Chinese APT Hackers Attacking Orgs via Korplug Loaders and Malicious USB Drives

In a concerning development for cybersecurity professionals worldwide, a sophisticated Chinese advanced persistent threat (APT) group known as Mustang Panda has intensified its espionage campaigns across Europe, primarily targeting governmental institutions and maritime transportation companies.

The group has been leveraging Korplug loaders and malicious USB drives as primary attack vectors, demonstrating a persistent and evolving threat to organizations across multiple countries including Norway, the Netherlands, the UK, Bulgaria, Greece, Denmark, Poland, and Hungary.

The attackers have shown remarkable adaptability, continuously experimenting with various implementations of Korplug malware loaders based on different programming languages and file formats.

This technical versatility allows them to evade detection while maintaining persistence in compromised environments.

According to recent intelligence reports, Mustang Panda remains the most active China-aligned APT group operating in Europe, with consistent campaigns observed throughout late 2024 and early 2025.

Particularly concerning is the group’s continued use of malicious USB drives for initial infection, a technique that sidesteps network security controls by relying on a physical delivery vector.

This approach is especially effective against organizations with air-gapped systems or strict network security protocols, as it relies on the human element rather than network vulnerabilities.

WeLiveSecurity researchers identified significant evolution in the group’s toolset, noting that Mustang Panda has expanded its arsenal to include Delphi-, Go-, and Nim-based implementations of Korplug loaders.

This multi-language approach enables the attackers to tailor their malware to specific target environments and complicates detection efforts by security software that may be trained to identify more common variants.

Korplug Loader Technical Evolution

The technical sophistication of the Korplug loaders deserves particular attention.

Traditional Korplug implementations were typically written in C++, but Mustang Panda’s shift to alternative programming languages represents a deliberate strategy to evade signature-based detection.

The Nim-based variant, for example, leverages the relatively uncommon nature of Nim malware in enterprise environments, potentially bypassing security solutions that focus on more common malicious code patterns.

When the malware is delivered via USB drive, it typically employs the technique catalogued in the MITRE ATT&CK framework as T1091 (Replication Through Removable Media).

The execution chain begins when a user inserts the infected drive, triggering an autorun feature or enticing the victim to manually execute a disguised file.

Once executed, the initial loader establishes persistence and downloads the Korplug backdoor, which provides the attackers with remote access capabilities.

The Korplug backdoor itself maintains a sophisticated command and control infrastructure, using various obfuscation techniques to hide its network communications.

Most notably, recent variants have incorporated MSC downloaders alongside the traditional Korplug functionality, expanding the attackers’ capabilities to retrieve additional payloads post-compromise.

Figure: the infection chain from USB insertion to Korplug deployment, showing the sequential steps of the attack methodology.

Security teams are advised to implement strict USB device control policies, regularly update threat intelligence feeds, and deploy advanced endpoint protection solutions capable of detecting behavior-based indicators of compromise rather than relying solely on signature-based detection mechanisms.
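The USB device control advice above can be checked on a Windows endpoint with a short audit script. This is an added example, not code from the article or from the researchers it cites; it assumes the two standard Windows policy values shown (the AutoRun drive-type mask and the Removable Storage Access "Deny execute" setting for the Removable Disks class) and an elevated session when the -Apply switch is used.

```powershell
# Added example (not from the article): audit, and optionally enforce, two Windows
# policies that cover the USB vectors described above, i.e. AutoRun for every drive
# type and execution of files stored on removable disks.
# Auditing works as a standard user; applying changes needs an elevated session.

$Checks = @(
    @{
        Name  = 'AutoRun disabled for all drive types'
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value = 'NoDriveTypeAutoRun'
        Want  = 0xFF   # one bit per drive type; 0xFF disables AutoRun everywhere
    },
    @{
        Name  = 'Deny execute access on removable disks'
        # The GUID is the Removable Disks device class used by the
        # "Removable Storage Access" Group Policy settings.
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
        Value = 'Deny_Execute'
        Want  = 1
    }
)

function Test-UsbHardening {
    [CmdletBinding()]
    param([switch]$Apply)   # without -Apply the function only reports

    foreach ($c in $Checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = ($null -ne $current) -and ($current -eq $c.Want)

        if (-not $ok -and $Apply) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
            $current = $c.Want
            $ok = $true
        }

        $shown = if ($null -eq $current) { 'not set' } else { $current }
        [pscustomobject]@{
            Check     = $c.Name
            Current   = $shown
            Expected  = $c.Want
            Compliant = $ok
        }
    }
}

Test-UsbHardening            # report only
# Test-UsbHardening -Apply   # enforce (run elevated)
```

Domain Group Policy will overwrite these values at the next refresh, so on managed hosts the same settings belong in a GPO; the AutoRun change takes effect after Explorer restarts or the user logs on again.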

Organizations in the targeted sectors, particularly governmental institutions and maritime transportation companies, should exercise heightened vigilance and consider implementing security awareness training focused on physical security threats like malicious removable media.

Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.