Mustang Panda is targeting the Tibetan community with PUBLOAD and Pubshell malware campaigns and may be migrating to US targets.

Mustang Panda (also tracked as Hive0154, Earth Preta, or Camaro Dragon), a China-aligned advanced persistent threat (APT) group, has deployed PUBLOAD and Pubshell malware in a targeted cyber espionage campaign against the Tibetan community. This operation leverages Tibet-themed lures to deliver multi-stage malware for persistent access and data exfiltration.

Attack Methodology

The campaign employs spear-phishing emails that reference culturally sensitive topics, such as the 9th World Parliamentarians’ Convention on Tibet (June 2025), China’s education policies in Tibet, and the Dalai Lama’s 2025 book Voice for the Voiceless.

Google Drive links distribute weaponized ZIP/RAR archives containing benign decoy documents (e.g., Tibetan news articles, event photos) alongside malicious executables disguised as documents using double extensions. When a victim opens the executable, it triggers DLL sideloading: a legitimate process (e.g., UsbConfig.exe) loads a malicious DLL such as Claimloader.
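The two tricks in the archive layout just described (a document name that actually ends in an executable extension, and an executable bundled next to the DLL it will sideload) can be caught at mail-gateway or sandbox-triage time without executing anything. The following is an added example written for this page, not code from the original write-up or from any vendor; it builds a constructed ZIP in memory that imitates the lure layout (file names are invented, not real campaign artifacts) and flags the suspicious entries.

```python
import io
import zipfile

# Extensions Windows will execute; a "document" whose real extension is one of
# these is the double-extension disguise used in the lure archives.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jpg", ".jpeg", ".png", ".txt"}


def is_double_extension(name: str) -> bool:
    """True for names like 'agenda.pdf.exe' (a document extension hidden in front of an executable one)."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 3:
        return False
    final_ext, hidden_ext = "." + parts[-1], "." + parts[-2]
    return final_ext in EXECUTABLE_EXTS and hidden_ext in DOCUMENT_EXTS


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP archive and report:
    - double_extension: entries disguised as documents
    - pe_magic: entries whose content starts with 'MZ' but whose name does not claim to be a PE
    - sideload_pairs: directories holding both an executable and a DLL (the sideloading layout)
    """
    findings = {"double_extension": [], "pe_magic": [], "sideload_pairs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        for n in names:
            if is_double_extension(n):
                findings["double_extension"].append(n)
            with zf.open(n) as fh:
                head = fh.read(2)
            # PE files start with 'MZ' regardless of what the file name claims.
            if head == b"MZ" and not n.lower().endswith((".exe", ".dll", ".scr")):
                findings["pe_magic"].append(n)
        by_dir = {}
        for n in names:
            directory, _, fname = n.rpartition("/")
            by_dir.setdefault(directory, []).append(fname.lower())
        for directory, files in sorted(by_dir.items()):
            exes = sorted(f for f in files if f.endswith((".exe", ".scr")))
            dlls = sorted(f for f in files if f.endswith(".dll"))
            if exes and dlls:
                findings["sideload_pairs"].append((directory, exes, dlls))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive imitating the lure layout; names and bytes are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("convention/agenda.pdf", b"%PDF-1.4 decoy")
        zf.writestr("convention/photo1.jpg", b"\xff\xd8\xff decoy")
        zf.writestr("convention/photos.jpg.exe", b"MZ\x90\x00 fake PE")   # double extension
        zf.writestr("convention/helper.dll", b"MZ\x90\x00 fake PE")       # DLL to be sideloaded
        zf.writestr("convention/notes.txt", b"MZ\x90\x00 fake PE")        # PE hidden under .txt
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_archive(build_sample_archive()).items():
        print(key, value)
```

The `pe_magic` check is deliberately separate from the name check: a renamed legitimate binary (the kind used as the sideloading host) carries no malicious code itself, so the signal a triage pipeline should act on is the combination of disguised name, executable content, and an adjacent DLL, not any single entry.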

Malware Functionality

PUBLOAD

Acts as a primary downloader and reconnaissance tool:

• Establishes persistence via registry keys or scheduled tasks
• Uses TripleDES encryption to decrypt embedded payloads
• Conducts system reconnaissance and file collection (targeting .DOCX, .PDF, etc.)
• Fetches next-stage payloads from C2 servers

Pubshell

A lightweight backdoor deployed by PUBLOAD:

• Establishes reverse shell connections for immediate system access
• Injects payloads directly into memory to evade detection
• Uses XOR-encrypted API calls for communication with C2 servers

Technical Evasion Techniques

• DLL Sideloading: Masks malicious code within legitimate processes
• Encrypted Traffic: Communicates via TLS 1.2 Application Data packets without visible handshakes
• Memory Injection: Avoids disk writes by executing payloads in RAM
• Hiupan Worm Variant: Propagates via infected USB drives in parallel campaigns
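The "TLS without a handshake" behaviour listed above is detectable from record framing alone: a genuine TLS flow starts with a Handshake record (content type 0x16), whereas a C2 channel that merely wraps its traffic in Application Data records (content type 0x17, version 0x0303) skips that step. The following added example, written for this page and not taken from any vendor tooling, parses TLS record headers from the client side of a flow and flags Application Data seen before any Handshake record; the byte streams are constructed stubs, not captured campaign traffic.

```python
import struct

TLS_CHANGE_CIPHER_SPEC = 0x14
TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
TLS_RECORD_TYPES = {TLS_CHANGE_CIPHER_SPEC, TLS_ALERT, TLS_HANDSHAKE, TLS_APPLICATION_DATA}
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}  # record-layer versions used by TLS 1.0 to 1.3


def parse_tls_records(stream: bytes):
    """Yield (content_type, version, length) for each TLS record header in the stream.
    Stops at the first 5-byte header that does not look like TLS record framing."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in TLS_RECORD_TYPES or version not in TLS_RECORD_VERSIONS:
            return
        yield ctype, version, length
        off += 5 + length


def flow_verdict(client_bytes: bytes) -> str:
    """Classify the client side of a flow:
    'not_tls'                  - no TLS record framing at all
    'handshake'                - Handshake record precedes any Application Data
    'appdata_without_handshake' - Application Data seen before any Handshake record
    """
    seen_handshake = False
    seen_any = False
    for ctype, _version, _length in parse_tls_records(client_bytes):
        seen_any = True
        if ctype == TLS_HANDSHAKE:
            seen_handshake = True
        elif ctype == TLS_APPLICATION_DATA and not seen_handshake:
            return "appdata_without_handshake"
    if not seen_any:
        return "not_tls"
    return "handshake"


def sample_flows() -> dict:
    """Constructed byte streams for demonstration; the handshake body is a stub, not a valid ClientHello."""
    stub_hello = b"\x01\x00\x00\x04\x03\x03\x00\x00"
    legit = struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(stub_hello)) + stub_hello
    legit += struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, 4) + b"\x00" * 4
    fake_payload = b"\xde\xad\xbe\xef" * 4
    impostor = struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, len(fake_payload)) + fake_payload
    return {"legit": legit, "impostor": impostor, "plain_http": b"GET / HTTP/1.1\r\n"}


if __name__ == "__main__":
    for name, data in sample_flows().items():
        print(f"{name}: {flow_verdict(data)}")
```

Apply this only to flows whose start was observed (for example, where the TCP SYN is in the capture); a sensor that joins a long-lived session mid-stream will see Application Data with no handshake and produce a false positive, and the same goes for TCP keep-alive probes on an already established TLS session.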

Geopolitical Context

Targets include Tibetan diaspora organizations, with submissions traced to India (home of Tibet’s government-in-exile). The campaigns align with politically sensitive dates (e.g., the Dalai Lama’s 90th birthday). Broader targeting has also been observed against U.S. Navy and Asia-Pacific entities.