By AJ Vicens
Jan 15 (Reuters) – A Chinese-linked cyberespionage group targeted U.S. government and policy-related officials with Venezuela-themed phishing emails in the days after the U.S. operation to topple Venezuelan President Nicolas Maduro, cybersecurity researchers said Thursday.
The previously unreported campaign is the latest example of a long-running Chinese cyberespionage group known as “Mustang Panda” using headlines or key issues in a given country as a means to steal data and establish footholds in U.S. government entities.
In this case, the group referenced the U.S. seizure of Maduro and his wife, according to cybersecurity firm Acronis’ Threat Research Unit.
It uncovered the campaign after spotting a zip file titled “US now deciding what’s next for Venezuela” that was uploaded on January 5 to a publicly accessible malware analysis service.
The file contained malware whose code and infrastructure overlapped with prior cyberespionage campaigns carried out by a group tracked by industry researchers as Mustang Panda, the researchers said in a report on their findings.
The specific targets of the hacking campaign were not clear, according to the researchers, and it was not clear if any of them were compromised. If implanted, the malware would allow its operators to steal data from targeted computers and enable persistence for ongoing access, according to the analysis.
The researchers suspect the malware targeted U.S. government entities and unnamed policy-related entities based on technical indicators associated with the sample that was uploaded for analysis, and the types of organizations historically targeted by Mustang Panda.
The malware included in the zip file was compiled at 0655 GMT January 3, according to the analysis, just hours after the U.S. operation to seize Maduro began. A sample of the malware was uploaded to the sandbox at 0827 GMT January 5, the researchers said, the same day Maduro and his wife Cilia Flores pleaded not guilty to narcotics and weapons charges in a Manhattan courtroom.
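The compile time cited above is the TimeDateStamp field of the executable's COFF file header, and the two-day gap to the sandbox upload is what lets analysts argue the operators were working fast. The following is an added example, not code from the Acronis report or the Reuters article, showing how that field is read and how the compile-to-first-seen interval is computed. The PE bytes are constructed inline (a header only, not a runnable program and not the sample from the campaign), and the year 2026 is an assumption inferred from the article's dates. One caveat a practitioner would add: the field is written by the linker and is trivially edited, so a compile time that falls after first sighting is proof of forgery, while one that falls before it is only consistent with the story, not confirmation of it.

```python
import struct
from datetime import datetime, timezone


def build_minimal_pe(compile_time: datetime) -> bytes:
    """Construct a PE header just large enough to carry a COFF TimeDateStamp.

    This is a synthetic header for illustration; it is not an executable and
    not the sample discussed in the article.
    """
    ts = int(compile_time.timestamp())
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    # e_lfanew at offset 0x3C points at the PE signature, placed right after the DOS header
    struct.pack_into("<I", dos, 0x3C, 64)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (x64, one section, DLL flag)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0xF0, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp sits 8 bytes past the signature (after Machine and NumberOfSections)
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def hours_between(compile_time: datetime, first_seen: datetime) -> float:
    """Hours from the claimed compile time to first public sighting.

    Negative means the sample claims to have been built after it was already
    observed, which is impossible and marks the timestamp as forged.
    """
    return (first_seen - compile_time).total_seconds() / 3600


def assess(compile_time: datetime, first_seen: datetime) -> str:
    """Classify the compile-to-first-seen interval. Thresholds are assumptions, not from the report."""
    delta = hours_between(compile_time, first_seen)
    if delta < 0:
        return "forged: compile time later than first sighting"
    if delta < 72:
        return "fresh: built within three days of first sighting"
    return "older build or backdated timestamp; corroborate with other artifacts"


# Constructed sample using the two times reported in the article (year assumed to be 2026)
COMPILED_AT = datetime(2026, 1, 3, 6, 55, tzinfo=timezone.utc)
FIRST_SEEN = datetime(2026, 1, 5, 8, 27, tzinfo=timezone.utc)
SAMPLE_PE = build_minimal_pe(COMPILED_AT)

if __name__ == "__main__":
    built = pe_compile_time(SAMPLE_PE)
    print("TimeDateStamp:", built.isoformat())
    print("hours to first sighting: %.1f" % hours_between(built, FIRST_SEEN))
    print(assess(built, FIRST_SEEN))
    # A backdated-the-wrong-way sample: claims a build after the upload
    print(assess(pe_compile_time(build_minimal_pe(FIRST_SEEN.replace(hour=9))), FIRST_SEEN))
```

Real samples should be checked with the same field read from the full image (tools such as `pefile` expose it as `FILE_HEADER.TimeDateStamp`), and the debug directory and Rich header timestamps compared against it, since an actor in a hurry is exactly the one who forgets to align them.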
Subhajeet Singha, a reverse engineer and malware analyst with Acronis and one of the authors of the analysis, said in an interview that the hackers in this case appeared to be moving quickly to take advantage of a rapidly developing geopolitical situation of high interest, leaving behind artifacts that helped link the malware to prior Mustang Panda operations.
“These guys were in haste,” Singha said, adding that the hackers’ work was not of the same quality as previous efforts.
The U.S. Department of Justice said in a January 2025 statement that Mustang Panda was a “group of hackers sponsored by the People’s Republic of China,” that has been paid to develop spying malware and penetrate target networks.
A spokesperson for the Chinese embassy in Washington said in an email: “China has consistently opposed and legally combated all forms of hacking activities, and will never encourage, support or condone cyberattacks. China firmly opposes the dissemination of false information about so-called ‘Chinese cyber threats’ for political purposes.”
The FBI declined to comment.
(Reporting by AJ Vicens in Detroit; Editing by Chris Sanders and Jamie Freed)
Disclaimer: This report is auto generated from the Reuters news service. ThePrint holds no responsibility for its content.