Trend Micro researchers have unveiled a large-scale phishing campaign worldwide targeting the government, academic, foundations, and research sectors, which are primarily located in Australia, Japan, Taiwan, Myanmar, and the Philippines.

Based on the report, they observed the campaign from March 2022 to October 2022 and linked this malicious campaign to an Advanced Persistent Threat (APT) group called Earth Preta(also known as Mustang Panda and Bronze President).


A. Nature of the Attack

The campaign uses fake Google accounts to distribute the malware via spear-phishing emails that are stored on Google Drive.

Throughout the campaign, the Trend Micro research team observed two new malware families used by the groups (TONEINS and TONESHELL), including PUBLOAD, a malware that was previously reported by Cisco Talos.


    A stager that can download the next-stage payload from its command-and-control (C&C) server. This malware was first disclosed by Cisco Talos in May 2022.


A first stage malware that will install the TONESHELL backdoor and establish the persistence for it.


The main backdoor used in this campaign. It is a shellcode loader that loads and decodes the backdoor shellcode with a 32-byte key in memory.


B. Indicators of Compromise

List of Indicators of Compromise can be viewed on the link below.

  • List of IoCs from Trend Micro: <>


C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
  • Regularly check and apply the latest patch of software, especially to public-facing applications.
  • In addition, providing and capacitating employees with cybersecurity knowledge and information to minimize threat.
  • For additional information, kindly refer to the official report