer infrastructure\r\nThe distribution point is an FTP server located in Malaysia that is accessible without a password (username\r\nanonymous, password is empty). We have also encountered a different FTP server in late 2020 containing very\r\nsimilar archives to the ones we now know contain exfiltrated data. 
Unfortunately, we did not have enough\r\ninformation to process the archives it contained. We presume that these two FTP servers were closely related or\r\nthat even the current FTP server may be a successor of the one we found previously.\r\nWe have noticed that the FTP server has stopped responding in October. Fortunately, the server itself was still\r\nalive and the distribution has migrated to using HTTP instead of FTP. They also started using HTTP\r\nAuthorization; nevertheless, they have reused a weak username:password combination (123:123). This has caused\r\na downtime of a few days in our tracking, but with a quick fix, we’ve managed to get back on track. Presumably,\r\nthis might have been another attempt to foil our tracking attempts.\r\nOur telemetry data also revealed another server in Russia. A client from Myanmar tried to download an archive\r\nXYZ from it via HTTP. Upon further inspection, the archive was found to be identical to XYZ from the\r\naforementioned FTP server. We have tried to crawl the server for archives and files we have already seen on the\r\nFTP server and found the following toolsets:\r\nThe fact that the affected client is from Myanmar, and the fact that the server contains some parts of the described\r\ntoolset strongly indicates that it is part of the same campaign. Nevertheless, since at least one archive was\r\nrenamed, we were unable to fully enumerate its contents. Similarly, we were not able to verify whether the server\r\ncontains exfiltrated data.\r\nC\u0026C infrastructure\r\nJSX RAT\r\nThe JSX RAT attempts to communicate with 103.169.90[.]132 using TLS client authentication. The certificate\r\n(see Appendix A.2) is hard-coded and we can try to use it to confirm related infrastructure. 
Looking at the server\r\ncertificate data, we see that it imitates a real hosting company.\r\nCommon name:    blue.net\r\nCity, country:   San Francisco, CA, US\r\nFingerprint (sha1): e0adf667e287b0051988dda2b85e7541d7532703\r\nSelf-signed\r\nInterestingly, the C\u0026C’s certificate had the exact same subject as the client certificate. Searching for other servers\r\nthat use the same certificate yielded a couple more servers. Furthermore, we were able to confirm that the majority\r\nof these servers are running the same C\u0026C software because they accept the RAT’s hard-coded client certificate.\r\nA server at 118.31.166[.]5 seems to be an outlier among these servers with port 4433 being exposed. Since it is the\r\noldest one using the same certificate and the server exhibits the same communication traits on that port, we\r\nsuspect that it might be a development server.\r\nTwo of these servers were open to RDP connections with a certificate that had o9c[.]pg as its CN (Common\r\nname). We tried to go further using these certificates to uncover further candidates for C\u0026Cs. The timeline of\r\nuncovered servers is below:\r\nTimeline of servers using the discovered certificates. Blue ones use a certificate with blue[.]net CN, red ones use\r\no9c[.]pg as CN, purple ones have both. 
The highlighted line corresponds to the JSX RAT C\u0026C.\r\nThese are servers using the same certificate:\r\nOverview of the servers with ties to the JSX RAT C\u0026C.\r\nThese are RDP servers sharing the same certificate as the two C\u0026Cs with an open RDP port:\r\nOther C\u0026C servers:\r\nConclusion\r\nIt is not very often that we stumble upon such a stash of samples used to distribute malware to infected devices,\r\nespecially when we are talking about tools that are strongly correlated with a notorious APT group. We have\r\nshown links to multiple previously published research reports on campaigns, based both on the tools and on the TTPs, giving us\r\nhigh confidence that the threat actor in question is Mustang Panda.\r\nThe exfiltrated data indicates that the toolsets we found were actively used around Myanmar. For\r\ninstance, we found audio recordings that corresponded to the audio recording tools we identified in the\r\narchive named AUD. Although many tools were simplistic in nature, and sometimes also in their chosen\r\nobfuscation methods, some archives contained tools which seem to deserve further analysis, be it due to their\r\ncomplexity or their technical implementation.\r\nWhat was really surprising was the sheer scale of the compromise. We have identified many high-profile\r\ngovernment targets and some opposition entities, along with a few NGOs. 
It is worth noting that, given the sheer\r\nvolume of data and the language barrier, we have only been able to associate some of the victims with a specific\r\norganization. This means that the list of targets is likely incomplete and should be considered approximate.\r\nNevertheless, the daily rate of gigabytes of exfiltrated data should be enough to give a strong hint of the scale of\r\nthe operation.\r\nAppendix\r\nC\u0026Cs\r\nCertificates and keys\r\nA.1 JSX private key\r\nA.2 JSX certificate\r\nSide-loads\r\nFile 
hashes\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"
	],
	"report_names": [
		"apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups"
	],
	"threat_actors": [
		{
			"id": "7c00086d-9535-4552-8201-1dd725e41b12",
			"created_at": "2023-04-26T02:03:03.128736Z",
			"updated_at": "2026-04-10T02:00:05.239152Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [
				"LuminousMoth"
			],
			"source_name": "MITRE:LuminousMoth",
			"tools": [
				"PlugX",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "068b67c8-604c-4272-b808-350413fa9ee3",
			"created_at": "2022-10-25T16:07:23.975708Z",
			"updated_at": "2026-04-10T02:00:04.816253Z",
			"deleted_at": null,
			"main_name": "Operation NightScout",
			"aliases": [],
			"source_name": "ETDA:Operation NightScout",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "92049df8-7902-48e8-ad17-97398b923698",
			"created_at": "2022-10-25T16:07:23.81315Z",
			"updated_at": "2026-04-10T02:00:04.757082Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [],
			"source_name": "ETDA:LuminousMoth",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46b409af-b2ea-43b8-9223-e01d982e00ce",
			"created_at": "2022-10-25T16:07:23.966265Z",
			"updated_at": "2026-04-10T02:00:04.810937Z",
			"deleted_at": null,
			"main_name": "Operation Harvest",
			"aliases": [],
			"source_name": "ETDA:Operation Harvest",
			"tools": [
				"Agent.dhwf",
				"BadPotato",
				"BleDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Impacket",
				"Kaba",
				"Korplug",
				"Mimikatz",
				"NBTscan",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"RottenPotato",
				"SMBExec",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WinRAR",
				"Winnti",
				"Xamtrav",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434108,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df3419b829a5823c1ced56bcb5ba2251ba9af7de.pdf",
		"text": "https://archive.orkl.eu/df3419b829a5823c1ced56bcb5ba2251ba9af7de.txt",
		"img": "https://archive.orkl.eu/df3419b829a5823c1ced56bcb5ba2251ba9af7de.jpg"
	}
}