Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]

ID: G0129
Associated Groups: TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet; Jiraput Thamsongkrah; ZScaler ThreatLabz
Version: 3.0
Created: 12 April 2021
Last Modified: 04 November 2025

Associated Group Descriptions

Name Description
TA416 [14]
RedDelta [15][16]
BRONZE PRESIDENT [5][11][12]
STATELY TAURUS [10][17][18][19][20][21]
FIREANT [19]
CAMARO DRAGON [22]
EARTH PRETA [23][24][25][26]
HIVE0154 [27][28]
TWILL TYPHOON [29]
TANTALUM [29]
LUMINOUS MOTH [29]
UNC6384 [30]
TEMP.Hex [30]
Red Lich [31]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Mustang Panda has utilized AdFind to identify domain users.[20]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Mustang Panda has acquired C2 domains prior to operations.[5][21][33][15][25][30][17][10][34]

Mustang Panda registered adversary-controlled domains during RedDelta Modified PlugX Infection Chain Operations that were re-registrations of expired domains.[32]

.006 Acquire Infrastructure: Web Services

Mustang Panda has set up Dropbox and Google Drive to host malicious downloads.[23]

Enterprise T1557 Adversary-in-the-Middle

Mustang Panda leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload.[30]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mustang Panda has communicated with its C2 via HTTP POST requests.[3][5][15][17][34]

Mustang Panda used HTTP POST messages for command and control from PlugX installations during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[5][35] Mustang Panda has used WinRAR "Rar.exe" to archive stolen files before exfiltration.[18] Mustang Panda has also used TONESHELL and post-exploitation tools such as RemCom and Impacket to execute WinRAR rar.exe to archive files for exfiltration.[20]

.003 Archive Collected Data: Archive via Custom Method

Mustang Panda has encrypted documents with RC4 prior to exfiltration.[35]

Enterprise T1119 Automated Collection

Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.[14] Mustang Panda has also established persistence via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[7][12]

Mustang Panda used Run registry keys with names such as OneNote Update to execute legitimate executables that loaded malicious DLLs through search-order hijacking, ensuring persistence during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1059 Command and Scripting Interpreter

Mustang Panda has utilized meterpreter shellcode.[4]

.001 PowerShell

Mustang Panda has used malicious PowerShell scripts to enable execution.[3][9][18]

Mustang Panda used LNK files to execute PowerShell commands leading to eventual PlugX installation during RedDelta Modified PlugX Infection Chain Operations.[32]

.003 Windows Command Shell

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[3][35] Mustang Panda has also utilized cmd.exe to execute commands on an infected host such as cmd.exe /c ping.exe 8.8.8.8 -n 70&&"%temp%\FontEDL.exe".[4]

.005 Visual Basic

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[3][5][9] Mustang Panda has also used VBA macros in maldocs to execute malicious DLLs.[4] Mustang Panda also utilized a VBScript, "autorun.vbs", that established persistence by being saved in the Startup directory so that it ran each time the machine was turned on.[20]

.007 JavaScript

Mustang Panda has executed a JavaScript payload utilizing wscript.exe on the endpoint.[4]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Mustang Panda has compromised legitimate email accounts to use in their spear-phishing operations.[23]

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

Mustang Panda has utilized TLS record headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. Mustang Panda has used FakeTLS to communicate with its C2 servers.[13]

Enterprise T1074 .001 Data Staged: Local Data Staging

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.[5][35]

Enterprise T1622 Debugger Evasion

Mustang Panda has embedded debug strings with messages to distract analysts.[23] Mustang Panda has also called the Windows API CheckRemoteDebuggerPresent and exited if a debugger was detected.[12]

Enterprise T1678 Delay Execution

Mustang Panda has delayed the execution of payloads using ping echo requests, e.g. cmd /c ping 8.8.8.8 -n 70&&"%temp%\<legitimate executable>".[2][11]

Enterprise T1140 Deobfuscate/Decode Files or Information

Mustang Panda has the ability to decrypt its payload prior to execution.[33][7][10][12] Mustang Panda has also utilized RC4 encryption for malicious payloads.[30][17]

Enterprise T1587 .001 Develop Capabilities: Malware

Mustang Panda has developed custom malware for use in their operations.[2][4]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mustang Panda has encrypted C2 communications with RC4.[2][15] Mustang Panda has also leveraged encryption and compression algorithms to obfuscate the traffic between the system and the C2 server; observed methods included RC4, AES, XOR with 0x5a, and LZO.[17]

Enterprise T1585 .002 Establish Accounts: Email Accounts

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[16] Mustang Panda has also created fake Google accounts to distribute malware via spear-phishing emails.[23] Mustang Panda has also created accounts for spearphishing operations including the use of services such as Proton Mail.[27][28]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[5]

Enterprise T1480 Execution Guardrails

Mustang Panda included the use of Cloudflare geofencing mechanisms to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Mustang Panda has used FTP to exfiltrate archive files.[20]

Enterprise T1041 Exfiltration Over C2 Channel

Mustang Panda has exfiltrated stolen data and files to its C2 server.[4][7][11]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[35]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Mustang Panda has exfiltrated archived files to cloud services such as Dropbox using curl.[20][18]

Enterprise T1203 Exploitation for Client Execution

Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[9]

Mustang Panda used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1083 File and Directory Discovery

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[35][20]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.[35] Mustang Panda has also modified file attributes to hidden and system.[2]

Mustang Panda stored encrypted payloads associated with PlugX installation in hidden directories during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1574 .001 Hijack Execution Flow: DLL

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][3][4][19][7][15][20][25][23][14][17][11][36][13] Mustang Panda has abused legitimate executables to side-load malicious DLLs.[21][33][27][28][30]

Mustang Panda used DLL search order hijacking on vulnerable applications to install PlugX payloads during RedDelta Modified PlugX Infection Chain Operations.[32]

.005 Hijack Execution Flow: Executable Installer File Permissions Weakness

Mustang Panda has leveraged legitimate software installer executables such as Setup Factory "IRSetup.exe" to drop and execute their payload.[25]

Enterprise T1070 Indicator Removal

Mustang Panda has deleted registry keys used to store data and maintain persistence.[2]

.004 File Deletion

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[5][36]

.006 Timestomp

Mustang Panda has modified file timestamps from the export address table (EAT) in malware to make it difficult to identify creation times.[10]

Enterprise T1105 Ingress Tool Transfer

Mustang Panda has downloaded additional executables following the initial infection stage.[2][4][15][11] Mustang Panda has also leveraged Visual Studio Code code.exe and Dev Tunnels using DevTunnel.exe to propagate additional tools and payloads.[18]

Enterprise T1654 Log Enumeration

Mustang Panda has used Wevtutil to gather Windows Security Event Logs.[20]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Mustang Panda masqueraded Registry run keys as legitimate-looking service names such as OneNote Update during RedDelta Modified PlugX Infection Chain Operations.[32]

.005 Masquerading: Match Legitimate Resource Name or Location

Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.[15] Mustang Panda has also masqueraded legitimate browser plugin updates to include AdobePlugins.exe.[30]

.007 Masquerading: Double File Extension

Mustang Panda has used an additional filename extension to hide the true file type.[9][3]

.008 Masquerading: Masquerade File Type

Mustang Panda has masqueraded malicious executables as legitimate files that download PlugX malware.[7][11]

Enterprise T1106 Native API

Mustang Panda has used various Windows API calls during execution and defense evasion.[2][19][33][27][28][25][23][30][10][12][36][13]

Enterprise T1046 Network Service Discovery

Mustang Panda has leveraged NBTscan to scan IP networks.[20]

Enterprise T1095 Non-Application Layer Protocol

Mustang Panda has utilized TCP-based reverse shells using cmd.exe.[4]

Mustang Panda communicated over TCP port 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1027 Obfuscated Files or Information

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[3][4][5][15][9][23][14][16][17][11][36][13] Mustang Panda has also utilized opaque predicates in payloads to hinder analysis.[2]

.007 Dynamic API Resolution

Mustang Panda has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.[2]

.012 LNK Icon Smuggling

Mustang Panda has utilized LNK files to hide malicious scripts for execution.[4][12] Mustang Panda has also leveraged LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.[21]

.013 Encrypted/Encoded File

Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations.[32]

.016 Junk Code Insertion

Mustang Panda has used junk code within their DLL files to hinder analysis.[2][35]

Enterprise T1588 .002 Obtain Capabilities: Tool

Mustang Panda has obtained and leveraged publicly-available tools for intrusion activities.[4][20]

.003 Obtain Capabilities: Code Signing Certificates

Mustang Panda has used revoked code signing certificates for its malicious payloads.[36]

.004 Obtain Capabilities: Digital Certificates

Mustang Panda has obtained SSL certificates for their C2 domains.[7][30]

Mustang Panda acquired Cloudflare Origin CA TLS certificates during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1003 OS Credential Dumping

Mustang Panda utilized "Hdump" to dump credentials from memory.[20]

.001 LSASS Memory

Mustang Panda has harvested credentials from the memory of lsass.exe with Mimikatz.[20]

.003 NTDS

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM registry hive to help extract the NTDS.dit file.[5][20]

.006 DCSync

Mustang Panda has leveraged Mimikatz DCSync feature to obtain user credentials.[20]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Mustang Panda has leveraged AdFind to enumerate domain groups.[20]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Mustang Panda has used spearphishing attachments to deliver initial access payloads.[4][21][33][27][28][37][15][24][14] Mustang Panda has also delivered archive files such as RAR and ZIP files containing legitimate EXEs and malicious DLLs.[33][27][28]

Mustang Panda leveraged malicious attachments in spearphishing emails for initial access to victim environments in RedDelta Modified PlugX Infection Chain Operations.[32]

.002 Phishing: Spearphishing Link

Mustang Panda has delivered malicious links to their intended targets.[27][28][34] Mustang Panda has distributed spear-phishing emails with embedded links that direct the victim to a malicious archive hosted on Google or Dropbox.[23]

Mustang Panda distributed malicious links in phishing emails leading to HTML files that, based on User-Agent fingerprinting, directed victims running Windows to malicious MSC files during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Mustang Panda has delivered web bugs to profile their intended targets.[16]

Enterprise T1057 Process Discovery

Mustang Panda has used tasklist /v to determine active process information.[35] Mustang Panda has also used TONESHELL malware to check the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.[23]

Enterprise T1572 Protocol Tunneling

Mustang Panda has leveraged OpenSSH (sshd.exe) to execute commands, transfer files, and spread across the environment, communicating over SMB port 445.[18]

Enterprise T1090 Proxy

Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1219 .001 Remote Access Tools: IDE Tunneling

Mustang Panda has utilized an established GitHub account to create a tunnel within the victim environment using Visual Studio Code through the code.exe tunnel command.[18]

.002 Remote Access Tools: Remote Desktop Software

Mustang Panda has installed TeamViewer on targeted systems.[5]

Enterprise T1018 Remote System Discovery

Mustang Panda has queried Active Directory for computers using AdFind.[20] Mustang Panda has also utilized SharpNBTScan to scan the victim environment.[18]

Enterprise T1091 Replication Through Removable Media

Mustang Panda has used a customized PlugX variant which could spread through USB connections.[35]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[3][4][5][34] Mustang Panda has also created a scheduled task that creates a reverse shell.[18]

Enterprise T1593 Search Open Websites/Domains

Mustang Panda has used open-source research to identify information about victims for targeting, including the creation of weaponized phishing lures and attachments.[27][28]

Enterprise T1505 .003 Server Software Component: Web Shell

Mustang Panda has used China Chopper web shells to maintain access to victims’ environments.[20]

Enterprise T1129 Shared Modules

Mustang Panda has leveraged LoadLibrary to load DLLs.[2]

Enterprise T1072 Software Deployment Tools

Mustang Panda has leveraged legitimate software tools such as antivirus agents, security services, and app development tools to execute scripts and to side-load DLLs.[20][25]

Enterprise T1518 Software Discovery

Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.[3]

Enterprise T1176 .002 Software Extensions: IDE Extensions

Mustang Panda has leveraged Visual Studio Code’s (VSCode) embedded reverse shell feature using the command code.exe tunnel to execute code and deliver additional payloads.[18]

Enterprise T1608 Stage Capabilities

Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.[16]

.001 Upload Malware

Mustang Panda has hosted malicious payloads on DropBox including PlugX.[16]

Mustang Panda staged malware on adversary-controlled domains and cloud storage instances during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Mustang Panda has used valid, legitimate digital signatures and certificates to evade detection.[21][33][30][17][10][11][36][13]

Mustang Panda used legitimate, signed binaries such as inkform.exe or ExcelRepairToolboxLauncher.exe for follow-on execution of malicious DLLs through DLL search order hijacking in RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.[3]

.005 System Binary Proxy Execution: Mshta

Mustang Panda has used mshta.exe to launch collection scripts.[5]

.007 System Binary Proxy Execution: Msiexec

Mustang Panda's initial payloads downloaded a Windows Installer MSI file that in turn dropped follow-on files leading to the installation of PlugX during RedDelta Modified PlugX Infection Chain Operations.[32]

.014 System Binary Proxy Execution: MMC

Mustang Panda used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1082 System Information Discovery

Mustang Panda has gathered system information using systeminfo.[35]

Mustang Panda captured victim operating system type via User Agent analysis during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1016 System Network Configuration Discovery

Mustang Panda has used ipconfig and arp to determine network configuration information.[35] Mustang Panda has also utilized SharpNBTScan to scan the victim environment.[18]

Enterprise T1049 System Network Connections Discovery

Mustang Panda has used netstat -ano to determine network connection information.[35]

Enterprise T1205 Traffic Signaling

Mustang Panda has utilized a "magic packet" value in C2 communications and only executes in memory when response packets match specific values of "17 03 03" or "46 77 4d".[21]

Enterprise T1204 .001 User Execution: Malicious Link

Mustang Panda has sent malicious links, including links directing victims to a Google Drive folder.[27][28][9][23][16][34] Mustang Panda has also utilized webpages with JavaScript code that downloads malicious payloads to the victim device.[30]

Mustang Panda distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file during RedDelta Modified PlugX Infection Chain Operations.[32]

.002 User Execution: Malicious File

Mustang Panda has sent malicious files requiring direct victim interaction to execute.[3][21][27][28][35][37][15][9][16][36] Mustang Panda has also leveraged executable files that display decoy documents, with customized themes related to the victim, to lend an appearance of legitimacy.[2][4][33][7][24][25][23][17][10][11][12]

Mustang Panda distributed malicious LNK objects for user execution during RedDelta Modified PlugX Infection Chain Operations.[32]

Enterprise T1102 Web Service

Mustang Panda has used DropBox URLs to deliver variants of PlugX.[16] Mustang Panda has also used Google Drive to host malicious downloads.[27]

Enterprise T1047 Windows Management Instrumentation

Mustang Panda has executed PowerShell scripts via WMI.[3][5]

Software

ID Name References Techniques
S0552 AdFind Mustang Panda has utilized AdFind for enumerating domain groups, users, and computers.[20] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S1226 BOOKWORM [19][10] Application Layer Protocol: Web Protocols, Clipboard Data, Create or Modify System Process: Windows Service, Data Obfuscation: Protocol or Service Impersonation, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Hide Artifacts: Hidden Window, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information, Subvert Trust Controls: Code Signing, System Owner/User Discovery
S1237 CANONSTAGER [30] Hide Artifacts: Hidden Window, Hijack Execution Flow: DLL, Masquerading: Match Legitimate Resource Name or Location, Native API, Obfuscated Files or Information: Dynamic API Resolution, Process Injection: Thread Local Storage
S0020 China Chopper Mustang Panda has used China Chopper web shells to maintain access to victims’ environments.[20] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S1236 CLAIMLOADER [27][28] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Deobfuscate/Decode Files or Information, Execution Guardrails: Mutual Exclusion, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Resource Name or Location, Native API, Obfuscated Files or Information: Dynamic API Resolution, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S0154 Cobalt Strike [2][3][5][15][20][9][34] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S1235 CorKLOG [36] Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL, Input Capture: Keylogging, Obfuscated Files or Information: Encrypted/Encoded File, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S1230 HIUPAN [28][24] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Delay Execution, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL, Modify Registry, Peripheral Device Discovery, Process Discovery, Replication Through Removable Media, User Execution: Malicious File
S0357 Impacket Mustang Panda leveraged Impacket to gather information about the network, discover devices, users and query directories on remote machines to identify files to exfiltrate.[20] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Lateral Tool Transfer, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0002 Mimikatz [20] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [5][20] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S1233 PAKLOG [36] Application Window Discovery, Clipboard Data, Data Staged: Local Data Staging, Hijack Execution Flow: DLL, Input Capture: Keylogging, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Subvert Trust Controls: Code Signing, System Time Discovery
S0013 PlugX [2][3][5][7][35][15][9][16][11] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: Hidden Window, Hijack Execution Flow: DLL, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Local Storage Discovery, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Non-Standard Port, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Process Discovery, Query Registry, Reflective Code Loading, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 PoisonIvy [2][15][9] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S1228 PUBLOAD [4][21][33][27][28][24][23][10][38] Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Obfuscation: Protocol or Service Impersonation, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Environmental Keying, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Hijack Execution Flow: DLL, Ingress Tool Transfer, Local Storage Discovery, Masquerading: Match Legitimate Resource Name or Location, Native API, Obfuscated Files or Information: Compression, Obfuscated Files or Information, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery: Wi-Fi Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery, Traffic Signaling, Windows Management Instrumentation
S0662 RCSession [5] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Compression, Obfuscated Files or Information: Fileless Storage, Process Discovery, Process Injection: Process Hollowing, Screen Capture, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery
S0596 ShadowPad [20] Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal, Ingress Tool Transfer, Local Storage Discovery, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S1234 SplatCloak [36] File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Masquerading: Invalid Code Signature, Native API, Software Discovery: Security Software Discovery, System Information Discovery
S1232 SplatDropper [36] Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL, Indicator Removal: Clear Persistence, Native API, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Encrypted/Encoded File, Subvert Trust Controls: Code Signing
S1227 StarProxy [13] Command and Scripting Interpreter, Data Obfuscation: Protocol or Service Impersonation, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL, Native API, Non-Application Layer Protocol, Proxy: Internal Proxy, System Time Discovery
S1238 STATICPLUGIN [30] Inter-Process Communication: Component Object Model, Masquerading: Masquerade File Type, Masquerading: Match Legitimate Resource Name or Location, Subvert Trust Controls: Code Signing, User Execution: Malicious File
S1239 TONESHELL [21][28][8][20][25][23][26][13][18] Access Token Manipulation: Create Process with Token, Account Discovery, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Non-Standard Encoding, Data Obfuscation: Protocol or Service Impersonation, Debugger Evasion, Delay Execution, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Environmental Keying, Execution Guardrails, Execution Guardrails: Mutual Exclusion, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Inter-Process Communication, Local Storage Discovery, Masquerading: Match Legitimate Resource Name or Location, Masquerading: Masquerade Task or Service, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: LNK Icon Smuggling, Process Discovery, Process Injection: Dynamic-link Library Injection, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Mavinject, System Information Discovery, System Owner/User Discovery, Traffic Signaling, Virtualization/Sandbox Evasion: User Activity Based Checks, Windows Management Instrumentation
S0645 Wevtutil Mustang Panda has leveraged Wevtutil to gather information about usernames and Windows Security Event logs.[20] Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs
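The Wevtutil row above maps one built-in tool to three techniques: reading the Security log to harvest usernames (Data from Local System), clearing logs, and switching logging off. The script below is an added detection example, not code from the page or from any of the cited reports; it triages constructed Windows Security events (process creation 4688 and "audit log was cleared" 1102) and labels each wevtutil.exe invocation with the technique it corresponds to. Host name WS01, user jdoe and every command line in SAMPLE_EVENTS are made up for the example.

```python
"""Triage Windows Security events for wevtutil.exe abuse: event-log collection
(T1005), log clearing (T1070.001) and disabled logging (T1562.002).
Added example; SAMPLE_EVENTS are constructed, not taken from any report."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# wevtutil verbs, short and long spellings, as accepted by the tool
QUERY_VERBS = {"qe", "query-events"}
CLEAR_VERBS = {"cl", "clear-log"}
SETLOG_VERBS = {"sl", "set-log"}


@dataclass
class Finding:
    computer: str
    user: str
    attack_id: str   # ATT&CK technique ID, or "info" for benign-looking use
    summary: str
    severity: str    # "low" | "medium" | "high"


def _tokens(cmdline: str) -> list[str]:
    """Split a Windows command line so a quoted argument that contains spaces
    (e.g. the XPath after /q:) stays one token; the quotes themselves are dropped."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def _is_wevtutil(event: dict) -> bool:
    """Match on the image path or on the first command-line token. A renamed copy
    of the binary would evade this check; Sysmon's OriginalFileName field would not."""
    image = ntpath.basename(event.get("NewProcessName", "")).lower()
    toks = _tokens(event.get("CommandLine", ""))
    first = ntpath.basename(toks[0]).lower() if toks else ""
    return image == "wevtutil.exe" or first in ("wevtutil", "wevtutil.exe")


def classify_wevtutil(cmdline: str) -> tuple[str, str, str] | None:
    """Return (attack_id, summary, severity) for a wevtutil command line,
    or None when there is no verb to classify."""
    toks = _tokens(cmdline)
    if len(toks) < 2:
        return None
    verb, args = toks[1].lower(), toks[2:]
    target = args[0] if args and not args[0].startswith("/") else "<none>"
    opts = {a.lower() for a in args if a.startswith("/")}
    if verb in QUERY_VERBS:
        # Reading the Security log is how logon events, and so usernames, are harvested
        sev = "high" if target.lower() == "security" else "medium"
        return "T1005", f"queried event log {target}: {' '.join(args)}", sev
    if verb in CLEAR_VERBS:
        return "T1070.001", f"cleared event log {target}", "high"
    if verb in SETLOG_VERBS and "/e:false" in opts:
        return "T1562.002", f"disabled logging for channel {target}", "high"
    return "info", f"wevtutil {verb} {target}", "low"


def triage(events: list[dict]) -> list[Finding]:
    """Walk 4688 (process creation) and 1102 (audit log cleared) events in order."""
    findings: list[Finding] = []
    for ev in events:
        host, user = ev.get("Computer", "?"), ev.get("SubjectUserName", "?")
        if ev.get("EventID") == 1102:
            # 1102 is written into the Security log as it is cleared, so it
            # survives the clear and corroborates a preceding `wevtutil cl Security`
            findings.append(Finding(host, user, "T1070.001",
                                    "Security log cleared (event 1102)", "high"))
        elif ev.get("EventID") == 4688 and _is_wevtutil(ev):
            hit = classify_wevtutil(ev.get("CommandLine", ""))
            if hit:
                attack_id, summary, sev = hit
                findings.append(Finding(host, user, attack_id, summary, sev))
    return findings


# Constructed sample events (host WS01 and user jdoe are made up)
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": 'wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text /c:200'},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "WEVTUTIL.EXE cl Security"},
    {"EventID": 1102, "Computer": "WS01", "SubjectUserName": "jdoe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil sl Microsoft-Windows-PowerShell/Operational /e:false"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil el"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.attack_id:10} {f.computer}/{f.user}: {f.summary}")
```

Two practical notes: 4688 only carries the command line if "Include command line in process creation events" is enabled by policy, and a `wevtutil cl Security` that ran without the required privilege produces a 4688 but no 1102, so the pairing of the two events is a useful confidence signal rather than a requirement.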

References

  1. The BlackBerry Research and Intelligence Team. (2022, October 6). Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims. Retrieved October 14, 2025.
  2. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
  3. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  4. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025.
  5. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  6. DOJ. (2024, December 20). Mag. No. 24-mj-1387 AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A NINTH SEARCH AND SEIZURE WARRANT- IN THE MATTER OF THE SEARCH AND SEIZURE OF COMPUTERS IN THE UNITED STATES INFECTED WITH PLUGX MALWARE. Retrieved September 9, 2025.
  7. EclecticIQ Threat Research Team. (2023, February 2). Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware. Retrieved September 9, 2025.
  8. Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025.
  9. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  10. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.
  11. Secureworks Counter Threat Unit Research Team. (2022, April 27). BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX. Retrieved September 9, 2025.
  12. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025.
  13. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025.
  14. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
  15. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  16. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  17. Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025.
  18. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.
  19. Broadcom Protection Bulletins. (2025, February 20). Bookworm malware linked to Fireant (aka Stately Tarurus) activity observed in Southeast Asia. Retrieved July 21, 2025.
  20. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
  21. CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025.
  22. Cohen, Itay. Madej, Radoslaw. Threat Intelligence Team. (2023, May 16). THE DRAGON WHO SOLD HIS CAMARO: ANALYZING CUSTOM ROUTER IMPLANT. Retrieved December 26, 2023.
  23. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
  24. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
  25. Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025.
  26. Sunny Lu, Vickie Su, Nick Dai. (2023, June 14). Behind the Scenes: Unveiling the Hidden Workings of Earth Preta. Retrieved September 10, 2025.
  27. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
  28. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
  29. Microsoft. (2025, September 8). How Microsoft names threat actors. Retrieved September 10, 2025.
  30. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.
  31. PWC UK. (2021, February 28). Cyber Threats 2020: A Year in Retrospect. Retrieved October 15, 2025.
  32. Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
  33. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025.
  34. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
  35. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  36. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025.
  37. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
  38. Unit42. (2024, March 26). ASEAN Entities in the Spotlight: Chinese APT Group Targeting. Retrieved August 4, 2025.