New Backdoor MQsTTang attributed to Mustang Panda Group


Security researchers at ESET have found a new custom backdoor that they named MQsTTang and attributed to the advanced persistent threat (APT) group known as Mustang Panda.

Writing in an advisory posted on March 2, 2023, ESET malware researcher Alexandre Côté Cyr explained that the new backdoor is part of an ongoing campaign that the company has been monitoring since early January.

“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.”

Côté Cyr also noted that while Mustang Panda is known for its Korplug (also known as PlugX) variants and elaborate payload chains, MQsTTang is a comparatively simpler piece of malware.

“In a departure from the group’s usual tactics, MQsTTang is single-stage and doesn’t use any obfuscation techniques,” the malware expert wrote. It is also distributed in RAR archives that contain only a single executable.

“These files are hosted on a web server with no associated domain name. This fact, together with the file names, leads us to believe that the malware spreads by means of spear phishing.”

As its name suggests, the backdoor uses Message Queuing Telemetry Transport (MQTT), a protocol often used for communication between IoT devices and controllers, for its command-and-control (C&C) communication.

“One of the benefits of MQTT is that it hides the rest of [its] infrastructure behind a broker. Therefore, the compromised machine never directly communicates with the C&C server,” wrote Côté Cyr.
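Because the compromised machine only ever talks to a broker, one network-side check is to spot MQTT sessions from hosts that have no reason to speak the protocol. The sketch below is an added example, not code from ESET or from this article: it recognises an MQTT CONNECT packet by its bytes rather than by port and flags unexpected internal clients reaching external peers. The internal range, the allowlist, the flow tuple layout and all sample addresses and client IDs are constructed assumptions.

```python
import ipaddress

# Assumptions (constructed): internal range and hosts that legitimately use MQTT.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXPECTED_MQTT_CLIENTS = {"10.0.5.20"}  # e.g. an IoT gateway

def decode_varint(buf, pos):
    """Decode an MQTT variable byte integer; return (value, next_pos) or None."""
    value = 0
    for i, byte in enumerate(buf[pos:pos + 4]):
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    return None  # truncated, or continuation bit still set on the fourth byte

def parse_connect(payload):
    """Return (protocol_level, client_id) if payload begins with MQTT CONNECT."""
    if len(payload) < 2 or payload[0] != 0x10:  # packet type 1, flags 0
        return None
    header = decode_varint(payload, 1)          # "remaining length" field
    if header is None:
        return None
    body = payload[header[1]:]
    if body[:6] != b"\x00\x04MQTT" or len(body) < 10:
        return None
    level, off = body[6], 10   # skip name, level, connect flags, keep-alive
    if level == 5:             # MQTT 5.0 inserts a properties block here
        props = decode_varint(body, off)
        if props is None:
            return None
        off = props[1] + props[0]
    cid_len = int.from_bytes(body[off:off + 2], "big")
    return level, body[off + 2:off + 2 + cid_len].decode("utf-8", "replace")

def flag_flows(flows):
    """Flag MQTT sessions, on any port, from unexpected hosts to external peers."""
    hits = []
    for src, dst, dport, payload in flows:
        parsed = parse_connect(payload)
        external = ipaddress.ip_address(dst) not in INTERNAL_NET
        if parsed and external and src not in EXPECTED_MQTT_CLIENTS:
            hits.append((src, dst, dport, parsed[1]))
    return hits

# Constructed first-payload samples: (src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.0.5.20", "203.0.113.10", 1883, b"\x10\x13\x00\x04MQTT\x04\x02\x00\x3c\x00\x07sensor1"),
    ("10.0.9.31", "203.0.113.10", 443, b"\x10\x13\x00\x04MQTT\x04\x02\x00\x3c\x00\x07ws-0042"),
    ("10.0.9.32", "203.0.113.10", 1883, b"GET / HTTP/1.1\r\n"),
]
```

The parser only sees cleartext first payloads, so MQTT carried inside TLS needs a different signal.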

As for the targets, the researcher said that Mustang Panda used the new backdoor to infect unknown entities in Australia and Bulgaria, as well as a government institution in Taiwan.

“However, due to the nature of the decoy filenames, we believe that political and governmental organizations in Europe and Asia are also being targeted,” the ESET advisory says, adding that the group previously targeted organizations in the EU area.

The investigation comes two after the EU Agency for Cybersecurity (ENISA) released a post warning member states against various Chinese APTs, including Mustang Panda.


By admin
