Ransomware
Hodur is a new Korplug (also known as PlugX) variant. Developed by APT group Mustang Panda, it’s used for espionage. Hodur is spread through phishing campaigns that use current events to lure victims into running the payload.
Hodur is distributed through spear phishing emails with malicious attachments or links. These emails often reference current events like geopolitical conflicts or public health crises to make them more believable. Once the victim opens the attachment or clicks the link, the malware is executed and gets a foothold in the system.
Technical Capabilities
Upon execution, Hodur gives attackers remote access to the system. They can run commands, manage files, and exfiltrate data. The malware uses control-flow obfuscation and encrypted channels to evade detection and analysis.
Evolution and Adaptation
Mustang Panda has shown it can rapidly update Hodur and its phishing lures to track current events, making the campaigns more effective. The group continues to develop and refine Hodur’s capabilities to improve its espionage operations.
Mitigation
Use email filtering to detect and block phishing.
Keep systems up to date and patched.
Use advanced endpoint protection to detect and prevent malware execution.
Conduct user training to educate users about phishing and social engineering.