Analysis of PUBLOAD and Pubshell Malware in Mustang Panda’s Targeted Operations against Tibet
A China-linked threat actor, identified as Mustang Panda, has launched a new cyber espionage campaign targeting the Tibetan community.
The spear-phishing attacks exploit topics pertinent to Tibet, including the 9th World Parliamentarians’ Convention on Tibet (WPCT), China’s education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, as reported by IBM X-Force. The cybersecurity division of IBM, which tracks the threat actor under the designation Hive0154, observed the campaign’s emergence earlier this month with the deployment of the PUBLOAD malware.
The attack mechanisms utilize Tibet-themed lures to distribute a malicious archive that contains a seemingly benign Microsoft Word file along with articles sourced from Tibetan websites and photographs from the WPCT, eventually leading to the execution of a disguised executable.
The executable, as observed previously in Mustang Panda’s operations, employs DLL side-loading techniques to initiate a malevolent DLL termed Claimloader, which subsequently deploys PUBLOAD, a downloader malware responsible for contacting a remote server and retrieving a subsequent payload known as Pubshell.
Pubshell is characterized as a lightweight backdoor facilitating immediate access to the compromised system through a reverse shell, according to cybersecurity researchers Golo Mühr and Joshua Chung. It is important to clarify that IBM has designated the custom stager as Claimloader, while Trend Micro refers to both the stager and downloader collectively as PUBLOAD. TeamT5 adopts a similar approach by identifying these components under the label NoFive.
This situation follows recent activity attributed to a sub-cluster of Hive0154, which has targeted entities across the United States, Philippines, Pakistan, and Taiwan from late 2024 to early 2025. Such activities resemble those directed against Tibet, relying on weaponized archives dispatched through spear-phishing emails aimed at government, military, and diplomatic institutions.
The phishing emails incorporate links to Google Drive URLs that, upon access, download booby-trapped ZIP or RAR archives, culminating in the deployment of TONESHELL in 2024 and PUBLOAD this year via Claimloader. Another frequently utilized malware associated with Mustang Panda, TONESHELL, serves a similar function to Pubshell, enabling the establishment of a reverse shell and the execution of commands on the compromised host.
Researchers noted that while Pubshell’s reverse shell, like TONESHELL’s, is implemented with anonymous pipes, it differs slightly: it requires an additional command to return results and supports only ‘cmd.exe’ as the execution environment.
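The chain described above ends with a reverse shell that can only drive cmd.exe, launched from a side-loaded DLL that runs inside a disguised executable dropped from an archive. One defender-side check that follows from that description is to flag cmd.exe launches whose parent process runs from a user-writable location such as a downloads or temp folder. The script below is an added example and is not code from the report, from IBM X-Force, or from any of the vendors cited; the event records are constructed to resemble Sysmon process-creation fields, and the field names, directory markers, allowlist and sample paths are all assumptions rather than indicators from the campaign.

```python
"""Flag cmd.exe launches whose parent process runs from a user-writable path.

Added example for this article, not code from the report or its cited vendors.
The event shape mimics Sysmon Event ID 1 (process creation) but the field
names, paths and allowlist below are constructed assumptions.
"""
from dataclasses import dataclass
import ntpath  # Windows path handling works on any host OS

# Substrings that mark locations an unprivileged user can write to (assumed list).
USER_WRITABLE_MARKERS = (
    "\\users\\",
    "\\temp\\",
    "\\appdata\\",
    "\\downloads\\",
    "\\programdata\\",
)

# Parents that routinely spawn cmd.exe and would otherwise drown the rule in noise
# (assumed allowlist; tune per environment).
BENIGN_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory an ordinary user can write to."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def suspicious_cmd_spawn(ev: ProcessEvent) -> bool:
    """cmd.exe started by a non-allowlisted parent that runs from a user-writable path."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return False
    parent_name = ntpath.basename(ev.parent_image).lower()
    if parent_name in BENIGN_PARENTS:
        return False
    return is_user_writable(ev.parent_image)


def scan(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events that the rule flags, preserving input order."""
    return [ev for ev in events if suspicious_cmd_spawn(ev)]


# Constructed sample telemetry: one hit (disguised executable in Downloads
# spawning cmd.exe) and three benign records.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        parent_image=r"C:\Users\alice\Downloads\WPCT_photos\report.exe",
        command_line="cmd.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="cmd.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        parent_image=r"C:\Program Files\BuildTool\make.exe",
        command_line="cmd.exe /c build.bat",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\notepad.exe",
        parent_image=r"C:\Users\alice\Downloads\WPCT_photos\report.exe",
        command_line="notepad.exe notes.txt",
    ),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"suspicious cmd.exe spawn: parent={hit.parent_image}")
```

The rule deliberately keys on the parent's location rather than on any file name or hash, because the report describes the lure contents and the loader chain, not durable indicators; pair it with a baseline of which parents legitimately spawn cmd.exe in your environment before alerting on it.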
In certain instances, attacks targeting Taiwan have employed a USB worm referred to as HIUPAN (also known as MISTCLOAK or U2DiskWatch), facilitating the propagation of Claimloader and PUBLOAD via USB devices.
Hive0154 continues to prove itself as a capable threat actor, with several active sub-clusters and ongoing development cycles. Groups aligned with China, such as Hive0154, are poised to refine their extensive malware arsenal while maintaining a focus on organizations within East Asia’s public and private sectors. Their diverse toolkit, regular development cycles, and employment of USB worm-based malware distribution underscore their sophistication and persistence as a threat.