Linux malware

MQsTTang – Chinese Hackers Using Custom Malware To Evade AV Detection

In a recent analysis, MQsTTang, a newly designed custom backdoor, has been scrutinized by ESET researchers. After a thorough investigation, the source of this malware has been attributed to the infamous Mustang Panda APT group by the experts.

Tracing back to early January 2023, this ongoing campaign is attributed to the newly discovered backdoor. Customized versions of the PlugX malware are the weapon of choice for the notorious Mustang Panda APT group (aka TA416 and Bronze President), recognized for their worldwide data theft attacks.

This group operates as an advanced persistent threat (APT), with the intent to steal sensitive information from targeted organizations.

The latest malware, MQsTTang, introduced by Mustang Panda APT group, seems to be an original creation, not based on any prior malware. This suggests that the hackers designed it to bypass detection and restrict attribution to their group.


With its primary focus on Taiwan and Ukraine, the ongoing campaign targets government and political organizations in Europe and Asia. It is pertinent to note that these regions have been on the radar of many notorious hacking groups for their geopolitical importance.

Targetting countires

Spear-phishing emails are the preferred mode for the distribution of the malware, while the payloads are downloaded from GitHub repositories created by a user affiliated with past campaigns of the Mustang Panda.

The malware in question is compressed in RAR archives and is executable once unzipped, and its file names have a distinctive diplomacy theme. 

Attack chain

According to ESET Report, MQsTTang is a “barebones” backdoor that provides the threat actor with remote command execution capabilities on the victim’s computer and allows them to receive the output of the commands.

The malware duplicates itself upon execution and includes a command-line argument that initiates several operations. Persistence is achieved by creating a new registry key under the following path to initiate the malware during system startup:-

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

There is only one task that is executed after rebooting, and that is the C2 communication task. The novel backdoor has an atypical trait in that it utilizes the MQTT protocol for facilitating communication between the command and control server.

The malware is imbued with an inherent ability to withstand command and control (C2) takedowns and evade detection by defenders. 

This is owing to the employment of MQTT, which facilitates communication through a broker and keeps the attacker’s infrastructure hidden. This makes it a less detectable choice compared to other commonly used C2 protocols that are frequently scrutinized by defenders.

In order to remain undetected, the MQsTTang malware employs a mechanism to detect the presence of debugging or monitoring tools on the host system. If any such tools are identified, the malware adapts its behavior to avoid detection.

Analysts at Trend Micro recently detected another instance of a Mustang Panda operation that spanned from March to October 2022. 

It is currently uncertain whether the MQsTTang malware will be incorporated into the long-term arsenal of the group responsible for its development or if it was created solely for a specific operation.

Indicators of Compromise


A1C660D31518C8AFAA6973714DE30F3D576B68FCCVs Amb.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
430C2EF474C7710345B410F49DF853BDEAFBDD78CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exeWin32/Agent.AFBIMQsTTang backdoor.
F1A8BF83A410B99EF0E7FDF7BA02B543B9F0E66CDocuments.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
02D95E0C369B08248BFFAAC8607BBA119D83B95BPDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXEWin32/Agent.AFBIMQsTTang backdoor.
0EA5D10399524C189A197A847B8108AA8070F1B1Documents members of delegation diplomatic from Germany.ExeWin32/Agent.AFBIMQsTTang backdoor.
982CCAF1CB84F6E44E9296C7A1DDE2CE6A09D7BBDocuments.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
740C8492DDA786E2231A46BFC422A2720DB0279A23 from Embassy of Japan.exeWin32/Agent.AFBIMQsTTang backdoor.
AB01E099872A094DC779890171A11764DE8B4360BoomerangLib.dllWin32/Korplug.THKnown Mustang Panda Korplug loader.
61A2D34625706F17221C1110D36A435438BC0665breakpad.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
30277F3284BCEEF0ADC5E9D45B66897FA8828BFDcoreclr.dllWin32/Agent.ADMWKnown Mustang Panda Korplug loader.
BEE0B741142A9C392E05E0443AAE1FA41EF512D6HPCustPartUI.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
F6F3343F64536BF98DE7E287A7419352BF94EB93HPCustPartUI.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
F848C4F3B9D7F3FE1DB3847370F8EEFAA9BF60F1libcef.dllWin32/Korplug.TXKnown Mustang Panda Korplug loader.

Network Security Checklist – Download Free E-Book


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Free Threat Hunting Platform Security Onion Released Updates – What’s New!

The third Beta version of Security Onion 2.4 is made available by Security Onion Solutions.…

9 hours ago

Toyota Server Misconfiguration Leaks Owners Data for Over Seven Years

The Leak discloses Address, Vehicle Identification Number (VIN), Email address, Phone number, Name, and Vehicle…

14 hours ago

Dark Pink APT Group Compromised 13 Organizations in 9 Countries

Dark Pink has successfully targeted 13 organizations across 9 countries, highlighting the extent of their…

1 day ago

Hackers Exploit Barracuda Zero-Day Flaw Since 2022 to Install Malware

This vulnerability exists due to improper processing, validation, and sanitization of the names of the…

2 days ago

Critical Jetpack WordPress Flaw Exposes Millions of Website

This vulnerability could be used by authors on a site to manipulate any files in…

2 days ago

Shut Down Phishing Attacks – Types, Methods, Detection, Prevention Checklist

In today's interconnected world, where digital communication and transactions dominate, phishing attacks have become an…

2 days ago