Monday, March 4, 2024

MQsTTang – Chinese Hackers Using Custom Malware To Evade AV Detection

In a recent analysis, MQsTTang, a newly designed custom backdoor, has been scrutinized by ESET researchers. After a thorough investigation, the source of this malware has been attributed to the infamous Mustang Panda APT group by the experts.

Tracing back to early January 2023, this ongoing campaign is attributed to the newly discovered backdoor. Customized versions of the PlugX malware are the weapon of choice for the notorious Mustang Panda APT group (aka TA416 and Bronze President), recognized for their worldwide data theft attacks.

This group operates as an advanced persistent threat (APT), with the intent to steal sensitive information from targeted organizations.

The latest malware, MQsTTang, introduced by Mustang Panda APT group, seems to be an original creation, not based on any prior malware. This suggests that the hackers designed it to bypass detection and restrict attribution to their group.


With its primary focus on Taiwan and Ukraine, the ongoing campaign targets government and political organizations in Europe and Asia. It is pertinent to note that these regions have been on the radar of many notorious hacking groups for their geopolitical importance.

Targetting countires

Spear-phishing emails are the preferred mode for the distribution of the malware, while the payloads are downloaded from GitHub repositories created by a user affiliated with past campaigns of the Mustang Panda.

The malware in question is compressed in RAR archives and is executable once unzipped, and its file names have a distinctive diplomacy theme. 

Attack chain

According to ESET Report, MQsTTang is a “barebones” backdoor that provides the threat actor with remote command execution capabilities on the victim’s computer and allows them to receive the output of the commands.

The malware duplicates itself upon execution and includes a command-line argument that initiates several operations. Persistence is achieved by creating a new registry key under the following path to initiate the malware during system startup:-

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

There is only one task that is executed after rebooting, and that is the C2 communication task. The novel backdoor has an atypical trait in that it utilizes the MQTT protocol for facilitating communication between the command and control server.

The malware is imbued with an inherent ability to withstand command and control (C2) takedowns and evade detection by defenders. 

This is owing to the employment of MQTT, which facilitates communication through a broker and keeps the attacker’s infrastructure hidden. This makes it a less detectable choice compared to other commonly used C2 protocols that are frequently scrutinized by defenders.

In order to remain undetected, the MQsTTang malware employs a mechanism to detect the presence of debugging or monitoring tools on the host system. If any such tools are identified, the malware adapts its behavior to avoid detection.

Analysts at Trend Micro recently detected another instance of a Mustang Panda operation that spanned from March to October 2022. 

It is currently uncertain whether the MQsTTang malware will be incorporated into the long-term arsenal of the group responsible for its development or if it was created solely for a specific operation.

Indicators of Compromise


A1C660D31518C8AFAA6973714DE30F3D576B68FCCVs Amb.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
430C2EF474C7710345B410F49DF853BDEAFBDD78CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exeWin32/Agent.AFBIMQsTTang backdoor.
F1A8BF83A410B99EF0E7FDF7BA02B543B9F0E66CDocuments.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
02D95E0C369B08248BFFAAC8607BBA119D83B95BPDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXEWin32/Agent.AFBIMQsTTang backdoor.
0EA5D10399524C189A197A847B8108AA8070F1B1Documents members of delegation diplomatic from Germany.ExeWin32/Agent.AFBIMQsTTang backdoor.
982CCAF1CB84F6E44E9296C7A1DDE2CE6A09D7BBDocuments.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
740C8492DDA786E2231A46BFC422A2720DB0279A23 from Embassy of Japan.exeWin32/Agent.AFBIMQsTTang backdoor.
AB01E099872A094DC779890171A11764DE8B4360BoomerangLib.dllWin32/Korplug.THKnown Mustang Panda Korplug loader.
61A2D34625706F17221C1110D36A435438BC0665breakpad.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
30277F3284BCEEF0ADC5E9D45B66897FA8828BFDcoreclr.dllWin32/Agent.ADMWKnown Mustang Panda Korplug loader.
BEE0B741142A9C392E05E0443AAE1FA41EF512D6HPCustPartUI.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
F6F3343F64536BF98DE7E287A7419352BF94EB93HPCustPartUI.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
F848C4F3B9D7F3FE1DB3847370F8EEFAA9BF60F1libcef.dllWin32/Korplug.TXKnown Mustang Panda Korplug loader.

Network Security Checklist – Download Free E-Book


Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles