Researchers have identified recent Mustang Panda activity that uses DLL side-loading to deliver PlugX. The campaign spreads a newly discovered Korplug variant that researchers have named “Hodur.” Mustang Panda has been exploiting the Russia-Ukraine geopolitical situation in its phishing lures; the campaign has been ongoing since at least August 2021 and targets ISPs, research entities, and European diplomats. Anti-analysis techniques and control-flow obfuscation are used at every stage of the deployment. A filename recently used by the threat actors is “Situation at the EU borders with Ukraine.exe.” Mustang Panda also targets East and Southeast Asian countries.
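The report describes the loader being delivered through DLL side-loading, where a DLL placed next to a legitimate executable is picked up instead of the copy in the Windows system directories. The following detection heuristic is an added example and is not code from the original report or from any named research team; the image-load log format, the `ImageLoad|<process>|<dll>` lines, the list of system DLL names and the sample paths are all constructed for illustration and are not Hodur or Mustang Panda indicators.

```python
"""Heuristic DLL side-loading detector over constructed image-load events.

Added example, not from the original report. The log format, the DLL list
and every path below are constructed placeholders, not real indicators.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed placeholder list. A defender would build this from the DLL names
# present in a clean reference host's System32 / SysWOW64 directories.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass(frozen=True)
class ImageLoad:
    process_path: str  # path of the executable that performed the load
    dll_path: str      # path of the DLL image that was mapped


def _norm(path: str) -> str:
    """Normalise a Windows path to lower-case backslash form for comparison."""
    return str(PureWindowsPath(path)).lower()


def is_system_dir(path: str) -> bool:
    return any(_norm(path).startswith(d) for d in SYSTEM_DIRS)


def sideload_reasons(ev: ImageLoad) -> List[str]:
    """Return the independent signals that make this load look like side-loading."""
    proc = PureWindowsPath(ev.process_path)
    dll = PureWindowsPath(ev.dll_path)
    reasons: List[str] = []
    # 1. A DLL that normally lives in System32 is being loaded from somewhere else.
    if dll.name.lower() in KNOWN_SYSTEM_DLLS and not is_system_dir(str(dll.parent)):
        reasons.append(f"{dll.name.lower()} loaded from outside the system directories")
    # 2. The DLL sits beside the host executable (PureWindowsPath compares
    #    case-insensitively, matching Windows semantics).
    if dll.parent == proc.parent and not is_system_dir(str(proc.parent)):
        reasons.append("DLL loaded from the host executable's own directory")
    # 3. The host executable itself runs from a user-writable location.
    if any(h in _norm(ev.process_path) for h in USER_WRITABLE_HINTS):
        reasons.append("host executable runs from a user-writable location")
    return reasons


def parse_event(line: str) -> Optional[ImageLoad]:
    """Parse one constructed 'ImageLoad|<process>|<dll>' line; None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 3 or parts[0] != "ImageLoad":
        return None
    return ImageLoad(process_path=parts[1], dll_path=parts[2])


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Flag loads that show at least two independent signals, to limit noise."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = sideload_reasons(ev)
        if len(reasons) >= 2:
            hits.append((ev.dll_path, reasons))
    return hits


# Constructed sample log: a normal system load, a vendor app loading its own
# helper DLL (one signal only), and a suspicious load matching all three signals.
SAMPLE_LOG = [
    r"ImageLoad|C:\Windows\System32\notepad.exe|C:\Windows\System32\version.dll",
    r"ImageLoad|C:\Program Files\Vendor\app.exe|C:\Program Files\Vendor\vendor_helper.dll",
    r"ImageLoad|C:\Users\victim\AppData\Local\Temp\report.exe|C:\Users\victim\AppData\Local\Temp\version.dll",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for dll_path, reasons in scan(SAMPLE_LOG):
        print(dll_path)
        for r in reasons:
            print("  -", r)
```

The two-signal threshold matters in practice: many legitimate applications ship their own DLLs next to the executable, so signal 2 alone is noisy, while a system-named DLL loaded from a temp or profile directory beside a freshly dropped executable is a much stronger combination. Real image-load telemetry (for example Sysmon event ID 7) also carries signer information, which would add a fourth signal: a signed host executable loading an unsigned DLL of a system name.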
“Mustang Panda’s campaigns frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX).” – Researchers.