Camaro Dragon

Threat Actor updated a month ago (2024-10-17T12:04:25.426Z)
Camaro Dragon is a Chinese state-sponsored threat actor also tracked as Mustang Panda, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Stately Taurus. The group has been active since at least 2012 and is known for sophisticated attacks on a range of targets, including government agencies in Southeast Asia and Europe.

Check Point Research discovered a custom firmware image attributed to Camaro Dragon that contained several malicious components, among them a custom MIPS32 ELF implant dubbed "Horse Shell." The firmware was tailored specifically for TP-Link routers, which points to a deliberate focus on network devices; in 2023 the group compromised TP-Link routers through this malicious firmware implant. A server tied to Camaro Dragon activity was also found hosting the implant, and its IP address resolved to one listed in Avast's report on the Mustang Panda campaign, a strong overlap between the Mustang Panda and Camaro Dragon activity clusters. The group has additionally relied on malware-loaded USB drives as a primary infection vector, a technique that saw a revival during and after the COVID-19 pandemic.

Camaro Dragon's reach is not limited to government entities. In one notable incident, an employee of a UK hospital unknowingly carried Camaro Dragon malware back into the organization after a colleague had been infected, and the hospital's entire corporate network was compromised as a result. The case illustrates the actor's ability to move into other sectors and the risk it poses to both public and private organizations. Ongoing analysis of the group's tactics and techniques aims to build a better understanding of how such actors use malicious firmware implants, and thereby to improve defensive strategies.
Description last updated: 2024-10-17T11:58:17.340Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant. Each entry lists the alias, its description, and its vote count.

Mustang Panda (6 votes): possible alias for Camaro Dragon. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif

RedDelta (4 votes): possible alias for Camaro Dragon. RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups, which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ

Stately Taurus (4 votes): possible alias for Camaro Dragon. Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's

LuminousMoth (3 votes): possible alias for Camaro Dragon. LuminousMoth is a threat actor group with potential affiliations to a Chinese-speaking entity, exhibiting similar targeting and Tactics, Techniques, and Procedures (TTPs) as the HoneyMyte group. These similarities include the use of DLL side-loading, Cobalt Strike loaders, and a component akin to Lu

Earth Preta (2 votes): possible alias for Camaro Dragon. Earth Preta, also known as Mustang Panda or Stately Taurus, is a high-profile threat actor group that has been actively executing cyberattacks with malicious intent. Their activities have been particularly prevalent in the Asia Pacific (APAC) region and Europe. The group employs a variety of tools a
Miscellaneous Associations
Other elements of context that could aid in assessing relevance (tags as shown on the page):
APT, Malware, Implant, Chinese, Backdoor, State Sponso..., Espionage, Firmware, Tp
Associated Malware
Each entry lists the malware family, its description, the association type, and the vote count.

Raspberry Robin (association type: Unspecified; 2 votes): associated with Camaro Dragon. Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by st
Associated Threat Actors
Each entry lists the threat actor, its description, the association type, and the vote count.

Aqua Blizzard (association type: Unspecified; 2 votes): associated with Camaro Dragon. Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-caps names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be

Gamaredon (association type: Unspecified; 2 votes): associated with Camaro Dragon. Gamaredon, a Russia-aligned threat actor, has emerged as one of the most active Advanced Persistent Threat (APT) groups in Ukraine, particularly since Russia's 2022 invasion of the country. Composed of regular officers from the Russian Federal Security Service (FSB) and some former law enforcement o
Source Document References
Information about the Camaro Dragon threat actor was read from the document corpus below. This display is limited to 20 results. Each entry gives the source and how long ago it was added.

DARKReading (2 months ago)
DARKReading (2 months ago)
Unit42 (2 months ago)
InfoSecurity-magazine (3 months ago)
InfoSecurity-magazine (4 months ago)
InfoSecurity-magazine (8 months ago)
Unit42 (8 months ago)
CERT-EU (8 months ago)
DARKReading (8 months ago)
ESET (10 months ago)
ESET (10 months ago)
CERT-EU (a year ago)
Unit42 (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Checkpoint (a year ago)