Two Chinese APT groups coordinated cyberattacks against ASEAN-affiliated entities to coincide with the ASEAN-Australia Special Summit in March 2024, while leaked documents from Chinese contractor iSoon revealed that the Tianfu Cup hacking contest feeds zero-day exploits directly to China’s Ministry of Public Security.
Stories Covered
Mustang Panda and Earth Krahang Target ASEAN Nations with DLL-Sideloading Malware Packages
Palo Alto Networks Unit 42 documented coordinated campaigns by two China-linked APT groups against entities affiliated with the Association of Southeast Asian Nations (ASEAN). Mustang Panda — also tracked as Stately Taurus, Camaro Dragon, and Earth Preta — created two malware packages timed to the ASEAN-Australia Special Summit (March 4–6, 2024), targeting entities in Myanmar, the Philippines, Japan, and Singapore via phishing emails. The first package, TalkingPointsForChina.zip, contained a renamed legitimate executable: TalkingPointsForChina.exe was actually a signed copy of KeyScrambler.exe, an anti-keylogging tool developed by QFX Software. Threat actors exploit signed legitimate binaries for the trust factor — an executable signed by a known software company bypasses casual inspection and some endpoint defenses. Executing it sideloaded a malicious DLL (KeyScrambler.ie.dll), which decrypted shellcode assessed as PlugX malware and established persistence via an auto-run registry entry. The second package, note_pso.scr (a screensaver executable), targeted an entity in Myanmar — with “PSO” likely referencing Personal Staff Officer, a rank in the Myanmar military. This package downloaded a renamed copy of EA Core Server (signed by Electronic Arts) as WindowsUpdate.exe, paired with a malicious sideloaded eacore.dll that replaced the legitimate supporting library. Both packages exploit the same technique: a signed, trusted executable loads a malicious DLL through sideloading, which then pulls additional payloads into memory.
DLL sideloading works by placing a malicious DLL in the same directory as a legitimate executable that loads supporting libraries by name rather than by verified path. When the signed program launches, it loads the attacker’s DLL instead of the real one, executing the malicious code under the cover of a trusted process. This approach reduces detection friction: the parent process is signed, the file on disk looks legitimate at a glance, and the actual payload often runs only in memory. Phishing remains the preferred delivery mechanism because it eliminates the need to burn a zero-day against patched infrastructure — a single click from a targeted user provides the entry point. The timing of malware package creation (March 4–5) precisely overlapping the summit dates suggests deliberate operational planning around geopolitically significant events where ASEAN government personnel would be exchanging relevant documents.
A second unnamed Chinese APT cluster (attributed by infrastructure overlap to attacks originating in Cambodia) was also observed targeting ASEAN-affiliated entities. This group, tracked as Earth Krahang and active since early 2022, specializes in using compromised government infrastructure as an attack platform — proxying attack traffic through government servers, hosting malicious payloads, and sending spear-phishing emails from legitimately compromised government email accounts. Once inside a network, Earth Krahang builds VPN servers on compromised public-facing hosts to tunnel into private networks and conducts brute-force attacks on email credentials for exfiltration. Attribution to the same national-state actor was made via shared C2 infrastructure: when malware from two different campaigns reaches out to the same command-and-control servers, that overlap ties the operations together regardless of the targeting differences.
iSoon Leak Exposes China’s Cyber-Contractor Ecosystem and Tianfu Cup as Zero-Day Pipeline
Documents leaked on GitHub from Chinese contractor iSoon (also known as Anxun) provided rare public visibility into how China structures and outsources its state cyber operations. The documents showed that iSoon sells a portfolio of offensive tools — including the ShadowPad RAT and Winnti (also called Treadstone) — to multiple Chinese government entities. The model mirrors a commercial software supply chain: the government does not build or maintain these tools in-house but purchases capabilities from private firms that specialize in developing and maintaining them. The contractors operate like digital private military companies — some had been implicated in prior campaigns including the 2019 Poison Carp operation against Tibetan groups and a 2022 breach of Com 100. What the documents also revealed is that some of these firms conduct attacks independently without explicit government instruction, hoping that a successful operation will attract a paying government customer. This creates an uncontrolled layer in the offensive ecosystem: contractors acting on their own initiative may inadvertently burn ongoing government APT operations by triggering detections at targets already silently compromised by a different group.
The most structurally significant detail in the leaked documents concerns the Tianfu Cup, China’s state-run equivalent of Pwn2Own. Where Pwn2Own is a commercial hacking contest where researchers submit exploits to vendors who pay bounties and patch the vulnerabilities, the Tianfu Cup feeds in the opposite direction: when submissions include full exploit chains, China’s Ministry of Public Security receives the proof-of-concept code and disseminates it to private firms for further development and deployment. The contest functions as a pipeline that converts competitive hacking research into government-stockpiled zero-days rather than vendor patches. By contrast, Pwn2Own 2024 paid $200,000 for a Tesla hack, $130,000 for a VMware Workstation guest-to-host escape, and $60,000 each for Chrome and Safari exploits — all of which go to vendors for remediation. The structural difference is consequential: one system converts discovered vulnerabilities into patches; the other converts them into weapons. The iSoon leak makes clear that China’s offensive cyber capacity is not purely internal — it is an ecosystem of contractors, mercenaries, and competition-fed exploit pipelines operating in parallel with and sometimes independently from state APT groups.





