Mustang Panda, a China-based threat actor, has been improving and adding tools to attack firms located in Asia, the European Union, Russia, and the U.S.

“Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves,” Cisco Talos said in a new report detailing the group’s evolving modus operandi.

Since 2012, the group has targeted several organizations using email-based social engineering to gain access to drop PlugX, a backdoor predominantly used for long-term access.

Phishing messages, part of a campaign are duplicitous, wrapped with official European Union reports on the Russia-Ukraine conflict or Ukrainian government reports, both of the messages to plant malware in targeted systems

Phishing messages are customized to target various entities in the U.S. and several Asia countries like Myanmar, Hong Kong, Japan and Taiwan.

The observation aligns with a recent report from Secureworks that the group is possibly targeting Russian government officials using a decoy having PLugX that masked itself as a border report detachment to Blagoveshehensk.

But similar attacks detected towards the end of March 2022 show that the actors are updating their tactics by reducing the remote URLs used to obtain different components of the infection chain.

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft.

“By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft,” Talos researchers said.