According to cybersecurity researchers, a Chinese-linked cyberespionage outfit sent Venezuela-themed phishing emails to US government and policy officials in the days following a US operation to depose Venezuelan President Nicolas Maduro.

The previously unknown campaign demonstrates how a long-standing Chinese cyberespionage cell known as “Mustang Panda” continues to exploit big political changes to obtain access to key networks.

According to Reuters’ report, the group used a rapidly unfolding geopolitical situation to tempt targets into opening malicious files, which might allow hackers to steal data and maintain access to compromised systems.

Researchers say the endeavour was discovered through technical analysis rather than victim disclosures, and it’s unclear whether any targets were effectively infected.

Malware discovered using a public analysis platform

Acronis’ Threat Research Unit discovered the campaign after identifying a suspicious zip file uploaded to a public malware analysis site.

The file, titled “US Now Deciding What’s Next for Venezuela,” was uploaded on January 5.

The malware in the archive shared code and infrastructure with earlier cyberespionage activity that industry analysts have linked to Mustang Panda.

In a report summarising their findings, Acronis researchers stated that these overlaps helped link the newly detected malware to the group’s previous activity.

According to the investigation, if the malware was implanted on a target’s machine, its operators would have been able to steal data and establish persistence, allowing for continued access.

However, the researchers stated that they were unable to identify the campaign’s exact targets or establish whether any infections were effective.

Timing relative to the US operation

According to the analysis, the malware in the zip file was compiled at 0655 GMT on January 3, barely hours after the United States launched its operation to arrest Maduro.

A sample of the malware was then uploaded to the analysis sandbox at 0827 GMT on January 5.

The researchers report that Maduro and his wife, Cilia Flores, pleaded not guilty to narcotics and weapons charges in a Manhattan courthouse on the same day.

The close alignment between the malware’s creation and the unfolding events in Venezuela indicated that the hackers were aiming to capitalise on the heightened interest in the situation.

According to Acronis researchers, the suspected targets included US government bodies and unspecified policy-related groups.

This assessment was based on technical indicators associated with the malware sample and the types of organisations that Mustang Panda has previously targeted.

Signs of speed over precision

Subhajeet Singha, a reverse engineer and malware expert at Acronis and one of the report’s authors, stated that the campaign appeared rushed in comparison to previous operations attributed to the group.

“These guys were in haste,” Singha explained, adding that the hackers’ work did not reach the same quality standards as prior Mustang Panda operations.

That hurry, he claimed, left behind technical artefacts that allowed experts to link the infection to previous efforts.

The apparent urgency highlighted how the group responds to rapidly changing geopolitical circumstances, tailoring its lures to current headlines in an attempt to increase the likelihood that targets will engage with malicious content.

Official responses and attributions

In a January 2025 statement, the US Department of Justice branded Mustang Panda as a “group of hackers sponsored by the People’s Republic of China,” claiming the organisation was paid to create surveillance malware and access targeted networks.

In an email, a representative for the Chinese embassy in Washington rejected the portrayal, saying, “China has consistently opposed and legally combated all forms of hacking activities, and will never encourage, support, or condone cyberattacks. China strongly condemns the spread of false information regarding alleged ‘Chinese cyber threats’ for political purposes.”

The FBI declined to comment on the research findings.

While the campaign’s impact is unknown, the case demonstrates how cyberespionage groups continue to use global political crises as entry points into government and policy-related networks, the researchers added.

The post “China-linked hackers used Venezuela crisis as lure in US-focused phishing” appeared first on Invezz.