Mustang Panda, a Chinese nation-state actor, has been linked to sophisticated and targeted attacks against European foreign affairs entities since January 2023. Check Point researchers Itay Cohen and Radoslaw Madej uncovered a custom firmware implant designed for TP-Link routers, which features a backdoor called ‘Horse Shell’ that allows the attackers to maintain access, build anonymous infrastructure, and move laterally into networks. The implant is firmware-agnostic and can be integrated into various firmware. Mustang Panda is also known by other names such as Camaro Dragon, BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

The method of deployment is unknown, but initial access may have been gained by exploiting security flaws or by using default/guessable passwords. Horse Shell permits arbitrary shell commands, file uploads/downloads, and communication relay between two clients, and is believed to target arbitrary devices on residential networks to create a mesh network for anonymous communication.

This is not the first time Chinese threat actors have used compromised routers to meet their objectives: ANSSI revealed an intrusion set orchestrated by APT31 (aka Judgement Panda or Violet Typhoon) in 2021, which used a malware called Pakdoor (or SoWat) to allow routers to communicate with each other.
Source: Hackernews
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA (www.infrascan.net), or you can try it yourself using check.website.