{
  "name": "Chinese APT Target Royal Thai Police in Malware Campaign",
  "slug": "chinese-apt-target-royal-thai-police-in-malware-campaign",
  "description": "A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process commands from a disguised PDF. The malware, a trojanized version of PDF-XChange Driver Installer, dynamically resolves API calls to evade detection and establishes persistence through registry modification. It connects to a C2 server at 154.90.47.77 over TCP Port 443, with geo-locking to Thailand. This campaign appears to be part of a broader effort targeting Thai officials, highlighting the ongoing cyber espionage landscape in Southeast Asia.",
  "published": "2025-02-25T23:13:02+00:00",
  "created_at": "2025-02-25T23:13:02+00:00",
  "modified_at": "2025-02-26T08:15:37+00:00",
  "created_at_opencti": "2025-02-25T23:13:02+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-26",
    "apt",
    "china",
    "espionage",
    "phishing",
    "yokai"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "52807103-44ca-4970-8a01-2bdf451d5982",
        "name": "Yokai",
        "slug": "yokai"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d84a7548-8d06-45c7-80bf-46911d6e40c0",
        "name": "Mustang Panda",
        "slug": "mustang-panda"
      }
    ],
    "attack_patterns": [
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Thailand"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.cadosecurity.com/blog/chinese-apt-target-royal-thai-police-in-malware-campaign",
    "https://otx.alienvault.com/pulse/67be5c8ea6089f30aae6daac"
  ]
}