Camaro Dragon

Threat Actor Profile Updated 13 days ago
Camaro Dragon, a Chinese state-sponsored Advanced Persistent Threat (APT) group also known as Mustang Panda, Bronze President, Red Delta, Luminous Moth, Earth Preta, and Stately Taurus, has been operational since at least 2012.

Check Point Research has analyzed a custom firmware image affiliated with Camaro Dragon that contains several malicious components, including a custom MIPS32 ELF implant dubbed "Horse Shell". This firmware implant was tailored for TP-Link routers and used in attacks on European foreign affairs entities. The overlap between Mustang Panda and Camaro Dragon suggests the router implant may have been deployed in other campaigns by the group. Horse Shell's Command & Control (C&C) server IP address linked to Camaro Dragon activity is also listed in Avast's report on the Mustang Panda campaign, indicating a connection between these groups.

A notable incident involved a UK hospital employee who inadvertently brought Camaro Dragon malware back from a trip, leading to an infection of the entire corporate network. This highlights the potential for widespread damage from such threats. In a keynote presentation at CPX 2024, Maya Horowitz, Vice President of Research at Check Point, noted that USBs were the primary infection vector for major threat groups in 2023, including Camaro Dragon.

Based on experience with similar China-aligned threat actors and recent research on router implants attributed to BlackTech and Camaro Dragon, it is speculated that the attackers deploy a network implant in victims' networks, possibly on vulnerable network appliances such as routers or gateways. Router compromise has become a highly valued strategy among big-name APTs like Slingshot, APT28, and Camaro Dragon. Even less sophisticated actors can leverage this method if target companies use outdated, unofficially supported, or small/home office router models.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Mustang Panda | 6 | Mustang Panda, also known as Earth Preta, Camaro Dragon, Bronze President, TA416, and Stately Taurus, is a China-aligned Advanced Persistent Threat (APT) group that has been active since at least 2012. The group has targeted various entities across the globe, including government organizations, thin
Stately Taurus | 4 | Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a sophisticated malware threat that has been active since at least 2012. This malicious software is associated with cyberespionage activities originating from China, and it has
LuminousMoth | 3 | LuminousMoth is a threat actor with ties to HoneyMyte, as evidenced by their similar targeting and Tactics, Techniques, and Procedures (TTPs). These include the use of DLL side-loading, Cobalt Strike loaders, and Chrome cookie stealers. The malware's operation begins with the execution of "explorer.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Espionage
Implant
Backdoor
State Sponso...
Chinese
Associated Malware
ID | Type | Votes | Profile Description
Raspberry Robin | Unspecified | 2 | Raspberry Robin, a sophisticated malware first disclosed by Red Canary in 2022, is known for its complex and interconnected ecosystem. Microsoft linked it to several other malware families such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and Truebot in late 2022, highlighting its role as a prec
Associated Threat Actors
ID | Type | Votes | Profile Description
RedDelta | Unspecified | 4 | RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ
Aqua Blizzard | Unspecified | 2 | Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-cap names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be
Gamaredon | Unspecified | 2 | Gamaredon, a threat actor of Russian origin, has been implicated in a series of cyber-attacks targeting Ukraine through the use of a USB worm known as LitterDrifter. This Advanced Persistent Threat (APT) group is notorious for its malicious activities, which typically involve executing actions with
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Camaro Dragon Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created at): Title
CERT-EU (a year ago): TP-Link routers provide entry point for Chinese hackers
Unit42 (2 months ago): ASEAN Entities in the Spotlight: Chinese APT Group Targeting
CERT-EU (a year ago): In Other News: Hospital Infected via USB Drive, EU Cybersecurity Rules, Free Security Tools
Securityaffairs (10 months ago): SmugX: Chinese APT uses HTML smuggling to target European Ministries and embassies
Unit42 (6 months ago): Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific
InfoSecurity-magazine (a year ago): USB Drives Used as Trojan Horses By Camaro Dragon
CERT-EU (10 months ago): Novel PlugX malware attacks target European diplomats
CERT-EU (10 months ago): Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft
CERT-EU (7 months ago): Chinese state-backed hackers accidentally infected a European hospital with malware | #ukscams | #datingscams | #european | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
CERT-EU (a year ago): Hackers have a P2P network of hacked TP-Link routers worldwide. Is your router a part of it?
CERT-EU (a year ago): Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware
CERT-EU (a year ago): Cyber security week in review: May 19, 2023
CERT-EU (a year ago): Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
CERT-EU (10 months ago): Chinese Threat Actors Target Europe in SmugX Campaign
CERT-EU (a year ago): Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware – GIXtools
CERT-EU (a year ago): This Week In Security: Camaro Dragon, RowPress, And RepoJacking
ESET (4 months ago): NSPX30: A sophisticated AitM-enabled implant evolving since 2005
CERT-EU (6 months ago): How to protect corporate routers and firewalls against hacking
CERT-EU (8 months ago): Hackers Are Dropping USB Drives at Watering Holes | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading (2 months ago): 'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs