Chinese Hackers Abuse Google Drive to Drop Malware on Govt Networks

Government, research, and academic institutions worldwide were targeted by a spearphishing campaign by state-funded Chinese hackers. As part of this campaign, hackers deliver custom malware that remains hidden in Google Drive.

Researchers attribute the attacks to a group of cyber espionage hackers known as Earth Preta (aka Mustang Panda, Bronze President, TA416) an APT group, and Trend Micro researchers monitored the operation of this group between March and October 2022.


In an attempt to deceive their targets into downloading custom malware from Google Drive, the Chinese hackers used malicious emails with several lures via Google accounts.


There were mainly organizations in the following countries targeted by the threat group:-

  • Australia
  • Japan
  • Taiwan
  • Myanmar
  • Philippines

A majority of the messages which is around 84% that hackers sent to government and legal organizations had geopolitical themes and subjects.

Among multiple organizations here below we have mentioned the organizations that are mainly targeted:-

  • Government
  • Legal
  • Education
  • Business
  • Economy
  • Politics

Infection Chain

According to the Trend Micro report, Embedded links are linked to a Google Drive or Dropbox folder in order to circumvent security mechanisms. The two platforms have a good reputation and are legitimate, as a result, there is less suspicion surrounding them.

These links will take you to compressed files such as the ones listed below:-

  • RAR
  • ZIP
  • JAR

Among the malware strains that are contained in the files are the following:-

  • ToneShell
  • ToneIns
  • PubLoad

While this malware campaign uses the above-mentioned three different strains of malware in order to target the victim.

If the subject of the email is empty or if the subject has the same name as the malicious archive, then it is likely to be a spam email. There were many malware-loading habits used by hackers, but side-loading DLLs was the most common approach. 

Stagers like PubLoad do a great job of creating persistence through the following means: –

  • Adding registry keys 
  • Creating scheduled tasks
  • Decrypting shellcode
  • Handling command and control (C2) communications

With the introduction of PubLoad, Mustang Panda has taken steps to further improve the tool by including more sophisticated mechanisms to combat analysis.

In the recent campaign, ToneIns was used as the main backdoor to install ToneShell. ToneShell is loaded onto the compromised system in order to evade detection and load obfuscated code in order to establish persistence.

The ToneShell backdoor loads directly into memory and functions as a standalone backdoor. Implementing custom exception handlers, provides obfuscation of the flow of code in order to obscure the code flow.


Mustang Panda TTPs have been used in this recent campaign, which is similar to those reported by Secureworks this year. As you can see from the latest campaign, hackers have acquired a better set of tools and are able to expand their capabilities enormously. 

By doing so, it makes it easier for Chinese hackers to gather intelligence about their targets and to breach their security. 

Despite having periods of concentrated activity, ESET’s March 2022 report revealed that Mustang Panda is a cyberespionage threat to the global industry regardless of its short-term bursts of focused activity across:-

  • Southeast Asia
  • South Europe
  • Africa


Experts suggest the following recommendations as part of a mitigation plan for an organization:-

  • Engage partners and employees in phishing awareness training on a continuous basis.
  • Before opening an email, make sure you verify twice the sender as well as the subject.
  • Always use strong and unique passwords.
  • Enable multi-factor protection solutions.
  • Ensure that you are using an antivirus program that is reputed.
  • Make sure you change your password frequently.

Azure Active Directory Security – Download Free E-Book

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.