This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Social Media Links

| 4 minutes read

Ankura CTIX FLASH Update - March 3, 2023

Malware Activity

New "MQsTTang" Backdoor Identified and Attributed to Mustang Panda

"MQsTTang", a new custom backdoor, has been discovered and attributed to the Chinese advanced persistence threat (APT) group Mustang Panda. Researchers observed this malware in an ongoing social engineering campaign that likely began in January 2023 and appears to be targeting government and political organizations in Europe, Asia, and Australia. Researchers noted that the malware "doesn't seem to be based on existing families or publicly available projects" and does not follow the group's usual tactics. The initial attack vector is believed to be through spearphishing. MQsTTang is being distributed through RAR archives, which contain single executables that are commonly named as phrases related to passports or diplomacy. MQsTTang uses the MQTT protocol for its command-and-control (C2) communication, which is not a technique typically used amongst publicly documented malware families. Researchers explained that the MQTT protocol is commonly used for communication between Internet of Things (IoT) devices and controllers, but a benefit to using it in malware is the protocol's ability to hide the malware's infrastructure behind a broker, ensuring that the victim machine does not communicate directly with the C2 server. This is executed through using the open-source QMQTT library, which depends on the Qt framework. A large portion of the framework is "statically linked in the malware" and used for malware development, which is another unusual tactic. Researchers are urged to closely monitor Mustang Panda's development as they delve into tactic, techniques, and procedures (TTPs) rarely observed in their arsenal. Additional technical details of MQsTTang and Mustang Panda as well as indicators of compromise (IOCs) can be viewed in the report linked below.

Threat Actor Activity

Blackfly (APT41) Expands Toolset, Targets Asia

Threat actors from the Blackfly organization have begun targeting entities throughout Asia in a new cyberespionage campaign. The group, commonly tracked as APT41, is a state-sponsored espionage group backed by the Chinese government. These actors have been conducting malicious activity since 2010, often times compromising assets to gain intelligence benefiting China's geopolitical policies. Earlier Blackfly attacks targeted the gaming industry but over time expanded to targeting a wide umbrella of entities throughout the telecommunications, manufacturing, medical, hospitality, natural resources, and food industries. Recently, the threat actors conducted attacks against Asian materials and composites entities, including two (2) subsidiaries of an Asian conglomerate believed to be in search of intellectual property to exfiltrate. Blackfly has incorporated a variety of malicious programs into their attacks since the latter half of 2022, including variants of the “Winnkit” backdoor, Mimikatz credential dumping, ForkPlayground memory dump, and a basket full of proxy configurations. Despite a significant setback in 2020 after multiple group members were arrested, Blackfly continues to operate with motivation for carrying out cyberespionage operations and is likely to do so in the coming future.


Quantum Computing: Researchers Identify that CRYSTALS-Kyber, a Post-Quantum Algorithm, May Be Vulnerable to Exploitation

A future quantum computing general-purpose algorithm standard selected by the U.S. National Institute of Standards and Technology (NIST) could be vulnerable to exploitation. Researchers from Sweden's KTH Royal Institute claim to have identified a security vulnerability impacting the quantum safe algorithm known as CRYSTALS-Kyber, which may be vulnerable to a side-channel attack. A side-channel attack is any attack based on extra information gathered because of the fundamental way a computer protocol or algorithm is implemented rather than flaws in the design of the protocol or algorithm itself. In the case of CRYSTALS-Kyber, the miniscule pieces of data that are leaked, as a byproduct of the way the algorithm functions, were collected and observed by researchers leveraging a neural network training method called recursive learning. In this side channel attack, the small data units leaked by the algorithm were analyzed for "small variations in power consumption or electromagnetic radiation to reconstruct what the machine is doing and find clues that would enable access." Successful exploitation could allow unauthenticated threat actors to access and exfiltrate privileged information. Notably, this attack didn't crack the algorithm itself and instead exploited a specific practical application implementation of the of the algorithm. Although this came as a surprise to the researchers, they did state that this finding is very beneficial since it is necessary to research these types of attacks prior to quantum computing becoming generally available to the public.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team ( if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.


cyber response, data privacy & cyber risk, cybersecurity & data privacy, data & technology, f-risk, memo

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in

I need help with