216.73.217.139

Chinese APT Target Royal Thai Police in Malware Campaign

· Published 26/02/2025 00:13 · Modified 26/02/2025 09:15

Export JSON

Essential information

Published
26/02/2025 00:13
Modified
26/02/2025 09:15
Tags
2025-02-26 apt china espionage phishing yokai
Related entities
1 intrusion sets (apt), 8 techniques (mitre), 1 malware, 2 others

Description

A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the backdoor. The attack, consistent with the Chinese group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process commands from a disguised PDF. The malware, a trojanized version of PDF-XChange Driver Installer, dynamically resolves API calls to evade detection and establishes persistence through registry modification. It connects to a C2 server at 154.90.47.77 over TCP Port 443, with geo-locking to Thailand. This campaign appears to be part of a broader effort targeting Thai officials, highlighting the ongoing cyber landscape in Southeast Asia.

External references