Camaro Dragon

Threat Actor updated 15 hours ago (2024-10-17T12:04:25.426Z)
Camaro Dragon is a Chinese state-sponsored threat actor also tracked as Mustang Panda, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Stately Taurus. Active since at least 2012, the group is known for sophisticated attacks on a range of targets, including government agencies in Southeast Asia and Europe.

Check Point Research discovered a custom firmware image attributed to Camaro Dragon that contained several malicious components, among them a custom MIPS32 ELF implant dubbed "Horse Shell." The firmware was tailored specifically for TP-Link routers, indicating a strategic focus on network devices; the group exploited TP-Link routers with this malicious firmware implant in 2023. A server linked to Camaro Dragon activity was found hosting the implant, and its IP address resolved to one listed in Avast's report on the Mustang Panda campaign, a significant overlap between Mustang Panda and Camaro Dragon.

The group has also relied on malware-loaded USB drives as a primary infection vector, a technique that saw a revival during and after the COVID-19 pandemic.

Camaro Dragon's reach is not limited to government entities. In one incident, an employee of a UK hospital unknowingly brought Camaro Dragon malware back after a colleague was infected, and the hospital's entire corporate network was compromised as a result. This illustrates the actor's ability to infiltrate multiple sectors and the risk it poses to both public and private organisations. Ongoing analysis of the group's tactics and techniques aims to improve understanding of how such actors use malicious firmware implants in their attacks, and thereby to strengthen defensive strategies.
Description last updated: 2024-10-17T11:58:17.340Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be worth examining.
Alias | Description | Votes
Mustang Panda is a possible alias for Camaro Dragon. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif
Votes: 6
RedDelta is a possible alias for Camaro Dragon. RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ
Votes: 4
Stately Taurus is a possible alias for Camaro Dragon. Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's
Votes: 4
LuminousMoth is a possible alias for Camaro Dragon. LuminousMoth is a threat actor group with potential affiliations to a Chinese-speaking entity, exhibiting similar targeting and Tactics, Techniques, and Procedures (TTPs) as the HoneyMyte group. These similarities include the use of DLL side-loading, Cobalt Strike loaders, and a component akin to Lu
Votes: 3
Earth Preta is a possible alias for Camaro Dragon. Earth Preta, also known as Mustang Panda or Stately Taurus, is a high-profile threat actor group that has been actively executing cyberattacks with malicious intent. Their activities have been particularly prevalent in the Asia Pacific (APAC) region and Europe. The group employs a variety of tools a
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Implant
Chinese
Backdoor
State Sponso...
Espionage
Firmware
Tp
Associated Malware
Alias | Description | Association Type | Votes
The Raspberry Robin Malware is associated with Camaro Dragon. Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obs
Association type: Unspecified
Votes: 2
Associated Threat Actors
Alias | Description | Association Type | Votes
The Aqua Blizzard Threat Actor is associated with Camaro Dragon. Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-cap names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be
Association type: Unspecified
Votes: 2
The Gamaredon Threat Actor is associated with Camaro Dragon. Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been identified as one of the most active threat actors in Ukraine, particularly since Russia's invasion of Ukraine in 2022. The group has been known to employ a variety of tools and techniques for cyberespionage, including downloaders
Association type: Unspecified
Votes: 2
Source Document References
Information about the Camaro Dragon Threat Actor was read from the document corpus listed below. This display is limited to 20 results.
Source | Created At
DARKReading (a month ago)
DARKReading (a month ago)
Unit42 (a month ago)
InfoSecurity-magazine (2 months ago)
InfoSecurity-magazine (3 months ago)
InfoSecurity-magazine (7 months ago)
Unit42 (7 months ago)
CERT-EU (7 months ago)
DARKReading (7 months ago)
ESET (9 months ago)
ESET (9 months ago)
CERT-EU (a year ago)
Unit42 (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Checkpoint (a year ago)