Mustang Panda Adds Four New Tools to Its Cyber Arsenal

Tuesday, April 22, 2025

Security researchers from Zscaler have revealed that Mustang Panda, a sophisticated APT group linked to the Chinese government (also known as Bronze President, Stately Taurus, TA416), has expanded its cyber arsenal with four new attack tools. These include two keyloggers, a lateral movement tool, and an EDR evasion driver. The group has also updated its primary backdoor, ToneShell, with more advanced capabilities.

The newly discovered tools include two keyloggers, PAKLOG and CorKLOG. PAKLOG is designed to capture keystrokes and clipboard data, while CorKLOG focuses on persistence and encrypting the captured data. Both tools log the data locally on the infected machine without automatically transmitting it to a command-and-control (C2) server, suggesting that the attackers might use other tools or direct access to extract the data. Another tool, StarProxy, is a novel proxy tool that uses FakeTLS techniques to mimic legitimate TLS encryption, helping disguise communication with the C2 server. It is also used for spreading laterally within a network once access has been established.

A particularly concerning tool is SplatCloak, a kernel-level driver designed to disable components of Windows Defender and Kaspersky by suppressing callbacks used for monitoring suspicious behavior, thereby allowing other malware to operate undetected. This tool is deployed via a utility named SplatDropper, which self-deletes after execution.

Additionally, the group has upgraded ToneShell, a widely used backdoor, improving its infection identification and C2 communication methods. StarProxy also plays a key role as a network proxy, enabling compromised hosts to connect to other systems within the same network and facilitate lateral movement.

These updates reflect Mustang Panda’s ongoing efforts to enhance the stealth and efficiency of its attacks, making them harder to detect and more effective. Network administrators are advised to remain vigilant and monitor for signs of these advanced threats.

Source: https://www.darkreading.com/cloud-security/chinese-apt-mustang-panda-4-attack-tools