Saturday, October 11, 2025

Mustang Panda Enhances its Malware for Stealthier Cyber Attacks

The China-backed cyber-espionage group known as Mustang Panda has significantly upgraded its malware arsenal, according to recent cybersecurity research. These new tools are designed for increased stealth and persistence, posing a greater threat to governments, NGOs, and corporations worldwide. The group’s enhanced capabilities focus on evading detection, making it much more difficult for security professionals to track and stop their attacks on sensitive networks.

A Closer Look at the New Espionage Tools

Mustang Panda, also known as Bronze President or TA416, has a long history of targeting strategic organizations. Their latest toolkit shows a clear focus on improving how they steal data and remain hidden inside a compromised network.

Two new keyloggers, PAKLOG and CorKLOG, are central to this upgrade. PAKLOG is designed to capture keystrokes and clipboard data, which is perfect for stealing login details and confidential information. CorKLOG advances this by adding encryption to the stolen data, protecting it even if the malware is discovered.

Interestingly, neither of these keyloggers can send the stolen data back to the attackers on their own. This suggests Mustang Panda is using manual methods to retrieve the data, adding a layer of stealth that automated systems might miss.

Upgrading Backdoors for Persistent Access

The group has also refined its well-known backdoor, “ToneShell.” This tool allows attackers to maintain long-term access to an infected computer. The latest version includes subtle changes to how it communicates with its command-and-control servers, helping it slip past traditional security software.

Alongside this, a new tool called StarProxy has been introduced to help the attackers move laterally across a network. Once inside, they can use StarProxy to spread from one machine to another. It uses a protocol called FakeTLS to disguise its malicious traffic as normal, encrypted data, making it very hard to spot.

Disabling Defenses with Kernel-Level Malware

Perhaps the most alarming new tool is SplatCloak, a driver that directly targets and bypasses antivirus software. By operating at the kernel level, the very core of the operating system, it can disable critical functions used by security products like Windows Defender and Kaspersky to detect threats.

SplatCloak is deployed by another utility called SplatDropper. After installing the driver, SplatDropper deletes itself to remove any trace of the initial infection. This hit-and-run tactic makes it extremely difficult for security teams to figure out how the system was compromised.

Here is a quick overview of the new and updated tools in Mustang Panda’s arsenal:

| Tool Name | Tool Type | Primary Function |
| --- | --- | --- |
| PAKLOG | Keylogger | Captures keystrokes and clipboard data. |
| CorKLOG | Keylogger | Captures and encrypts keystroke data for persistence. |
| ToneShell | Backdoor | Maintains persistent access to compromised systems. |
| StarProxy | Lateral Movement Tool | Spreads across a network using disguised traffic. |
| SplatCloak | Antivirus Bypass Driver | Disables security software at the kernel level. |

What this Means for Global Cybersecurity

The continuous evolution of Mustang Panda’s toolkit demonstrates a calculated and patient approach to cyber espionage. Researchers from Zscaler note that these updates significantly improve the group’s ability to remain undetected while carrying out their missions.

This increased sophistication means that organizations can no longer rely on basic defense measures. The ability of this malware to disable security software from within makes proactive defense more critical than ever.

To mitigate the risk of an attack from a group like Mustang Panda, experts recommend that organizations take several key steps:

  • Employ advanced endpoint security that can detect and respond to threats that bypass traditional antivirus software.
  • Conduct regular network traffic analysis to look for unusual patterns, even in encrypted traffic, that might indicate a tool like StarProxy is active.
  • Be vigilant for signs of lateral movement, as this is a key indicator that an attacker is already inside the network and expanding their control.

By staying informed and implementing a layered security strategy, organizations can better defend themselves against these increasingly stealthy and persistent threats.

Davis Emily
Emily is a versatile and passionate content writer with a talent for storytelling and audience engagement. With a degree in English and expertise in SEO, she has crafted compelling content for various industries, including business, technology, healthcare, and lifestyle, always capturing her unique voice.
