Avast linked a malware distribution and staging infrastructure with high confidence to a Mustang Panda-related threat actor that collected and staged large volumes of stolen data from organizations tied to Myanmar. The campaign targeted government ministries, the Office of the State Administrative Council, police, military entities, embassies, NGOs, and opposition groups, and the exposed material reportedly included documents, emails, browser profiles, audio recordings, military information, diplomatic files, and passport scans belonging to foreign citizens and diplomats.
Investigators found an FTP server used to host modular malware and temporarily store exfiltrated victim data. The operation later shifted to HTTP infrastructure protected only by weak credentials, and also used Google Drive, GitHub, and watercaltropinfo domains to support exfiltration and token management. Avast said the tooling and tradecraft overlapped with previously reported Mustang Panda and LuminousMoth activity, including Korplug variants, Delphi USB launchers, DLL sideloading chains, and Google Drive-based exfiltration. Additional components included the Go-based JSX RAT, keyloggers, file monitors, audio capture tools, modular backdoors, and remote shell capabilities.

2 events from the most recent confirmed update back to the earliest known activity.
On 2022-12-02, Avast published research describing the actor's infrastructure evolution from anonymous FTP in Malaysia to HTTP with weak credentials, along with use of Google Drive, GitHub, and watercaltropinfo domains. The report also detailed malware and tradecraft associated with the campaign, including Korplug variants, Delphi USB launchers, DLL sideloading chains, a Go-based RAT called JSX, keyloggers, file monitors, audio capture tools, and remote shell capabilities.
Avast reported a malware distribution and staging infrastructure linked with high confidence to a Mustang Panda-related threat actor targeting Myanmar government ministries, military and police organizations, embassies, NGOs, and opposition groups. The operation involved large-scale collection and temporary storage of exfiltrated victim data, including documents, emails, browser profiles, audio recordings, military information, diplomatic materials, and passport scans.