An as-yet-unidentified threat group is believed to have implanted a Cobalt Strike backdoor in a localized font package offered for download on the website of the President of Myanmar. The incident was discovered by security researchers at ESET and reported on June 2nd. The font package contained a file named Acrobat.dll, a loader for the Cobalt Strike Beacon payload. If the DLL is executed, the Beacon establishes command-and-control (C2) communications with the attacker's server at 95.217.1[.]81 (written defanged here; refang before using it in detection logic). No firm attribution has been made, but the campaign is generally assessed to be the work of a Chinese state-sponsored group, based on similarities with past campaigns attributed to Mustang Panda or RedEcho. For defenders, the two actionable indicators are the C2 address on the network side and an Acrobat.dll sitting inside a font archive on the host side.
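As an added example (not code from the original report, ESET, or Binary Defense), the script below shows how a SOC analyst might operationalize the two indicators above: it refangs the defanged C2 address, scans proxy/firewall log lines for connections to that exact address (token matching, so a look-alike such as 195.217.1.81 is not a false positive), and inspects a downloaded ZIP for a member named Acrobat.dll. The log lines and the ZIP are constructed samples; the field layout (`src=`, `dst=`, `dport=`) is an assumption about the log format, not something the report specifies.

```python
import io
import re
import zipfile

# Indicators from the report. The IP is published defanged (95.217.1[.]81)
# and must be refanged before it can be matched against real log data.
C2_IP_DEFANGED = "95.217.1[.]81"
LOADER_DLL_NAME = "Acrobat.dll"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1[.]2[.]3[.]4, hxxp://) back into its usable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IP = refang(C2_IP_DEFANGED)

# Extracts whole dotted-quad tokens so that 195.217.1.81 never matches 95.217.1.81.
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_c2_connections(log_lines, c2_ip=C2_IP):
    """Return the log lines in which the C2 address appears as a complete IP token."""
    hits = []
    for line in log_lines:
        if c2_ip in _IP_RE.findall(line):
            hits.append(line)
    return hits


def suspicious_archive_members(zip_bytes, dll_name=LOADER_DLL_NAME):
    """List ZIP members whose basename is the loader DLL name (case-insensitive)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            name for name in zf.namelist()
            if name.rsplit("/", 1)[-1].lower() == dll_name.lower()
        ]


# Constructed sample: proxy log lines in an assumed key=value format. Two lines
# go to the real C2, one goes elsewhere, and one goes to a look-alike address.
SAMPLE_PROXY_LOG = [
    "2021-06-02T10:14:03Z src=10.0.0.23 dst=95.217.1.81 dport=443 proto=tcp action=allow",
    "2021-06-02T10:14:05Z src=10.0.0.23 dst=142.250.74.46 dport=443 proto=tcp action=allow",
    "2021-06-02T10:15:11Z src=10.0.0.41 dst=95.217.1.81 dport=80 proto=tcp action=allow",
    "2021-06-02T10:15:12Z src=10.0.0.41 dst=195.217.1.81 dport=443 proto=tcp action=allow",
]


def build_sample_font_package() -> bytes:
    """Constructed sample: a ZIP laid out like a font package with the loader DLL dropped in.
    The member contents are placeholders, not a real font and not the real loader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fonts/README.txt", "Myanmar Unicode font package (constructed sample)")
        zf.writestr("fonts/sample.ttf", b"\x00\x01\x00\x00")
        zf.writestr("fonts/Acrobat.dll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit)
    for member in suspicious_archive_members(build_sample_font_package()):
        print("Loader DLL in archive:", member)
```

In a real investigation the archive check would be followed by hashing the DLL and comparing it against the published sample, and the network check would be extended to DNS and TLS SNI logs; both are left out here because the report gives only the IP and the filename.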
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased