• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
pubload and pubshell malware used in mustang panda's tibet specific attack

PUBLOAD and Pubshell Malware Used in Mustang Panda’s Tibet-Specific Attack

You are here: Home / General Cyber Security News / PUBLOAD and Pubshell Malware Used in Mustang Panda’s Tibet-Specific Attack
June 27, 2025

A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community.

The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians’ Convention on Tibet (WPCT), China’s education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, according to IBM X-Force.

The cybersecurity division of the technology company said it observed the campaign earlier this month, with the attacks leading to the deployment of a known Mustang Panda malware called PUBLOAD. It’s tracking the threat actor under the name Hive0154.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


The attack chains employ Tibet-themed lures to distribute a malicious archive containing a benign Microsoft Word file, along with articles reproduced by Tibetan websites and photos from WPCT, into opening an executable that’s disguised as a document.

Cybersecurity

The executable, as observed in prior Mustang Panda attacks, leverages DLL side-loading to launch a malicious DLL dubbed Claimloader that’s then used to deploy PUBLOAD, a downloader malware that’s responsible for contacting a remote server and fetching a next-stage payload dubbed Pubshell.

Pubshell is a “light-weight backdoor facilitating immediate access to the machine via a reverse shell,” security researchers Golo Mühr and Joshua Chung said in an analysis published this week.

At this stage, it’s worth mentioning some of the nomenclature differences: IBM has given the name Claimloader to the custom stager first documented by Cisco Talos in May 2022 and PUBLOAD to the first-stage shellcode downloader, whereas Trend Micro identifies both the stager and the downloader as PUBLOAD. Team T5, similarly, tracks the two components collectively as NoFive.

The development comes weeks after IBM’s activity which it said is the work of a Hive0154 sub-cluster targeting the United States, Philippines, Pakistan, and Taiwan from late 2024 to early 2025.

This activity, like in the case of those targeting Tibet, utilizes weaponized archives originating from spear-phishing emails to target government, military, and diplomatic entities.

The digital missives contain links to Google Drive URLs that download the booby-trapped ZIP or RAR archives upon clicking, ultimately resulting in the deployment of TONESHELL in 2024 and PUBLOAD starting this year via Claimloader.

TONESHELL, another oft-used Mustang Panda malware, functions similarly to Pubshell in that it’s also used to create a reverse shell and execute commands on the compromised host.

“The Pubshell implementation of the reverse shell via anonymous pipes is almost identical to TONESHELL,” the researchers said. “However, instead of running a new thread to immediately return any results, Pubshell requires an additional command to return command results. It also only supports running ‘cmd.exe’ as a shell.”

Cybersecurity

“In several ways, Pubload and Pubshell appear to be an independently developed ‘lite version’ of TONESHELL, with less sophistication and clear code overlaps.”

The attacks targeted Taiwan have been characterized by the use of a USB worm called HIUPAN (aka MISTCLOAK or U2DiskWatch), which is then leveraged to spread Claimloader and PUBLOAD through USB devices.

“Hive0154 remains a highly capable threat actor with multiple active sub-clusters and frequent development cycles,” the researchers said.

“China-aligned groups like Hive0154 will continue to refine their large malware arsenal and retain a focus on East Asia-based organizations in the private and public sectors. Their wide array of tooling, frequent development cycles, and USB worm-based malware distribution highlights them as a sophisticated threat actor.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Previous Post: «business case for agentic ai soc analysts Business Case for Agentic AI SOC Analysts
Next Post: Over 1,000 SOHO Devices Hacked in China-linked LapDogs Cyber Espionage Campaign over 1,000 soho devices hacked in china linked lapdogs cyber espionage»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)
  • PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution
  • Securing Data in the AI Era
  • Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild
  • Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads
  • Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord
  • Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • What Security Leaders Need to Know About AI Governance for SaaS

Copyright © TheCyberSecurity.News, All Rights Reserved.