216.73.217.176

Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit

· Published 05/09/2024 16:10 · Modified 05/09/2024 16:47

Export JSON

Essential information

Published
05/09/2024 16:10
Modified
05/09/2024 16:47
Tags
2024-09-05 dll sideloading gh0st rat phishing pif file toneshell
Related entities
4 observables, 1 intrusion sets (apt), 10 techniques (mitre), 3 malware, 3 others

Description

A cyber espionage campaign using the backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The malware establishes persistence through registry run keys and scheduled tasks, communicating with a C2 server in Hong Kong using raw TCP mimicking TLS. The campaign highlights the intersection of cyber espionage and international strategy, aiming to infiltrate sensitive defense discussions. Analysis revealed connections to previously reported APT-Q-27 activities and potential links to other infrastructure through shared RDP certificates.

External references