Chinese APT Targets Royal Thai Police in Malware Campaign
Feb. 26, 2025, 9:15 a.m.
Description
A malware campaign targeting the Royal Thai Police has been identified that uses seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process commands from a disguised PDF. The malware, a trojanized version of the PDF-XChange Driver Installer, dynamically resolves API calls to evade detection and establishes persistence through a registry modification. It connects to a C2 server at 154.90.47.77 over TCP port 443, with geo-locking to Thailand. This campaign appears to be part of a broader effort targeting Thai officials, highlighting the ongoing cyber-espionage activity in Southeast Asia.
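Two of the behaviours in the description are cheap to hunt for in endpoint telemetry: ftp.exe being handed a command script that is not a plain text file, and any process talking to the C2 endpoint named above. The following detection logic is an added example written for this page; it is not code from the report or from any vendor product. The C2 IP and port are taken from the description; the use of ftp.exe's `-s:<file>` switch (the standard way to feed the Windows ftp client a command script) is an assumption, since the report only says ftp.exe "processes commands from a disguised PDF". The sample events, file paths and user names are constructed.

```python
# Added example: defender-side checks for the tradecraft summarised above.
# Not code from the report. Indicators come from the report text; the ftp.exe
# -s:<file> switch is assumed (see lead-in). Sample telemetry is constructed.
import ntpath
import re

# Indicators taken from the report text.
C2_IP = "154.90.47.77"
C2_PORT = 443

# Document extensions that should never be used as an ftp.exe command script.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}

# Matches the ftp.exe script switch, with or without quotes around the path.
FTP_SCRIPT_RE = re.compile(r'-s:"?([^"\s]+)"?', re.IGNORECASE)


def ftp_script_path(cmdline):
    """Return the path passed to ftp.exe via -s:, or None if the switch is absent."""
    m = FTP_SCRIPT_RE.search(cmdline)
    return m.group(1) if m else None


def flags_ftp_script_abuse(event):
    """True when ftp.exe is told to run a command script stored in a document file."""
    if event.get("type") != "process":
        return False
    if not event.get("image", "").lower().endswith("\\ftp.exe"):
        return False
    script = ftp_script_path(event.get("cmdline", ""))
    if script is None:
        return False
    # ntpath handles Windows paths correctly even when this runs on Linux.
    ext = ntpath.splitext(script)[1].lower()
    return ext in DOCUMENT_EXTENSIONS


def flags_c2_connection(event):
    """True for a connection to the C2 endpoint named in the report."""
    return (
        event.get("type") == "network"
        and event.get("dst_ip") == C2_IP
        and int(event.get("dst_port", 0)) == C2_PORT
    )


def triage(events):
    """Return (event id, reason) for every event that matches one of the checks."""
    hits = []
    for ev in events:
        if flags_ftp_script_abuse(ev):
            hits.append((ev["id"], "ftp.exe running a command script from a document file"))
        elif flags_c2_connection(ev):
            hits.append((ev["id"], f"connection to C2 {C2_IP}:{C2_PORT}"))
    return hits


# Constructed sample telemetry (simplified Sysmon-style fields); not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\ftp.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'ftp.exe -s:"C:\Users\victim\Downloads\FBI_Notice.pdf"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\ftp.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"ftp.exe -s:C:\scripts\nightly_upload.txt"},   # legitimate admin use
    {"id": 3, "type": "network",
     "image": r"C:\Users\victim\AppData\Local\Temp\pdfxchange_setup.exe",
     "dst_ip": "154.90.47.77", "dst_port": 443},
    {"id": 4, "type": "network",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

The first check is behavioural and survives infrastructure changes: a document extension as an ftp.exe script argument is anomalous regardless of which lure is used. The second is a plain IoC match and will stop firing as soon as the operators rotate the server, so treat it as a confirmation signal rather than the primary detection.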
Tags
Date
- Created: Feb. 26, 2025, 12:13 a.m.
- Published: Feb. 26, 2025, 12:13 a.m.
- Modified: Feb. 26, 2025, 9:15 a.m.
Attack Patterns
- Yokai
- Mustang Panda
- T1560.001
- T1574.002
- T1059.003
- T1547.001
- T1113
- T1071.001
- T1036
- T1027
Additional Information
- Government
- Thailand