Operation Vicious Panda
The Mongolian public sector was targeted with RTF attachments disguised as documents sent by the Mongolian Ministry of Foreign Affairs. The threat actor used the COVID-19 pandemic as a lure and infected victims with a remote access trojan capable of exfiltrating, creating, moving, and deleting files and folders. The malicious documents were built with the Royal Road RTF weaponizer: each RTF carries embedded OLE objects that exploit flaws in the Equation Editor component of Microsoft Office, triggered when the file is opened in Word. Because Microsoft removed Equation Editor from Office in early 2018, the exploit only works against installations that still carry the component, so the state of that component is the first thing to verify when assessing exposure. Execution, persistence, and defense evasion relied on rundll32.exe, the Windows Startup folder, and obfuscation.
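The Equation Editor objects described above leave recognisable traces in the RTF text itself: an {\object ...} group, a class name of Equation.3 in the \objclass control word or in the OLE 1.0 header that starts the \objdata hex stream, the Equation Editor CLSID inside that stream, and often \objupdate, which makes Word load the object as soon as the document opens. The triage script below is an added example written for this page, not code from the Check Point report or from the Royal Road tool; the sample RTF it scans is constructed for the test and is not a real Vicious Panda document. It is a heuristic, not a full RTF parser, and the CLSID is the well-known Equation.3 constant {0002CE02-0000-0000-C000-000000000046}, not something taken from the page.

```python
"""Heuristic triage of RTF files for embedded Equation Editor objects.

Added example for this page, not code from the original report. It scans the
raw RTF text for {\object ...} groups and reports the indicators an analyst
would check: Equation.3 class names, the Equation Editor CLSID in \objdata,
and the \objupdate control word that forces the object to load on open.
"""
import re

EQUATION_CLASS = "Equation"
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation.3) as it appears in
# OLE streams: the first three GUID fields are little-endian, the rest as-is.
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

# Constructed sample (not a real malicious file): one embedded object whose
# OLE 1.0 header names Equation.3, whose native data carries the Equation
# Editor CLSID, and which is marked \objupdate.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    r"{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata 01050000"            # OLE 1.0 version
    r"02000000"                        # format id 2 = embedded object
    r"0b000000"                        # class name length (11, includes NUL)
    r"4571756174696f6e2e3300"          # "Equation.3\0"
    r"00000000" r"00000000"            # topic name / item name lengths
    r"18000000"                        # native data size (24 bytes)
    r"d0cf11e0a1b11ae1"                # OLE2 compound-file magic
    r"02ce020000000000c000000000000046"  # Equation.3 CLSID
    r"}}\par Hello}"
)


def _group_at(text, start):
    """Return the brace-delimited RTF group that begins at text[start] == '{'."""
    depth = 0
    i = start
    while i < len(text):
        c = text[i]
        if c == "\\":          # skip escaped characters such as \{ and \}
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]        # unterminated group: return the remainder


def _ole1_class_name(raw):
    """Read the class name from an OLE 1.0 object header: 4-byte version,
    4-byte format id, then a length-prefixed ANSI string (length includes NUL)."""
    if len(raw) < 12:
        return ""
    length = int.from_bytes(raw[8:12], "little")
    if length == 0 or length > 256 or 12 + length > len(raw):
        return ""
    return raw[12:12 + length].rstrip(b"\x00").decode("latin-1", "replace")


def extract_objects(rtf):
    """Return one dict per {\object ...} group found in the RTF text."""
    objects = []
    for m in re.finditer(r"\{\\object\b", rtf):
        group = _group_at(rtf, m.start())
        cls = re.search(r"\\\*\\objclass\s+([^\\{}]+)", group)
        data = re.search(r"\\\*\\objdata\s+([0-9A-Fa-f\s]+)", group)
        raw = b""
        if data:
            try:
                raw = bytes.fromhex(re.sub(r"\s+", "", data.group(1)))
            except ValueError:   # odd-length or otherwise malformed hex
                raw = b""
        objects.append({
            "objclass": cls.group(1).strip() if cls else "",
            "ole1_class": _ole1_class_name(raw),
            "objupdate": r"\objupdate" in group,
            "data": raw,
        })
    return objects


def triage(rtf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for i, obj in enumerate(extract_objects(rtf)):
        names = sorted({n for n in (obj["objclass"], obj["ole1_class"]) if n})
        if any(EQUATION_CLASS.lower() in n.lower() for n in names):
            findings.append(f"object {i}: class name references Equation Editor ({', '.join(names)})")
        if EQUATION_CLSID_LE in obj["data"]:
            findings.append(f"object {i}: Equation Editor CLSID present in objdata")
        if obj["objupdate"]:
            findings.append(f"object {i}: \\objupdate forces the object to load on open")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for line in triage(text) or ["nothing flagged"]:
        print(line)
```

Run it as `python triage_rtf.py suspicious.rtf`; with no argument it scans the built-in sample. Files are read as latin-1 on purpose: RTF is 7-bit ASCII by design, and decoding as UTF-8 would raise on the binary junk that weaponizers sometimes pad documents with. A hit on any of the three indicators is a reason to detonate the file in a sandbox, not proof of exploitation, and a clean result from this script does not clear a file, since Royal Road and similar tools can split or obfuscate control words in ways this regex-based scan does not unpick.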