Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in the cyber espionage landscape, with a special emphasis on European governmental and industrial entities, according to a thorough disclosure from ESET’s APT Activity Report for Q4 2024 to Q1 2025.

The report, covering activities from October 2024 to March 2025, highlights the sophisticated tactics and tools employed by these threat actors to infiltrate sensitive networks.

Among the most active groups, Mustang Panda has been identified as a key player, targeting governmental institutions and maritime transportation companies with a combination of Korplug loaders and malicious USB drives.

These loaders, often used to deploy secondary payloads, enable stealthy persistence on compromised systems, while USB drives serve as an effective infection vector, exploiting physical access to air-gapped environments.

This dual-pronged approach underscores the group’s adaptability in bypassing conventional security measures, posing a significant risk to critical infrastructure sectors.

[Figure: Attack sources]

Persistent Espionage Campaigns

Further intensifying the threat landscape, other China-aligned groups such as DigitalRecyclers and PerplexedGoblin have also been actively targeting European entities, leveraging advanced backdoors and anonymization networks to maintain covert operations.

DigitalRecyclers, for instance, has been observed deploying RClient, HydroRShell, and GiftBox backdoors against EU governmental bodies, using the KMA VPN network to obfuscate their command-and-control (C2) communications.

Meanwhile, PerplexedGoblin introduced a new espionage backdoor named NanoSlate, specifically targeting a Central European government entity, showcasing their continuous evolution in malware development.

Additionally, Webworm exploited SoftEther VPN to compromise a Serbian government organization, reflecting a broader trend among these groups to utilize legitimate tools for malicious purposes.

Innovative Techniques Amplify Threats

ESET researchers also noted a ShadowPad cluster potentially engaging in ransomware for financial gain alongside espionage, while Worok frequently employed shared toolsets like HDMan, PhantomNet, and Sonifake, highlighting the complex attribution challenges in tracking overlapping campaigns.

These diverse and innovative techniques illustrate the persistent dedication of China-aligned APTs to espionage, often prioritizing long-term access over immediate financial returns.

The ESET report emphasizes that the highlighted operations are merely a snapshot of the broader threat landscape, with intelligence derived from proprietary telemetry data and verified by expert researchers.

The sustained focus on European targets by these APT groups signals a strategic intent to gather sensitive political and industrial intelligence, potentially influencing geopolitical dynamics.

As these actors refine their methods, combining physical and digital attack vectors such as malicious USB drives and Korplug loaders, organizations must bolster endpoint security, enforce strict removable media policies, and enhance threat intelligence sharing to mitigate the risk.

The evolving sophistication of these campaigns, as documented by ESET from late 2024 to early 2025, serves as a stark reminder of the persistent and adaptive nature of state-aligned cyber threats in the global arena.
