September 26, 2023

Researchers have spotted the Chinese state-sponsored APT group Mustang Panda, which has been associated with a series of targeted attacks exploiting TP-Link routers.

The campaign has been active since January and is aimed at European foreign affairs entities by using malicious firmware images that are designed explicitly for TP-Link routers. 

The implants contain a custom backdoor dubbed Horse Shell, which enables attackers to maintain persistent access, develop anonymous infrastructure, and lateral movement in compromised networks. 


The unique aspect of the backdoor implant is that it can be integrated into various firmware by different vendors, thus, increasing the scope of attacks.

The Horse Shell backdoor is written in C++ and compiled for MIPS32-based operating systems. The system information collected by Horse Shell includes user name, system name, OS version, OS time, CPU architecture, IP address, MAC address, and number of active connections.

The backdoor provides various functionalities, including remote Shell, Tunneling, and File transfer.

While the deployment of malicious firmware images is still unclear, it is estimated that the attackers gained access to routers by either scanning known vulnerabilities or using default and guessable passwords.


The discovery of Mustang Panda’s malicious implant on TP-Link routers highlights the need for enhanced endpoint security.

  • It is advised to change the default login credentials of devices connected to the internet to stronger passwords
  • Use multi-factor authentication whenever possible.
  • Make sure to regularly update routers and other device firmware to prevent attackers from exploiting vulnerabilities.

This research was documented by researchers from Checkpoint

Indicators of Compromise

  • 998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c
  • 7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a
  • ed3d667a4fa92d78a0a54f696f4e8ff254def8d6f3208e6fe426dbe7fb3f3dd0
  • 66cc81a7d865941cb32ed7b1b84b20270d7d667b523cab28b856cd4e85f135b6
  • 8a2e9f6c2b0c898090fdce021b3813313e73a256a5de39c100bf9868abc09dbb
  • da046a1fe6f3b94e48c24ffd341f8d97bfc06252ddf4d332e8e2478262ad1964

Leave a Reply

%d bloggers like this: