Hodur

Hodur is a new Korplug (also known as PlugX) variant. Developed by APT group Mustang Panda, it’s used for espionage. Hodur is spread through phishing campaigns that use current events to lure victims into running the payload.

Key Insights

Hodur is distributed through spear phishing emails with malicious attachments or links. These emails often reference current events like geopolitical conflicts or public health crises to make them more believable. Once the victim opens the attachment or clicks the link, the malware is executed and gets a foothold in the system.

Technical Capabilities

Upon execution, Hodur gives attackers remote access to the system. They can run commands, manage files, and exfiltrate data. The malware uses control-flow obfuscation and encrypted channels to evade detection and analysis.

Evolution and Adaptation

Mustang Panda has shown that it can rapidly update Hodur's lures to reflect current events, making its phishing more effective. The group continues to develop and refine Hodur's capabilities to improve its espionage operations.

Known Variants

Hodur is related to previous Korplug variants such as THOR. While it shares the same core functionality, Hodur adds more advanced obfuscation and updated C2 handling, which distinguish it from earlier versions.

Mitigation Strategies

  • Use email filtering to detect and block phishing.

  • Keep systems up to date and patched.

  • Use advanced endpoint protection to detect and prevent malware execution.

  • Conduct user training to educate users about phishing and social engineering.
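The first mitigation above, filtering inbound mail for phishing attachments, can be illustrated with a small gateway-style rule. The following is an added example written for this page, not code from the page's source or from any vendor product; it parses a MIME message with Python's standard library and flags attachments that are executables or scripts, whether delivered directly, renamed behind a document extension, or packed inside a ZIP. The extension lists, sample addresses and attachment contents are constructed for the example and are not indicators tied to any specific campaign.

```python
"""Attachment-policy check for inbound mail, a simple phishing-filter rule.

Added example (not code from the page's source): parse a MIME message with the
standard library and flag attachments that are executables or scripts, either
directly, renamed behind a harmless-looking extension, or packed in a ZIP.
The extension lists are a constructed policy, not indicators for any campaign.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types an external sender should never be able to deliver as a mail
# attachment (constructed policy; tune to the organisation).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".hta",
                      ".lnk", ".ps1", ".bat", ".cmd"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    """Lower-case final extension of a file name, '' if it has none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def _inspect_zip(archive_name: str, payload: bytes) -> list[str]:
    """Look inside a ZIP attachment for blocked file types."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if _ext(info.filename) in BLOCKED_EXTENSIONS:
                    findings.append(
                        f"archive {archive_name} contains blocked file {info.filename}")
    except zipfile.BadZipFile:
        # A corrupt archive is suspicious too: it may be crafted to skip scanning.
        findings.append(f"archive {archive_name} is not a valid ZIP")
    return findings


def find_blocked_attachments(raw_message: bytes) -> list[str]:
    """Return one finding per attachment that violates the policy; [] if clean."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = _ext(name)
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.extend(_inspect_zip(name, payload))
        elif payload[:2] == b"MZ":
            # A PE image renamed to a document extension; judge by content, not name.
            findings.append(f"attachment {name} is a PE executable despite its extension")
    return findings


# --- helpers that build constructed sample messages for a local run ---------

def build_zip(files: dict[str, bytes]) -> bytes:
    """Pack a dict of name -> bytes into an in-memory ZIP (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(subject: str, filename: str, data: bytes, subtype: str) -> bytes:
    """Build a raw RFC 5322 message with one attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document regarding the current situation.")
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "clean pdf": build_sample("Agenda", "agenda.pdf", b"%PDF-1.4 ...", "pdf"),
        "renamed exe": build_sample("Invoice", "invoice.pdf", b"MZ\x90\x00" + b"\x00" * 16, "pdf"),
        "zip with exe": build_sample("Briefing", "briefing.zip",
                                     build_zip({"Briefing.pdf.exe": b"MZ\x90\x00"}), "zip"),
    }
    for label, raw in samples.items():
        print(f"{label}: {find_blocked_attachments(raw) or 'no findings'}")
```

The rule deliberately checks content as well as file names: a blocked extension is rejected outright, archives are opened and their members checked, and anything whose bytes begin with a PE header is flagged regardless of what the sender called it. A real gateway would add nested-archive and password-protected-archive handling and feed findings into quarantine rather than just returning them.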

Targeted Industries or Sectors

Hodur targets research institutions, internet service providers and diplomatic missions, mainly in East and Southeast Asia. Entities in Europe and Africa have also been hit, however, reflecting Mustang Panda's wide targeting scope.

Associated Threat Actors

Hodur is attributed to Mustang Panda, a China-based APT group also known as TA416, RedDelta or PKPLUG. This group targets governmental and non-governmental organizations and has been conducting cyber espionage campaigns across different regions.
