Chinese Hackers Distribute Pubload Malware via Tibetan Community Lures and Malicious Filenames

Cybersecurity researchers at IBM X-Force identified a new wave of cyberattacks orchestrated by the China-aligned threat actor Hive0154.

The campaign leverages the Pubload malware, distributed via spear-phishing emails that exploit sensitive topics relevant to the Tibetan community.

This activity coincides with heightened global attention on Tibet, particularly surrounding the Dalai Lama’s 90th birthday and recent international events focused on Tibetan sovereignty.

Hive0154’s latest campaign is characterized by the use of lure documents and filenames referencing high-profile Tibetan issues.

Notably, phishing emails have referenced the 9th World Parliamentarians’ Convention on Tibet (WPCT) held in Tokyo, China’s education policy in the Tibet Autonomous Region (TAR), and the Dalai Lama’s recent publication “Voice for the Voiceless.”

Figure: Example Hive0154 phishing email from a campaign in April 2025.

According to the IBM X-Force report, these lures are designed to increase the likelihood of engagement from recipients within the Tibetan community and their supporters.

The phishing emails typically contain links to Google Drive-hosted archives which, when downloaded, include both benign documents and malicious executables.

The malicious files are often disguised with filenames identical to legitimate documents or images, such as “9th WPCT Region-Wise Action Plans on Tibet.exe” or “Voice for the Voiceless photos.exe.” This tactic increases the risk of accidental execution by unsuspecting users.

Pubload Infection Chain

The infection chain begins with the delivery of a weaponized archive containing a benign executable vulnerable to DLL sideloading and a malicious Claimloader DLL.

Figure: Pubload infection chain.

Once executed, Claimloader creates a mutex, copies itself to a concealed directory such as C:\ProgramData\AdobeLicensingPlugin\, and modifies the Windows registry so that it runs at each user login, establishing persistence.

The loader decrypts an embedded, TripleDES-encrypted Pubload payload, dynamically resolves the API imports it needs, and injects the payload.

After a series of timed delays, the shellcode is executed in memory, leading to the deployment of the Pubload backdoor.

Pubload, in turn, downloads additional payloads such as the Pubshell module, which provides attackers with a reverse shell for immediate remote access.

Broader Targeting

While the primary focus of this campaign is the Tibetan diaspora, Hive0154 has also targeted entities in the United States, including files referencing U.S. Navy Pacific Fleet working groups and strategic mineral policy discussions.

The group’s phishing tactics are highly adaptive, with filenames and lure content tailored to the geopolitical interests of their intended victims.

Hive0154, also tracked as Mustang Panda, Stately Taurus, and other aliases, is known for its extensive malware arsenal and persistent targeting of government, policy, and advocacy organizations.

The group’s use of custom loaders, backdoors, and USB worms underscores its sophistication and ongoing evolution.

Security experts advise organizations, especially those involved in Tibetan advocacy or related geopolitical matters, to exercise extreme caution with unsolicited emails, particularly those containing download links or archives.

Network defenders should monitor for suspicious file activity, persistence mechanisms in the registry, and unusual outbound connections, especially those involving TLS 1.2 packets without a preceding handshake, which may indicate Pubload or related malware activity.
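The handshake-less TLS indicator above can be turned into a flow-level check. The following is an added example, not code from IBM X-Force or from this article: it parses the TLS record headers of a client-to-server byte stream and flags streams whose first record is TLS 1.2 Application Data with no Handshake record anywhere before it. The sample flows are constructed, not captured.

```python
import struct
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
TLS_1_2 = 0x0303
KNOWN_CONTENT_TYPES = {0x14, 0x15, TLS_HANDSHAKE, TLS_APPLICATION_DATA}
KNOWN_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}


@dataclass
class TlsRecord:
    content_type: int
    version: int
    length: int


def parse_records(payload: bytes) -> list[TlsRecord]:
    """Split a client->server stream into TLS record headers (5 bytes each).
    Parsing stops at the first thing that does not look like a TLS record,
    so plain HTTP or random bytes yield an empty list."""
    records: list[TlsRecord] = []
    off = 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack_from("!BHH", payload, off)
        if ctype not in KNOWN_CONTENT_TYPES or version not in KNOWN_VERSIONS:
            break
        records.append(TlsRecord(ctype, version, length))
        off += 5 + length
    return records


def is_handshakeless_tls(payload: bytes) -> bool:
    """True when a stream opens with TLS 1.2 Application Data and never
    carries a Handshake record. Only apply this to flows whose start (SYN)
    was observed; a mid-flow capture would trip it legitimately."""
    records = parse_records(payload)
    if not records:
        return False
    first = records[0]
    if first.content_type != TLS_APPLICATION_DATA or first.version != TLS_1_2:
        return False
    return all(r.content_type != TLS_HANDSHAKE for r in records)


def tls_record(ctype: int, version: int, body: bytes) -> bytes:
    """Build one TLS record (header + body) for the constructed samples."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample flows, all assumed to be the client side toward port 443.
NORMAL_FLOW = tls_record(TLS_HANDSHAKE, 0x0301, b"\x01" + b"\x00" * 40) + tls_record(TLS_APPLICATION_DATA, TLS_1_2, b"\xaa" * 32)
SUSPECT_FLOW = tls_record(TLS_APPLICATION_DATA, TLS_1_2, b"\xbb" * 64) + tls_record(TLS_APPLICATION_DATA, TLS_1_2, b"\xcc" * 16)
NOT_TLS_FLOW = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```

Run against reassembled client streams from a flow recorder; a hit is a lead for triage against the registry and file-system artefacts described earlier, not proof of Pubload on its own.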

Indicators of Compromise (IOC)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
