threatintel
actor tracker
IOC pivot
ioc · sha-256

85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

CN · ChinaMustang Pandaconfidence · high

SHA-256 of `AvastSvc.exe`, the legitimate Avast binary abused for DLL side-loading by the Mustang Panda PlugX USB worm. Listed alongside the malicious DLL in the Sophos IOC table; drops the side-load triad into `%userprofile%/AvastSvcpCP/`.

family
PlugX
first seen
Mar 8, 2023
publisher
Sophos X-Ops
source citation