"New Cyberespionage Campaign Targeting ISPs, Research Entities"

ESET researchers have spotted a cyberespionage campaign involving a previously undocumented Korplug variant by the Mustang Panda Advanced Persistent Threat (APT) group. The campaign takes advantage of the war in Ukraine and other European news topics. Targets include research entities, Internet service providers (ISPs), and European diplomatic missions in East and Southeast Asia. The new Korplug variant has been dubbed Hodur because it resembles the THOR variant documented in 2020. Victims of the new campaign were likely lured with phishing documents that exploit Russia's invasion of Ukraine and other recent events in Europe. For example, one of the filenames related to this campaign is "Situation at the EU borders with Ukraine.exe." Other phishing lures used in this campaign mention COVID-19 travel restriction updates, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council. These lures show that the APT group behind the campaign closely follows current affairs and reacts to them quickly. According to ESET researchers, code similarities and commonalities in Tactics, Techniques, and Procedures (TTPs) suggest that Mustang Panda, also known as TA416, RedDelta, or PKPLUG, is behind the campaign. This cyberespionage group is known to mainly target governmental entities and Non-Governmental Organizations (NGOs). This article continues to discuss the latest findings regarding the new cyberespionage campaign abusing the latest events.

Help Net Security reports "New Cyberespionage Campaign Targeting ISPs, Research Entities"

 
