Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor

Key findings
China-aligned threat actor Hive0154 has spread numerous phishing lures in targeted campaigns throughout 2025 to deploy the Pubload backdoor.
Hive0154 devises filenames referencing various geopolitical topics tailored to elicit increased interest from the targeted recipients.
As of May 2025, X-Force noticed an increased focus on topics tailored to target the Tibetan community.
The phishing campaigns reference the 9th World Parliamentarians’ Convention on Tibet (WPCT) held in Tokyo in June, China’s education policy in the Tibet Autonomous Region (TAR), and the 2025 book Voice for the Voiceless by the Dalai Lama.
Read the full article here.