Chinese APT Targets Royal Thai Police in Malware Campaign

Feb. 26, 2025, 9:15 a.m.

Description

A malware campaign targeting the Royal Thai Police has been identified that uses seemingly legitimate FBI-related documents as lures to deliver the Yokai backdoor. The tradecraft is consistent with the Chinese APT group Mustang Panda. The infection chain starts with a RAR archive containing a shortcut (.lnk) file that launches the built-in Windows ftp.exe and has it process commands from a script file disguised as a PDF. The payload is a trojanized version of the PDF-XChange Driver Installer; it resolves Windows API calls dynamically at runtime to evade static detection and establishes persistence through a registry modification. The backdoor connects to a command-and-control (C2) server at 154.90.47.77 over TCP port 443, with access geo-locked to Thailand. The campaign appears to be part of a broader effort targeting Thai officials and illustrates the ongoing cyber-espionage activity in Southeast Asia.
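The chain above gives a defender three concrete things to hunt for: ftp.exe being fed a script file (its documented -s:<file> switch, where a `!command` line in the script runs a shell command), a child process spawned by ftp.exe, a Run-key write by a binary in a user-writable directory, and a connection to the C2 address named in the report. The following Python is an added example written for this page, not code from the report or from any vendor; it runs those rules over constructed Sysmon-style events. Every file path, user name, SID and the benign comparison events are invented for illustration; only the C2 IP and port come from the report.

```python
"""Hunting rules for the Yokai delivery chain, evaluated over constructed
Sysmon-style events (process create, network connect, registry value set).
Added example; the events below are invented, not telemetry from the report."""
import re

C2_IP = "154.90.47.77"   # command-and-control address named in the report
C2_PORT = 443

# Document-looking extensions: an ftp script wearing one of these is the lure pattern.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}

# ftp.exe -s:<file>  (quoted or bare path)
FTP_SCRIPT_RE = re.compile(r'-s:(?:"([^"]+)"|(\S+))', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Users\\[^\\]+\\Downloads|Temp|ProgramData)\\", re.IGNORECASE)

# Constructed sample events (assumption: field names mirror Sysmon EID 1/3/13).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": r'ftp.exe -s:"C:\Users\u\Downloads\FBI_Notice.pdf"',
     "parent": r"C:\Windows\explorer.exe"},                      # LNK -> ftp.exe
    {"id": 1, "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": "ftp.exe ftp.example.org",
     "parent": r"C:\Windows\System32\cmd.exe"},                  # benign interactive use
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\PDFXCview\installer.exe"',
     "parent": r"C:\Windows\System32\ftp.exe"},                  # "!cmd" inside the script
    {"id": 3, "image": r"C:\Users\u\AppData\Local\Temp\PDFXCview\installer.exe",
     "dst_ip": "154.90.47.77", "dst_port": 443},                 # beacon to C2
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},                # benign HTTPS
    {"id": 13, "image": r"C:\Users\u\AppData\Local\Temp\PDFXCview\installer.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\PDFXChange",
     "details": r"C:\Users\u\AppData\Local\Temp\PDFXCview\installer.exe"},  # Run key
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ftp_script_rule(ev):
    """ftp.exe reading commands from a file. Any -s: use is worth a look;
    a script with a document extension matches the lure described above."""
    if ev["id"] != 1 or _basename(ev["image"]) != "ftp.exe":
        return None
    m = FTP_SCRIPT_RE.search(ev["cmdline"])
    if not m:
        return None
    script = m.group(1) or m.group(2)
    ext = script.rsplit(".", 1)[-1].lower() if "." in script else ""
    return ("ftp_script_file", "high" if ext in DOC_EXTS else "medium")


def ftp_child_rule(ev):
    """ftp.exe has no normal reason to spawn children; '!<cmd>' in a script
    does exactly that (T1059.003)."""
    if ev["id"] != 1 or _basename(ev.get("parent", "")) != "ftp.exe":
        return None
    return ("ftp_spawned_child", "high")


def c2_rule(ev):
    """Exact-match IOC from the report: port 443 alone says nothing about TLS."""
    if ev["id"] == 3 and ev["dst_ip"] == C2_IP and ev["dst_port"] == C2_PORT:
        return ("known_c2_connection", "critical")
    return None


def run_key_rule(ev):
    """Run/RunOnce value set by, or pointing at, a binary in a user-writable
    location (T1547.001). Other Run-key writes are logged at low severity."""
    if ev["id"] != 13 or not RUN_KEY_RE.search(ev["target"]):
        return None
    if USER_WRITABLE_RE.search(ev["details"]) or USER_WRITABLE_RE.search(ev["image"]):
        return ("run_key_user_writable", "high")
    return ("run_key_set", "low")


RULES = (ftp_script_rule, ftp_child_rule, c2_rule, run_key_rule)


def evaluate(events):
    """Return (event_index, rule_name, severity) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            result = rule(ev)
            if result:
                hits.append((i, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for idx, name, sev in evaluate(EVENTS):
        print(f"[{sev:8}] event {idx}: {name}")
```

The ftp.exe rules are the durable part: the C2 address and the installer name will change between campaigns, but a shortcut that launches ftp.exe with a script, and ftp.exe then spawning cmd.exe, is the execution primitive itself. Expect some noise from the bare -s: rule in environments that still script FTP transfers, which is why it only escalates to high when the script masquerades as a document.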

Date

  • Created: Feb. 26, 2025, 12:13 a.m.
  • Published: Feb. 26, 2025, 12:13 a.m.
  • Modified: Feb. 26, 2025, 9:15 a.m.

Attack Patterns

  • Yokai
  • Mustang Panda
  • T1560.001 (Archive Collected Data: Archive via Utility)
  • T1574.002 (Hijack Execution Flow: DLL Side-Loading)
  • T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
  • T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
  • T1113 (Screen Capture)
  • T1071.001 (Application Layer Protocol: Web Protocols)
  • T1036 (Masquerading)
  • T1027 (Obfuscated Files or Information)

Additional Information

  • Government
  • Thailand