Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.[1][2][3]

ID: G0129
Associated Groups: TA416, RedDelta, BRONZE PRESIDENT
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.1
Created: 12 April 2021
Last Modified: 16 April 2025

Associated Group Descriptions

Name Description
TA416 [4]
RedDelta [5][6]
BRONZE PRESIDENT [3]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Mustang Panda has acquired C2 domains prior to operations.[3][5][8]

Mustang Panda registered adversary-controlled domains during RedDelta Modified PlugX Infection Chain Operations that were re-registrations of expired domains.[7]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mustang Panda has communicated with its C2 via HTTP POST requests.[2][3][5][8]

Mustang Panda used HTTP POST messages for command and control from PlugX installations during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[3][9]

.003 Archive Collected Data: Archive via Custom Method

Mustang Panda has encrypted documents with RC4 prior to exfiltration.[9]

Enterprise T1119 Automated Collection

Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.[4]

Mustang Panda used Run registry keys with names such as OneNote Update to execute legitimate executables that loaded malicious DLLs through search-order hijacking, ensuring persistence during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mustang Panda has used malicious PowerShell scripts to enable execution.[1][2]

Mustang Panda used LNK files to execute PowerShell commands leading to eventual PlugX installation during RedDelta Modified PlugX Infection Chain Operations.[7]

.003 Command and Scripting Interpreter: Windows Command Shell

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[2][9]

.005 Command and Scripting Interpreter: Visual Basic

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[1][2][3]

Enterprise T1074 .001 Data Staged: Local Data Staging

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.[3][9]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mustang Panda has encrypted C2 communications with RC4.[5]

Enterprise T1585 .002 Establish Accounts: Email Accounts

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[6]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[3]

Enterprise T1480 Execution Guardrails

Mustang Panda included the use of Cloudflare geofencing mechanisms to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[9]

Enterprise T1203 Exploitation for Client Execution

Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[1]

Mustang Panda used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1083 File and Directory Discovery

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[9]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.[9]

Mustang Panda stored encrypted payloads associated with PlugX installation in hidden directories during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1574 .001 Hijack Execution Flow: DLL

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][5][4]

Mustang Panda used DLL search order hijacking on vulnerable applications to install PlugX payloads during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1070 .004 Indicator Removal: File Deletion

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[3]

Enterprise T1105 Ingress Tool Transfer

Mustang Panda has downloaded additional executables following the initial infection stage.[5]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Mustang Panda masqueraded Registry run keys as legitimate-looking service names such as OneNote Update during RedDelta Modified PlugX Infection Chain Operations.[7]

.005 Masquerading: Match Legitimate Resource Name or Location

Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.[5]

.007 Masquerading: Double File Extension

Mustang Panda has used an additional filename extension to hide the true file type.[1][2]

Enterprise T1095 Non-Application Layer Protocol

Mustang Panda communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1027 Obfuscated Files or Information

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[1][2][3][5][4][6]

.013 Encrypted/Encoded File

Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations.[7]

.016 Junk Code Insertion

Mustang Panda has used junk code within their DLL files to hinder analysis.[9]

Enterprise T1588 .004 Obtain Capabilities: Digital Certificates

Mustang Panda acquired Cloudflare Origin CA TLS certificates during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1003 .003 OS Credential Dumping: NTDS

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM Registry hive to help extract the NTDS.dit file.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Mustang Panda has used spearphishing attachments to deliver initial access payloads.[5][4][10]

Mustang Panda leveraged malicious attachments in spearphishing emails for initial access to victim environments in RedDelta Modified PlugX Infection Chain Operations.[7]

.002 Phishing: Spearphishing Link

Mustang Panda has delivered malicious links to their intended targets.[8]

Mustang Panda distributed malicious links in phishing emails leading to HTML files that, based on User-Agent fingerprinting, directed victims running Windows to malicious MSC files during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Mustang Panda has delivered web bugs to profile their intended targets.[6]

Enterprise T1057 Process Discovery

Mustang Panda has used tasklist /v to determine active process information.[9]

Enterprise T1090 Proxy

Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

Mustang Panda has installed TeamViewer on targeted systems.[3]

Enterprise T1091 Replication Through Removable Media

Mustang Panda has used a customized PlugX variant which could spread through USB connections.[9]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[2][3][8]

Enterprise T1518 Software Discovery

Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.[2]

Enterprise T1608 Stage Capabilities

Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.[6]

.001 Upload Malware

Mustang Panda has hosted malicious payloads on Dropbox including PlugX.[6]

Mustang Panda staged malware on adversary-controlled domains and cloud storage instances during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Mustang Panda used legitimate, signed binaries such as inkform.exe or ExcelRepairToolboxLauncher.exe for follow-on execution of malicious DLLs through DLL search order hijacking in RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.[2]

.005 System Binary Proxy Execution: Mshta

Mustang Panda has used mshta.exe to launch collection scripts.[3]

.007 System Binary Proxy Execution: Msiexec

Mustang Panda's initial payloads downloaded a Windows Installer MSI file that in turn dropped follow-on files leading to installation of PlugX during RedDelta Modified PlugX Infection Chain Operations.[7]

.014 System Binary Proxy Execution: MMC

Mustang Panda used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1082 System Information Discovery

Mustang Panda has gathered system information using systeminfo.[9]

Mustang Panda captured victim operating system type via User Agent analysis during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1016 System Network Configuration Discovery

Mustang Panda has used ipconfig and arp to determine network configuration information.[9]

Enterprise T1049 System Network Connections Discovery

Mustang Panda has used netstat -ano to determine network connection information.[9]
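The Run-key persistence (T1547.001), NTDS.dit extraction via vssadmin and reg save (T1003.003), and the tasklist/systeminfo/ipconfig/arp/netstat discovery chain described above are all visible in ordinary host telemetry. The following detection sketch is an added example written for this page; it is not ATT&CK content or code from any referenced report. It runs three heuristics over constructed, Sysmon-like events; the event field names (host, ts, type, key, data, cmdline), hostnames and file paths are assumptions of the example, and the AdobelmdyU value name is the one quoted on the page.

```python
"""
Added detection example (not from the ATT&CK page or any vendor report):
simple heuristics over constructed, Sysmon-like events for three behaviours
described on the page. Field names are an assumption of this example.
"""
import re
from collections import defaultdict

# Constructed sample telemetry, not real logs. Hosts and paths are invented;
# the AdobelmdyU value name is the one cited on the page.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU",
     "data": r"C:\Users\alice\AppData\Roaming\Adobe\adobeupdate.exe"},
    {"host": "ws01", "ts": 101, "type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"host": "dc01", "ts": 200, "type": "process_create",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "dc01", "ts": 205, "type": "process_create",
     "cmdline": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"host": "ws02", "ts": 300, "type": "process_create", "cmdline": "tasklist /v"},
    {"host": "ws02", "ts": 310, "type": "process_create", "cmdline": "netstat -ano"},
    {"host": "ws02", "ts": 320, "type": "process_create", "cmdline": "ipconfig /all"},
    {"host": "ws02", "ts": 330, "type": "process_create", "cmdline": "arp -a"},
    {"host": "ws03", "ts": 400, "type": "process_create", "cmdline": "ipconfig /all"},
]

# T1547.001: a Run/RunOnce value whose program lives outside the usual
# installation directories (i.e. in a user-writable location) deserves review.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def run_key_target(data):
    """Return the program path at the start of a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def suspicious_run_keys(events):
    """(host, value name, program path) for Run values pointing outside TRUSTED_DIRS."""
    findings = []
    for ev in events:
        if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
            continue
        target = run_key_target(ev["data"])
        if not target.lower().startswith(TRUSTED_DIRS):
            findings.append((ev["host"], ev["key"].rsplit("\\", 1)[-1], target))
    return findings


# T1003.003: shadow-copy creation and SYSTEM hive export are the two steps
# the page attributes to the group; either alone is worth an alert on a DC.
NTDS_PATTERNS = [
    ("vssadmin shadow copy creation",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.IGNORECASE)),
    ("registry SYSTEM hive export",
     re.compile(r"\breg(\.exe)?\s+save\b.*\bhklm\\system\b", re.IGNORECASE)),
    ("direct reference to NTDS.dit", re.compile(r"ntds\.dit", re.IGNORECASE)),
]


def ntds_extraction(events):
    """(host, label, command line) for each process event matching a pattern."""
    findings = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        for label, pattern in NTDS_PATTERNS:
            if pattern.search(ev["cmdline"]):
                findings.append((ev["host"], label, ev["cmdline"]))
                break
    return findings


# T1057 / T1082 / T1016 / T1049: several distinct discovery commands from one
# host inside a short window is the chain described on the page.
DISCOVERY_CMDS = ("tasklist", "systeminfo", "ipconfig", "arp", "netstat")


def discovery_bursts(events, window=300, min_distinct=3):
    """(host, sorted distinct discovery commands) per host that exceeds the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["type"] != "process_create":
            continue
        first = ev["cmdline"].strip().split(" ", 1)[0].lower().rsplit("\\", 1)[-1]
        if first.endswith(".exe"):
            first = first[:-4]
        if first in DISCOVERY_CMDS:
            per_host[ev["host"]].append((ev["ts"], first))
    findings = []
    for host, items in per_host.items():
        items.sort()
        for ts, _ in items:
            seen = {name for t, name in items if ts <= t <= ts + window}
            if len(seen) >= min_distinct:
                findings.append((host, tuple(sorted(seen))))
                break
    return findings


def analyze(events):
    """Run all three heuristics and return their findings keyed by rule name."""
    return {
        "run_key_persistence": suspicious_run_keys(events),
        "ntds_extraction": ntds_extraction(events),
        "discovery_burst": discovery_bursts(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        for hit in hits:
            print(rule, hit)
```

The Run-key rule deliberately keys on where the program lives rather than on the value name, because the page shows the group choosing plausible names (AdobelmdyU, OneNote Update) while the loader sits in a non-standard path; the discovery rule tolerates full paths and the `.exe` suffix so that `C:\Windows\System32\netstat.exe -ano` and `netstat -ano` count as the same command.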

Enterprise T1204 .001 User Execution: Malicious Link

Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.[1][8][6]

Mustang Panda distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file during RedDelta Modified PlugX Infection Chain Operations.[7]

.002 User Execution: Malicious File

Mustang Panda has sent malicious files requiring direct victim interaction to execute.[1][2][9][5][10][6]

Mustang Panda distributed malicious LNK objects for user execution during RedDelta Modified PlugX Infection Chain Operations.[7]

Enterprise T1102 Web Service

Mustang Panda has used Dropbox URLs to deliver variants of PlugX.[6]

Enterprise T1047 Windows Management Instrumentation

Mustang Panda has executed PowerShell scripts via WMI.[2][3]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2][3][5][8] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0590 NBTscan [3] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0013 PlugX [1][2][3][9][5][6] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Non-Standard Port, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 PoisonIvy [1][5] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0662 RCSession [3] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Compression, Obfuscated Files or Information: Fileless Storage, Process Discovery, Process Injection: Process Hollowing, Screen Capture, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery
S0596 ShadowPad Mustang Panda used similar installation techniques with DLL sideloading to install ShadowPad during RedDelta Modified PlugX Infection Chain Operations.[7] Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal, Ingress Tool Transfer, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery

References