Full Report
A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community. The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians' Convention on Tibet (WPCT), China's education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama,
Analysis Summary
# Threat Actor: Mustang Panda (Hive0154)
## Attribution & Identity
**Attribution:** China-linked threat actor.
**Known Aliases/Associations:** IBM X-Force tracks the actor under the name **Hive0154**. Trend Micro and Team T5 have also analyzed components used by this group. Nomenclature differences exist for the stagers/downloaders (e.g., Claimloader, NoFive).
## Activity Summary
Mustang Panda is currently engaged in a cyber espionage campaign targeting the **Tibetan community**. The operation relies on spear-phishing with Tibet-themed lures tied to political events (the 9th World Parliamentarians' Convention on Tibet, WPCT), policy topics (China's education policy in the Tibet Autonomous Region, TAR) and political figures (a recently published book by the 14th Dalai Lama). Separately, a Hive0154 sub-cluster was observed from late 2024 to early 2025 using the same spear-phishing approach against government, military, and diplomatic entities in the United States, the Philippines, Pakistan, and Taiwan.
## Tactics, Techniques & Procedures
- **Spear-phishing:** Delivery of malicious payloads via spear-phishing emails.
- **Weaponized Archives:** Malicious ZIP or RAR archives bundle seemingly benign files (Microsoft Word documents, website content, photos) with an executable disguised as a document.
- **DLL Side-loading:** Used to launch a malicious DLL, identified by IBM X-Force as **Claimloader**.
- **Payload Deployment Chain:** Claimloader deploys the first-stage downloader **PUBLOAD**, which fetches the next-stage payload **Pubshell**, a lightweight backdoor that provides a reverse shell.
- **Lures:** Exploited topical interest in Tibet (e.g., WPCT and China's education policy in TAR).
- **Command & Control:** Pubshell gives the operator immediate interactive access to the host through its reverse shell.
- **Component Similarity:** The reverse shell implementation in **Pubshell** is almost identical to that of the malware **TONESHELL**.
- **Delivery Mechanism:** In the late 2024 to early 2025 activity (United States, Philippines, Pakistan, Taiwan), the weaponized archives were hosted on **Google Drive** and fetched via links embedded in the emails.
## Targeting
- **Sectors:** Government, military, and diplomatic entities (sub-cluster activity, late 2024 to early 2025); members of the Tibetan community (the Tibet-focused campaign).
- **Geography:** The Tibet-focused campaign targeted the **Tibetan community**; the sub-cluster activity targeted the **United States, Philippines, Pakistan, and Taiwan**.
- **Victims:** Not named in the report; targets fall within government, military, and diplomatic sectors and the Tibetan community.
## Tools & Infrastructure
- **Malware Families Used:**
- **PUBLOAD:** First-stage downloader malware.
- **Pubshell:** Next-stage, lightweight backdoor providing a reverse shell.
- **Claimloader:** Custom stager (documented by Cisco Talos; IBM X-Force uses the same name for the side-loaded DLL) that deploys PUBLOAD.
- **TONESHELL:** Backdoor previously associated with the actor; Pubshell's reverse shell implementation is almost identical to it.
- **Infrastructure:**
- Payloads are fetched from a remote server (C2 addresses are not given in the report).
- Use of **Google Drive URLs** for initial file distribution.
## Implications
Mustang Panda remains an active and persistent cyber espionage actor focused on politically sensitive regions and targets significant to Chinese strategic interests (e.g., Tibet, Taiwan). The successful use of customized, multi-stage malware like PUBLOAD/Pubshell, combined with geographically and politically relevant spear-phishing lures, indicates a sophisticated, evolving capability focused on intelligence gathering against specific communities and state entities.
## Mitigations
- Enhance filtering and inspection of emails originating from unknown sources, especially those containing links to cloud storage services (like Google Drive) that drop weaponized archives.
- Block execution of unauthorized executables disguised as documents (for example, executables carrying document icons, double extensions such as .docx.exe, or whitespace-padded names that push the real extension out of view), and keep file extensions visible to users.
- Detect and block DLL side-loading, for example by alerting when a binary running from a user-writable directory loads an unsigned DLL from that same directory rather than from the Windows system directories.
- Ensure endpoint detection and response (EDR) systems are tuned to identify the signature and behavior of the PUBLOAD, Pubshell, and Claimloader malware families.
- Maintain vigilance regarding politically motivated spear-phishing, using current events (like WPCT) as lures.
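The archive-level lure shape described under Tactics, Techniques & Procedures (decoy documents packaged beside an executable disguised as a document) and the corresponding mitigation above can be checked mechanically at the mail gateway or on an analyst's bench. The following is an added example, not tooling from IBM X-Force or from the campaign: the archive, its member names and the extension lists are constructed for illustration, and RAR (which the report also mentions) is left out because it needs a third-party library, although the per-member checks apply to any container format.

```python
"""Inspect a ZIP archive for the lure layout described in this report:
decoy documents packaged next to an executable named to look like a document.
Added example (not IBM X-Force or Mustang Panda tooling); the archive and its
member names below are constructed. RAR is not handled here."""
import io
import re
import zipfile

# Extensions under which a PE (MZ-header) file is expected to appear.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".cpl", ".sys"}
# Extensions the lure wants the victim to believe they are opening.
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx",
                  ".ppt", ".pptx", ".txt", ".jpg", ".png", ".html"}
# 'report.docx.exe' and 'report.docx            .exe': Explorer hides known
# extensions, and padding pushes the real one out of the visible column.
DOUBLE_EXT = re.compile(r"\.(" + "|".join(e[1:] for e in DOC_EXTENSIONS)
                        + r")\s*\.(exe|scr|com|cpl)$", re.IGNORECASE)
PADDED_EXT = re.compile(r"\s{3,}\.(exe|scr|com|cpl)$", re.IGNORECASE)
RTLO = "\u202e"  # right-to-left override, used to reverse the visible extension

# Constructed member name used by the sample archive below.
LURE_NAME = "WPCT/9th WPCT Resolution.docx                    .exe"


def _ext(name):
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def inspect_member(name, head):
    """Findings for one archive member, given its name and first bytes."""
    findings = []
    if head[:2] == b"MZ" and _ext(name) not in PE_EXTENSIONS:
        findings.append("pe_with_non_executable_extension")
    if DOUBLE_EXT.search(name):
        findings.append("double_extension")
    if PADDED_EXT.search(name):
        findings.append("whitespace_padded_extension")
    if RTLO in name:
        findings.append("rtlo_in_filename")
    return findings


def inspect_zip(data):
    """Return (verdict, {member: [findings]}) for the ZIP bytes in `data`."""
    findings = {}
    has_doc = has_pe = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(2)  # judge by content, not by extension
            ext = _ext(info.filename)
            is_pe = head == b"MZ"
            has_doc |= ext in DOC_EXTENSIONS and not is_pe
            has_pe |= is_pe or ext in PE_EXTENSIONS
            hits = inspect_member(info.filename, head)
            if hits:
                findings[info.filename] = hits
    if has_doc and has_pe:
        # Archive-level shape from the report: decoys plus an executable/DLL.
        findings["<archive>"] = ["documents_bundled_with_executable"]
    return ("suspicious" if findings else "clean"), findings


def build_sample_archive():
    """Constructed lure-shaped archive; member contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WPCT/Agenda.docx", b"PK\x03\x04 dummy docx")
        zf.writestr("WPCT/photo1.jpg", b"\xff\xd8\xff dummy jpeg")
        zf.writestr(LURE_NAME, b"MZ\x90\x00 dummy pe")
        zf.writestr("WPCT/helper.dll", b"MZ\x90\x00 dummy pe")  # side-load candidate
    return buf.getvalue()


def build_clean_archive():
    """Constructed archive containing documents only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WPCT/Agenda.docx", b"PK\x03\x04 dummy docx")
        zf.writestr("WPCT/photo1.jpg", b"\xff\xd8\xff dummy jpeg")
    return buf.getvalue()


if __name__ == "__main__":
    verdict, hits = inspect_zip(build_sample_archive())
    print(verdict)
    for member, reasons in hits.items():
        print(f"  {member!r}: {', '.join(reasons)}")
```

The content check (`MZ` header) is what matters: name-based rules catch the padding and double-extension tricks, but a renamed PE with a plain document extension only shows up when the first bytes are read. Flagging the archive as a whole when documents and an executable or DLL travel together matches the lure shape the report describes and is cheap to apply at a gateway before any file is opened.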
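Detecting the side-loading step listed under Tactics, Techniques & Procedures (the executable launching the malicious DLL from its own directory) and the matching mitigation above is usually done over image-load telemetry rather than file signatures. The block below is an added example, not IBM X-Force detection content and not a signature for Claimloader, PUBLOAD or Pubshell: it scores constructed Sysmon-style Event ID 7 records using the field names Sysmon writes (Image, ImageLoaded, Signed, SignatureStatus); the DLL-name list, the scoring weights, the threshold and the sample paths are assumptions chosen for illustration, not indicators from the report.

```python
"""Score Sysmon image-load events (Event ID 7) for the DLL side-loading shape:
a process running from a user-writable location loads a DLL from its own
directory instead of the Windows system directories, and the DLL is unsigned.
Added example over constructed records; not IBM X-Force detection content."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\",
                       "\\programdata\\", "\\public\\")
# Small illustrative list (assumption) of DLL names that are commonly hijacked
# because legitimate host binaries resolve them by name; a real rule needs more.
KNOWN_SYSTEM_DLLS = {"version.dll", "userenv.dll", "dwmapi.dll",
                     "cryptbase.dll", "profapi.dll", "wininet.dll"}


def _norm(path):
    return path.lower().replace("/", "\\")


def _dir(path):
    return ntpath.dirname(_norm(path)) + "\\"


def score_image_load(ev):
    """Return (score, reasons) for one Event ID 7 record given as a dict."""
    image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    if image == loaded:  # Sysmon also logs the process's own main module
        return 0, []
    img_dir, dll_dir = _dir(image), _dir(loaded)
    score, reasons = 0, []
    if dll_dir == img_dir and not dll_dir.startswith(SYSTEM_DIRS):
        score += 2
        reasons.append("dll_loaded_from_application_directory")
    if any(h in img_dir for h in USER_WRITABLE_HINTS):
        score += 2
        reasons.append("process_image_in_user_writable_path")
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        score += 1
        reasons.append("dll_unsigned_or_invalid_signature")
    if ntpath.basename(loaded) in KNOWN_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        score += 2
        reasons.append("system_dll_name_outside_system_directory")
    return score, reasons


def hunt(events, threshold=4):
    """Events scoring at or above threshold, as (Image, ImageLoaded, score, reasons)."""
    out = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            out.append((ev["Image"], ev["ImageLoaded"], score, reasons))
    return out


# Constructed records with Sysmon field names. The first mirrors the report's
# chain (disguised executable from a downloaded archive side-loading a DLL).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\tenzin\Downloads\WPCT\9th WPCT Resolution.docx    .exe",
     "ImageLoaded": r"C:\Users\tenzin\Downloads\WPCT\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",  # legitimate app-local DLL
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\updater.exe",  # classic hijack shape
     "ImageLoaded": r"C:\Users\Public\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, dll, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"{score} {image} -> {dll}: {', '.join(reasons)}")
```

Scoring rather than a single boolean keeps the rule usable: a signed vendor application loading its own library from Program Files scores low and stays below the threshold, while an unsigned DLL loaded from a Downloads or Public directory by a binary living there crosses it. In production the same logic would be expressed in the SIEM or EDR query language, and the process's parent (an archive utility or browser) would be an additional signal.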