VERY IMPORTANT

A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process commands from a disguised PDF. The malware, a trojanized version of PDF-XChange Driver Installer, dynamically resolves API calls to evade detection and establishes persistence through registry modification. It connects to a C2 server at 154.90.47.77 over TCP Port 443, with geo-locking to Thailand. This campaign appears to be part of a broader effort targeting Thai officials, highlighting the ongoing cyber espionage landscape in Southeast Asia.