Cyber Espionage, Mustang Panda targets European diplomats with Hodur
ESET cybersecurity experts: The China-linked APT uses the Korplug malware variant with decoy documents on Russia’s invasion of Ukraine and COVID-19
Hodur is a new variant of the Korplug malware, actively used by Mustang Panda (aka TA416) to target European diplomats, research institutes and ISPs. It was discovered by ESET cybersecurity experts. The lures are decoy documents, especially on Russia’s invasion of Ukraine and COVID-19 travel restrictions. Korplug and Hodur are remote access trojans (RATs) whose original functionality has been implemented by the China-linked APT for cyber espionage purposes. Payloads are decrypted in memory, and only an encrypted form is ever written to disk. Additionally, all strings are encrypted and Windows API function calls are obfuscated, and anti-execution measures are also present. Finally, persistence is achieved by adding a new registry entry to “Software\Microsoft\Windows\CurrentVersion\Run”, while the newly created directories that host the malware components are marked as “hidden” and “system.”
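The two persistence traits described above can be combined into one triage check: list the Run entries and flag any whose program sits in a folder carrying both the hidden and system attributes. This is an added example, not code from the article or from ESET; the function names, the choice to read both HKCU and HKLM, and the sample entries are assumptions made for illustration.

```python
import ntpath, os, re, sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # key named in the article
HIDDEN_SYSTEM = 0x2 | 0x4  # Win32 FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def exe_path(command):
    """Program path from a Run value: quoted, or bare with trailing arguments."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.(?:exe|com|scr|bat|cmd))(?=\s|$)', command, re.I)
    return (m.group(1) or m.group(2)) if m else command.strip().split(" ")[0]

def flag_entries(entries, attrs_of):
    """(name, exe) for each (name, command) whose folder is hidden AND system."""
    hits = []
    for name, command in entries:
        exe = exe_path(command)
        attrs = attrs_of(ntpath.dirname(exe))  # attribute bits, or None if unreadable
        if attrs is not None and attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM:
            hits.append((name, exe))
    return hits

def read_run_entries():
    """Windows only. Reading HKCU and HKLM is an assumption; the article names no hive."""
    import winreg
    out = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                out.append((name, winreg.ExpandEnvironmentStrings(str(value))))
    return out

def win_attrs(path):
    try:
        return os.stat(path).st_file_attributes  # Windows-only stat field
    except OSError:
        return None

# Constructed sample data for offline runs (not indicators from the article).
SAMPLE_RUN = [("Updater", r'"C:\Program Files\Vendor\updater.exe" /background'),
              ("SampleCache", r"C:\ProgramData\SampleCache\sample.exe 101"),
              ("Notes", r"C:\Users\alice\AppData\Roaming\Notes\notes.exe")]
SAMPLE_ATTRS = {r"C:\ProgramData\SampleCache": 0x10 | 0x2 | 0x4,      # hidden + system
                r"C:\Users\alice\AppData\Roaming\Notes": 0x10 | 0x2}  # hidden only
if __name__ == "__main__":  # live check on Windows, constructed sample elsewhere
    win = sys.platform == "win32"
    print(flag_entries(read_run_entries() if win else SAMPLE_RUN, win_attrs if win else SAMPLE_ATTRS.get))
```

A hit is a lead for review rather than a verdict, since legitimate software can also run from folders with these attributes.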