
NormCyber Threat Bulletin: 22nd January 2025

Mustang Panda Malware

Introduction
Mustang Panda, also known as RedDelta or Bronze President, is a sophisticated cyber-espionage group believed to be state-sponsored by the People’s Republic of China (PRC). The group has been active since at least 2014, targeting sectors including government, non-governmental organisations (NGOs), and private enterprises across Europe, Asia, and the United States.

Malware Overview
Mustang Panda is primarily known for its use of the PlugX malware, a Remote Access Trojan (RAT) that allows attackers to gain control over infected systems. PlugX is highly versatile and can perform a range of malicious activities, including data exfiltration, keylogging, and remote command execution.

Infection Vectors
The group employs several methods to distribute PlugX, including spear-phishing emails, malicious attachments, and compromised websites. One notable technique involves the use of USB flash drives to spread the malware, exploiting the autorun feature to infect systems when the drive is connected.

Technical Details

  1. Payload Delivery: The initial infection often begins with a spear-phishing email containing a malicious attachment or link. Once the attachment is opened or the link is clicked, the malware is downloaded and executed on the victim’s system.
  2. Persistence Mechanisms: PlugX employs various techniques to maintain persistence on infected systems. These include modifying registry keys, creating scheduled tasks, and using legitimate software to hide its presence.
  3. Command and Control (C2): The malware communicates with its C2 servers using encrypted channels, making it difficult to detect and analyse. The C2 infrastructure is often hosted on compromised servers or rented virtual private servers (VPS).
  4. Capabilities: PlugX provides attackers with a wide range of capabilities, including:
    • File manipulation (uploading, downloading, deleting)
    • System information gathering
    • Keylogging
    • Screen capturing
    • Remote shell access
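As an added, defender-side illustration of the persistence and spread mechanisms listed above (this is example code written for this bulletin, not PlugX analysis output or Norm tooling), the script below audits a Windows host for the USB AutoRun policy, the standard Run/RunOnce registry keys, and scheduled tasks whose action runs from user-writable folders. The key names and paths are standard Windows locations, not Mustang Panda indicators; the user-writable folder list is a heuristic assumption.

```powershell
# Audit AutoRun policy, Run/RunOnce keys and scheduled-task actions on a Windows host.
# Run in an elevated PowerShell session. Output is for review, not a verdict.

# 1. USB AutoRun: NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for every drive type.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($p in $policyPaths) {
    $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($v -eq 255) { "$p : AutoRun disabled (0xFF)" }
    else            { "$p : AutoRun NOT fully disabled (value: $v)" }
}

# 2. Run / RunOnce keys: list every value and the command it launches.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# 3. Scheduled tasks: flag tasks whose executable lives under a user-writable root.
#    Assumption: these roots are where dropped binaries commonly sit; legitimate
#    software also uses them, so every hit needs a human look.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, 'C:\ProgramData')
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $exe = $a.Execute
        if ($exe -and ($suspectRoots | Where-Object { $exe -like "$_*" })) {
            [pscustomobject]@{
                Task      = $task.TaskName
                Path      = $task.TaskPath
                Execute   = $exe
                Arguments = $a.Arguments
            }
        }
    }
}
```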

Impact and Mitigation
The impact of Mustang Panda’s activities can be severe, leading to significant data breaches, intellectual property theft, and disruption of critical services. Organisations are advised to implement robust cyber security measures, including:

Conclusion
Mustang Panda represents a significant threat to global cyber security, leveraging advanced techniques and tools to conduct espionage and data theft. Continuous vigilance and proactive security measures are essential to defend against such sophisticated adversaries.

References:
FBI Reveals Major Malware Attack From China Group ‘Mustang Panda’ (newsweek.com)
FBI Erases China-Sponsored Malware from Thousands of U.S. Computers (msn.com)
Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers (justice.gov)

Sneaky 2FA Code Bypass Allows Attackers to Gain Access to Microsoft Accounts

A cyber crime network named Sneaky Log has been selling phishing kits that allow the circumvention of two-factor authentication on Microsoft 365 accounts.

In December 2024, an adversary-in-the-middle phishing kit was discovered to be targeting Microsoft 365 accounts. The campaign is believed to have begun in October 2024. The kit is sold as Phishing-as-a-Service (PhaaS) and is operated through a fully featured bot on the Telegram platform. Emails observed from this phishing campaign typically present as payment receipts. The receipt contains a PDF attachment with a QR code that redirects the recipient to one of the phishing sites. To increase credibility, these phishing pages are often hosted on compromised infrastructure, such as a hijacked WordPress site. The phishing pages are crafted to impersonate legitimate Microsoft login pages, displaying blurred background images to add to their credibility.

Blurred background images from Microsoft authentication pages (Sekoia)

The Sneaky 2FA phishing kit has several anti-detection measures, such as Cloudflare Turnstile challenges that block automated traffic. It also uses traffic filtering to ensure only intended victims are redirected to the credential-harvesting sites.

Once the user enters their credentials and 2FA code, both are captured by the kit, giving the attackers access to the user’s account.

The Human Risk Management module from Norm Cyber can educate users on how to spot a likely malicious email. With this education, users will not only be more aware of the tactics used by attackers but will also be better placed to exercise caution before clicking on suspicious emails and links. It is also recommended to take a minute to assess an email or message before responding, and never to give remote access to your device.

References:
Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service (blog.sekoia.io)
The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts (cybersecsentinel.com)
New ‘Sneaky 2FA’ Phishing Kit Exploits Microsoft 365 Accounts with 2FA Evasion Tactics (owlysec.com)

Hyper-V Flaws Signal a New Era of Infrastructure Threats

As 2025 begins, IT professionals worldwide are bracing for a challenging patch management landscape. Microsoft has marked the new year with a record-breaking Patch Tuesday, addressing 159 vulnerabilities across its ecosystem. Among these, three critical flaws in Hyper-V (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) demand immediate attention.

These remote code execution (RCE) vulnerabilities expose virtualised environments to the alarming possibility of complete compromise by exploiting weaknesses in the hypervisor. This underscores a troubling shift in cybercriminal tactics, as attackers increasingly target the underlying infrastructure that forms the backbone of modern IT. To stay ahead, organisations must bolster their defences and adapt to this evolving threat landscape.

Hyper-V: A Vital Pillar Under Threat
Virtualisation is no mere buzzword; it’s the cornerstone of modern computing. From hosting enterprise applications to powering cloud services, Hyper-V is integral to keeping businesses agile and scalable. This ubiquity, however, also paints a target on its back.

With CVSS scores soaring above 9, these vulnerabilities allow attackers to execute arbitrary code on Hyper-V hosts. Exploiting them could provide adversaries with access not only to the host but potentially to every virtual machine (VM) within the environment. This isn’t merely a breach – it’s a cascading failure in the making.

What makes these vulnerabilities particularly dangerous is the shifting threat landscape. In the past, attackers focused on endpoints and individual servers. Today, they aim higher, seeking to exploit the infrastructure that connects and manages those systems. Virtualisation platforms, sitting at the heart of IT environments, offer a treasure trove of opportunities for lateral movement, privilege escalation, and data exfiltration.

Proof-of-concept exploits for these vulnerabilities have already surfaced in underground forums. While they are not yet weaponised, history teaches us it’s only a matter of time. The window for patching and securing systems is closing quickly.

Building Resilience: Hardening Your Defences
If the thought of an attacker hopping from VM to VM keeps you up at night, you’re not alone. But panic isn’t a strategy; preparation is. Here’s how to fortify your Hyper-V environment:

  • Patch Immediately: The January updates are your lifeline. Applying them is vital to your infrastructure.
  • Strengthen Segmentation: Limit communication between VMs and isolate your Hyper-V hosts to reduce the blast radius of an attack.
  • Control Access Relentlessly: Enforce multi-factor authentication (MFA) and implement least privilege principles for all admin accounts. Ensure that these are regularly audited and hardened.
  • Monitor with Precision: Implement advanced monitoring tools to identify anomalies, including unusual resource utilisation or unexpected configuration changes.
  • Simulate Attacks: Regularly test your defences through penetration testing and red team exercises.
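As an added example written for this bulletin (not Microsoft guidance or Norm tooling), the script below gives a Hyper-V host a quick check against the first four points in the list: updates installed since a cut-off date, VM network adapters left untagged on a shared virtual switch, membership of the administrative groups, and the latest entries in the VMMS admin log. The cut-off date is an assumption and should be set to the release date of the January updates; the script does not identify specific CVE fixes.

```powershell
# Hyper-V host hardening audit. Run elevated on the Hyper-V host itself.
param(
    [datetime]$PatchCutoff = '2025-01-14'   # assumption: adjust to the January update release date
)

# Patch Immediately: has anything been installed since the cut-off?
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchCutoff } | Sort-Object InstalledOn
if ($recent) { $recent | Select-Object HotFixID, InstalledOn }
else         { "No updates installed since $($PatchCutoff.ToShortDateString())" }

# Strengthen Segmentation: untagged adapters on the same switch share a flat L2 segment.
Get-VM | Get-VMNetworkAdapter | ForEach-Object {
    $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $_
    [pscustomobject]@{
        VM       = $_.VMName
        Switch   = $_.SwitchName
        VlanMode = $vlan.OperationMode
        VlanId   = $vlan.AccessVlanId
        Flat     = ($vlan.OperationMode -eq 'Untagged')
    }
} | Sort-Object Switch, VM

# Control Access Relentlessly: who can administer the host and its VMs?
foreach ($g in 'Hyper-V Administrators', 'Administrators') {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, PrincipalSource
}

# Monitor with Precision: recent management-plane events (VM create/delete/settings changes).
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Feed the segmentation and group-membership output into whatever baseline you keep for the host, so unexpected flat adapters or new admin members stand out at the next run.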

The Bottom Line
The Hyper-V vulnerabilities underscore the growing sophistication of cyber adversaries. Attackers aren’t just looking to breach the front door; they’re targeting the structural beams holding IT environments together.

As the lines between the physical and virtual blur, safeguarding virtualisation platforms like Hyper-V is no longer optional – it’s critical. Every patch, every segmentation policy, and every monitoring tool adds a layer of protection to an increasingly targeted landscape. The adversaries are evolving; it’s time our defences do too. Let’s make 2025 the year of resilient virtualisation.

References:
CVE-2025-21333 – Security Update Guide – Microsoft – Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2025-21334 – Security Update Guide – Microsoft – Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2025-21335 – Security Update Guide – Microsoft – Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability (msrc.microsoft.com)
Known Exploited Vulnerabilities Catalog (cisa.gov)
