BleepingComputer reports that Chinese state-sponsored advanced persistent threat operation Mustang Panda, also known as Bronze President and TA416, has leveraged the new "MQsTTang" custom backdoor in an ongoing campaign that commenced in January.
Most attacks with the new MQsTTang backdoor, delivered through spear-phishing emails, have been aimed at Ukrainian and Taiwanese government and political organizations, although other entities in Europe and Asia have also been targeted, an ESET report revealed. Researchers noted that MQsTTang, which shares no code with the group's earlier malware in a possible bid to evade detection, allows remote command execution on targeted machines and uses the MQTT protocol to communicate with its command-and-control server.
"This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group's other malware families," said ESET.
Mustang Panda's new campaign did not involve PubLoad, ToneShell, and ToneIns malware strains leveraged in an operation from March to October 2022.
Malicious GitHub pages and YouTube videos containing links to purported cracked office software, automated trading bots, and game cheats have been leveraged to facilitate the download of self-extracting, password-protected archives.
While threat actors continued to impersonate employers on job search platforms to lure software developers into an online interview followed by a BeaverTail malware compromise, more recent attacks deployed a new Qt-based version of BeaverTail capable of exfiltrating browser credentials and cryptocurrency wallet data.