# Full Report
Unit 42 details the just-discovered connection between threat group Stately Taurus (aka Mustang Panda) and the malware Bookworm, found during analysis of the group's infrastructure. The post Stately Taurus Activity in Southeast Asia Links to Bookworm Malware appeared first on Unit 42.
# Analysis Summary
# Threat Actor: Stately Taurus
## Attribution & Identity
Stately Taurus is the threat actor associated with the activity described. Unit 42 has now confidently linked this group to the **Bookworm** malware, nearly a decade after the malware was first discovered.
## Activity Summary
Stately Taurus has been observed engaging in activity targeting organizations in countries affiliated with the **Association of Southeast Asian Nations (ASEAN)**. Specifically, the report points to attacks in **Myanmar** detailed in a January 2024 CSIRT CTI post; those attacks delivered the **PubLoad** malware.
## Tactics, Techniques & Procedures
- Use of **DLL sideloading** as a common technique to execute payloads.
- Delivery of the **PubLoad** malware.
- Use of infrastructure overlapping with that used by a variant of the **Bookworm** malware.
## Targeting
- Sectors: Not explicitly detailed, but general targeting of organizations in the region.
- Geography: Countries affiliated with **ASEAN**, with specific mention of **Myanmar**.
- Victims: Not specifically named.
## Tools & Infrastructure
- Malware families used: **PubLoad** (believed to be unique to this group) and **Bookworm** malware variants.
- Infrastructure: Overlaps observed in infrastructure used for both Bookworm and Stately Taurus activity.
## Implications
Stately Taurus is an established threat actor whose connection to the long-standing Bookworm malware is now confirmed. Its continued activity in Southeast Asia, using methods such as DLL sideloading and custom malware (PubLoad), poses a persistent threat to regional entities.
## Mitigations
- Leverage **Cortex XDR and XSIAM**.
- Utilize **Cloud-Delivered Security Services** for the Next-Generation Firewall, including:
  - **Advanced WildFire**
  - **Advanced Threat Prevention**
  - **Advanced URL Filtering**
  - **Advanced DNS Security**