Stately Taurus

Malware updated a month ago (2024-10-17T13:02:06.727Z)
Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. Based on analysis by Palo Alto Networks' Unit 42, it is believed to be associated with China's Advanced Persistent Threat (APT) activity. The malware has been particularly effective because of its use of USB drives as a primary infection vector, a strategy that saw a resurgence during and after the COVID-19 pandemic.

The threat actor behind Stately Taurus has been linked with moderate-high confidence to CL-STA-0044, according to research by several cybersecurity firms, including Trend Micro, Talos, and Cyble. Connections have also been observed between a Stately Taurus component named Listener.bat and another malicious software known as ShadowPad: both were found to originate from the same network session, indicating potential collaboration or a shared origin. In a notable development, certain operations previously attributed to Stately Taurus, such as those of CeranaKeeper, are now tracked separately as a distinct activity cluster.

Despite these complexities, Stately Taurus remains a significant threat. Its tactics, techniques, and procedures (TTPs), including malware-loaded USB drives and backdoors such as ToneShell and ShadowPad, underscore the need for robust defensive measures and continued vigilance against this evolving threat.
Description last updated: 2024-10-17T12:17:15.113Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Mustang Panda (6 votes): Mustang Panda is a possible alias for Stately Taurus. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif

Camaro Dragon (4 votes): Camaro Dragon is a possible alias for Stately Taurus. Camaro Dragon, a Chinese state-sponsored threat actor also known as Mustang Panda, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Stately Taurus, has been identified as a significant cybersecurity concern. The group has been active since at least 2012 and is known for its sophisticated

Earth Preta (3 votes): Earth Preta is a possible alias for Stately Taurus. Earth Preta, also known as Mustang Panda or Stately Taurus, is a high-profile threat actor group that has been actively executing cyberattacks with malicious intent. Their activities have been particularly prevalent in the Asia Pacific (APAC) region and Europe. The group employs a variety of tools a

Alloy Taurus (2 votes): Alloy Taurus is a possible alias for Stately Taurus. Alloy Taurus, a threat actor group, has been identified as a significant cybersecurity concern due to its persistent attempts at cyberespionage, primarily targeting the government sector in Southeast Asia. The activity of this group was first observed in early 2022 and continued throughout 2023, dur
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Government
APT
Chinese
Backdoor
Associated Malware
Raspberry Robin (association type: Unspecified; 2 votes): The Raspberry Robin Malware is associated with Stately Taurus. Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by st

Iron Taurus (association type: Unspecified; 2 votes): The Iron Taurus Malware is associated with Stately Taurus. Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio

Gelsemium (association type: is related to; 2 votes): The Gelsemium Malware is associated with Stately Taurus. Gelsemium is a form of malware, short for malicious software, designed to exploit and damage computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Gelsemium can perform a variety of harmful actions such as stealing
Associated Threat Actors
Gamaredon (association type: Unspecified; 2 votes): The Gamaredon Threat Actor is associated with Stately Taurus. Gamaredon, a Russia-aligned threat actor, has emerged as one of the most active Advanced Persistent Threat (APT) groups in Ukraine, particularly since Russia's 2022 invasion of the country. Composed of regular officers from the Russian Federal Security Service (FSB) and some former law enforcement o

Aqua Blizzard (association type: Unspecified; 2 votes): The Aqua Blizzard Threat Actor is associated with Stately Taurus. Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-cap names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be

APT27 (association type: Unspecified; 2 votes): The APT27 Threat Actor is associated with Stately Taurus. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the
Source Document References
Information about the Stately Taurus Malware was read from the documents corpus below. This display is limited to 20 results.

Source, Created
ESET, 2 months ago
DARKReading, 2 months ago
DARKReading, 2 months ago
DARKReading, 2 months ago
Unit42, 2 months ago
DARKReading, 6 months ago
BankInfoSecurity, 6 months ago
Unit42, 6 months ago
InfoSecurity-magazine, 8 months ago
Unit42, 8 months ago
CERT-EU, 8 months ago
DARKReading, 8 months ago
CERT-EU, 9 months ago
CERT-EU, 10 months ago
CERT-EU, 10 months ago
CERT-EU, 10 months ago
DARKReading, a year ago
BankInfoSecurity, a year ago
DARKReading, a year ago
CERT-EU, a year ago