Chinese advanced persistent threat operation Mustang Panda, also known as Hive0154, has deployed the PUBLOAD and Pubshell payloads in a new cyberespionage campaign against Tibet discovered earlier this month, reports The Hacker News.
Mustang Panda distributed phishing emails with Tibet-themed lures that included a malicious archive containing a document-spoofing executable. That executable launches the Claimloader DLL, which delivers the PUBLOAD loader, which in turn retrieves Pubshell, according to an analysis from IBM X-Force. Pubshell provides a reverse shell, giving the operators immediate access to the compromised machine. These findings come weeks after another IBM X-Force report detailed Hive0154 spear-phishing attacks against government, diplomatic, and military organizations in the U.S., Pakistan, Taiwan, and the Philippines between late 2024 and early 2025. "China-aligned groups like Hive0154 will continue to refine their large malware arsenal and retain a focus on East Asia-based organizations in the private and public sectors," said IBM X-Force researchers.