More details emerge on China’s widespread Ukraine-related hacking efforts

China's decade-old Mustang Panda hacking group is adjusting both its tactics and lures, researchers say.
The flag of the People's Republic of China flies in the wind above the Consulate General of the People's Republic of China in San Francisco, California on July 23, 2020. (Photo by PHILIP PACHECO/AFP via Getty Images)

More details are emerging about the activities of a prolific Chinese government hacking group and how it’s used Russia’s invasion of Ukraine as part of its ongoing efforts to infiltrate a diverse range of target networks across three continents in pursuit of espionage and information theft.

Mustang Panda — otherwise known as Bronze President, HoneyMyte or RedDelta — has been targeting European and Russian entities using topical phishing lures coinciding roughly with the start of the Russian war to deliver malware. Some of the activity has been reported, but researchers with Cisco’s Talos Intelligence Group detailed Thursday previously unreported file samples, website domains and IP addresses associated with the wide-ranging campaigns.

“Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves.”

Cisco’s Talos threat intelligence Researchers

The role of Chinese hacking efforts in connection with Russia’s invasion has been closely watched, but so far there hasn’t been substantial public reporting that the country’s open political alliance with Russia is reflected in its cyber efforts. Instead, Chinese hacking activities have followed traditional patterns of establishing long-term persistence in target networks in furtherance of espionage and information theft objectives.


“Over the years, Mustang Panda has evolved their tactics and implants to target a wide range of entities spanning multiple governments in three continents, including the European Union, the U.S., Asia and pseudo allies such as Russia,” the researchers wrote. “Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves.”

In early March cybersecurity researchers with both Google’s Threat Analysis Group and Proofpoint detailed Mustang Panda campaigns targeting European diplomatic entities with topical phishing lures, particularly with respect to refugee and migrant services.

Last week, Secureworks Counter Threat Unit published findings on the group’s use in early March of an English-language decoy document with a Russian title discussing refugee and migrant pressures on Belarus to deliver its well-known PlugX malware variant. That campaign targeted a border guard unit in an eastern Russia town along the Chinese border.

Thursay’s report from Talos discusses the same decoy document, but notes that by the end of March, Mustang Panda updated its tactics to reduce the remote URLs used to host and deploy the various parts of the malware. The researchers found examples of this behavior in two English-titled files related to the war on Ukraine and directed at unnamed targets.

The research also details a previously undisclosed Ukrainian-themed phishing lure with a title designed to make it look like it was an official statement from the National Security and Defense Council of Ukraine. The malware, sent to unnamed targets in late February, sought to establish a reverse shell, which would allow the attackers to deploy further attacks.

Russia declared war against Ukraine on Feb. 24., 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Latest Podcasts