Cado Security Labs has uncovered a new malware campaign targeting the Royal Thai Police, attributed to the Chinese APT group Mustang Panda. The campaign utilizes seemingly legitimate documents with FBI-related content to deliver a shortcut file that ultimately leads to the execution of the Yokai backdoor.
The attack begins with a RAR archive containing a malicious LNK (shortcut) file and a command script disguised as a PDF. The shortcut launches the legitimate Windows FTP utility (ftp.exe) and points it at the fake PDF, so that ftp.exe executes the commands embedded in it. These commands move and rename files and folders and ultimately run a trojanized version of the PDF-XChange Driver Installer.
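The chain above (an LNK launching ftp.exe with a script file that carries a document extension) is a living-off-the-land pattern that is visible in ordinary process-creation telemetry. The following detection logic is an added example written for this page, not code from Cado Security Labs' report; it runs over constructed, simplified `key=value` process events (the format, field names and sample paths are assumptions) and flags ftp.exe script-mode launches whose script file masquerades as a document or whose parent suggests a user double-clicked a shortcut.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry), written in a
# simplified key=value form loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    'ts=2024-12-10T09:01:02Z parent=explorer.exe image=C:\\Windows\\System32\\ftp.exe cmd="ftp.exe -s:C:\\Users\\u\\Downloads\\Report.pdf"',
    'ts=2024-12-10T09:05:44Z parent=cmd.exe image=C:\\Windows\\System32\\ftp.exe cmd="ftp -s:C:\\scripts\\upload.txt ftp.example.internal"',
    'ts=2024-12-10T09:07:10Z parent=explorer.exe image=C:\\Program Files\\Notepad++\\notepad++.exe cmd="notepad++.exe C:\\Users\\u\\Downloads\\Report.pdf"',
    'ts=2024-12-10T09:09:33Z parent=explorer.exe image=C:\\Windows\\System32\\ftp.exe cmd="ftp -s:invoice.pdf"',
]

EVENT_RE = re.compile(
    r'ts=(?P<ts>\S+) parent=(?P<parent>\S+) image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)
# ftp.exe's real -s:<file> switch makes it execute the commands in <file>; "/s:" is accepted too.
SCRIPT_SWITCH_RE = re.compile(r'(?i)(?:^|\s)[-/]s:(?P<path>"[^"]*"|\S+)')
# Extensions a genuine ftp command script would never carry; they indicate a decoy masquerade.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png"}
# Parents consistent with a user opening an LNK from Explorer, a mail client or an archiver.
INTERACTIVE_PARENTS = {"explorer.exe", "outlook.exe", "winrar.exe", "7zfm.exe"}


@dataclass
class Alert:
    ts: str
    script_path: str
    reasons: List[str] = field(default_factory=list)


def analyze_event(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious ftp.exe script-mode launch, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    if ntpath.basename(m["image"]).lower() != "ftp.exe":
        return None
    s = SCRIPT_SWITCH_RE.search(m["cmd"])
    if not s:
        return None  # interactive ftp without a script file is out of scope here
    path = s["path"].strip('"')
    reasons = []
    ext = ntpath.splitext(path)[1].lower()
    if ext in DOCUMENT_EXTS:
        reasons.append(f"ftp script file masquerades as a document ({ext})")
    if m["parent"].lower() in INTERACTIVE_PARENTS:
        reasons.append(f"launched by {m['parent']}, consistent with an LNK double-click")
    if not reasons:
        return None  # e.g. an admin's scripted ftp job started from cmd.exe with a .txt script
    return Alert(ts=m["ts"], script_path=path, reasons=reasons)


def analyze(lines) -> List[Alert]:
    return [a for a in map(analyze_event, lines) if a is not None]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert.ts, alert.script_path, "; ".join(alert.reasons))
```

Two of the four constructed events fire: the Explorer-launched ftp.exe reading `Report.pdf` and the one reading `invoice.pdf`. The scripted `.txt` job started from cmd.exe is left alone, which keeps the rule usable in environments that still rely on ftp.exe legitimately; tune `DOCUMENT_EXTS` and `INTERACTIVE_PARENTS` to the estate rather than alerting on every script-mode ftp.exe run.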

This trojanized executable employs advanced evasion techniques, including dynamic API call resolution and registry key manipulation for persistence. It establishes a connection with a command-and-control server and, notably, includes a geo-locking feature, specifically targeting victims in Thailand.
The campaign’s activity aligns with Mustang Panda’s tactics, techniques, and procedures (TTPs), including the use of decoy documents, shortcut files, and the targeting of government entities in Asia.
“The persistent targeting of Thailand by Chinese APT groups highlights the landscape of cyber espionage in Southeast Asia. As geopolitical tensions and economic competition intensify, Thailand remains a critical focal point for cyber operations aimed at intelligence gathering, political influence, and economic advantage,” the report concludes.