
G0129 Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. 30123689131625262728

Item Value
ID G0129
Associated Names TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich
Version 3.0
Created 12 April 2021
Last Modified 04 November 2025

Associated Group Descriptions

Name Description
TA416 21
RedDelta 1223
BRONZE PRESIDENT 62627
STATELY TAURUS 2524314157
FIREANT 4
CAMARO DRAGON 5
EARTH PRETA 19141829
HIVE0154 1011
TWILL TYPHOON 17
TANTALUM 17
LUMINOUS MOTH 17
UNC6384 20
TEMP.Hex 20
Red Lich 22

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Mustang Panda has utilized AdFind to identify domain users.15
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Mustang Panda has acquired C2 domains prior to operations.6734121820242533
enterprise T1583.006 Web Services Mustang Panda has set up Dropbox and Google Drive to host malicious downloads.19
enterprise T1557 Adversary-in-the-Middle Mustang Panda leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload.20
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Mustang Panda has communicated with its C2 via HTTP POST requests.26122433
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.632 Mustang Panda has used WinRAR “Rar.exe” to archive stolen files before exfiltration.31 Mustang Panda has also used TONESHELL and post-exploitation tools such as RemCom and Impacket to execute WinRAR rar.exe to archive files for exfiltration.15
enterprise T1560.003 Archive via Custom Method Mustang Panda has encrypted documents with RC4 prior to exfiltration.32
enterprise T1119 Automated Collection Mustang Panda used custom batch scripts to collect files automatically from a targeted system.6
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.21 Mustang Panda has also established persistence via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.927
enterprise T1059 Command and Scripting Interpreter Mustang Panda has utilized meterpreter shellcode.3
enterprise T1059.001 PowerShell Mustang Panda has used malicious PowerShell scripts to enable execution.21631
enterprise T1059.003 Windows Command Shell Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.232 Mustang Panda has also utilized cmd.exe to execute commands on an infected host such as cmd.exe /c ping.exe 8.8.8.8 -n 70&&"%temp%\FontEDL.exe".3
enterprise T1059.005 Visual Basic Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.2616 Mustang Panda has also used VBA macros in maldocs to execute malicious DLLs.3 Mustang Panda also utilized a VBS script, “autorun.vbs”, that established persistence by saving itself in the Startup directory so that it ran each time the machine booted.15
enterprise T1059.007 JavaScript Mustang Panda has executed a JavaScript payload utilizing wscript.exe on the endpoint.3
enterprise T1586 Compromise Accounts -
enterprise T1586.002 Email Accounts Mustang Panda has compromised legitimate email accounts to use in their spear-phishing operations.19
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol or Service Impersonation Mustang Panda has utilized TLS record headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. Mustang Panda has used FakeTLS to communicate with its C2 servers.28
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.632
enterprise T1622 Debugger Evasion Mustang Panda has embedded debug strings with messages to distract analysts.19 Mustang Panda has also made calls to Windows API CheckRemoteDebuggerPresent and exits if it detects a debugger.27
enterprise T1678 Delay Execution Mustang Panda has delayed the execution of payloads using ping echo requests, e.g. cmd /c ping 8.8.8.8 -n 70&&"%temp%\<legitimate executable>".126
enterprise T1140 Deobfuscate/Decode Files or Information Mustang Panda has the ability to decrypt its payload prior to execution.3492527 Mustang Panda has also utilized RC4 encryption for malicious payloads.2024
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Mustang Panda has developed custom malware for use in their operations.13
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Mustang Panda has encrypted C2 communications with RC4.112 Mustang Panda has also leveraged encryption and compression algorithms to obfuscate the traffic between the system and the C2 server; methods observed included RC4, AES, XOR with 0x5a, and LZO.24
enterprise T1585 Establish Accounts -
enterprise T1585.002 Email Accounts Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.23 Mustang Panda has also created fake Google accounts to distribute malware via spear-phishing emails.19 Mustang Panda has also created accounts for spearphishing operations including the use of services such as Proton Mail.1011
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription Mustang Panda’s custom ORat tool uses a WMI event consumer to maintain persistence.6
enterprise T1480 Execution Guardrails Mustang Panda included the use of Cloudflare geofencing mechanisms to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations.37
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Mustang Panda has used FTP to exfiltrate archive files.15
enterprise T1041 Exfiltration Over C2 Channel Mustang Panda has exfiltrated stolen data and files to its C2 server.3926
enterprise T1052 Exfiltration Over Physical Medium -
enterprise T1052.001 Exfiltration over USB Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.32
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Mustang Panda has also exfiltrated archived files to cloud services such as Dropbox using curl.1531
enterprise T1203 Exploitation for Client Execution Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.16
enterprise T1083 File and Directory Discovery Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.3215
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Mustang Panda’s PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.32 Mustang Panda has also modified file attributes to hidden and system.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.12349121518192124263528 Mustang Panda has abused legitimate executables to side-load malicious DLLs.734101120
enterprise T1574.005 Executable Installer File Permissions Weakness Mustang Panda has leveraged legitimate software installer executables such as Setup Factory “IRSetup.exe” to drop and execute their payload.18
enterprise T1070 Indicator Removal Mustang Panda has deleted registry keys that store data and maintained persistence.1
enterprise T1070.004 File Deletion Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.635
enterprise T1070.006 Timestomp Mustang Panda has modified file timestamps from the export address table (EAT) in malware to make it difficult to identify creation times.25
enterprise T1105 Ingress Tool Transfer Mustang Panda has downloaded additional executables following the initial infection stage.131226 Mustang Panda has also leveraged Visual Studio Code code.exe and Dev Tunnels using DevTunnel.exe to propagate additional tools and payloads.31
enterprise T1654 Log Enumeration Mustang Panda has used Wevtutil to gather Windows Security Event Logs.15
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Mustang Panda masqueraded Registry run keys as legitimate-looking service names such as OneNote Update during RedDelta Modified PlugX Infection Chain Operations.37
enterprise T1036.005 Match Legitimate Resource Name or Location Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.12 Mustang Panda has also masqueraded payloads as legitimate browser plugin updates, including a file named AdobePlugins.exe.20
enterprise T1036.007 Double File Extension Mustang Panda has used an additional filename extension to hide the true file type.162
enterprise T1036.008 Masquerade File Type Mustang Panda has masqueraded malicious executables as legitimate files that download PlugX malware.926
enterprise T1106 Native API Mustang Panda has used various Windows API calls during execution and defense evasion.1434101118192025273528
enterprise T1046 Network Service Discovery Mustang Panda has leveraged NBTscan to scan IP networks.15
enterprise T1095 Non-Application Layer Protocol Mustang Panda has utilized TCP-based reverse shells using cmd.exe.3
enterprise T1027 Obfuscated Files or Information Mustang Panda has delivered initial payloads hidden using archives and encoding measures.236121619212324 263528 Mustang Panda has also utilized opaque predicates in payloads to hinder analysis.1
enterprise T1027.007 Dynamic API Resolution Mustang Panda has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.1
enterprise T1027.012 LNK Icon Smuggling Mustang Panda has utilized LNK files to hide malicious scripts for execution.327 Mustang Panda has also leveraged LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.7
enterprise T1027.013 Encrypted/Encoded File Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations.37
enterprise T1027.016 Junk Code Insertion Mustang Panda has used junk code within their DLL files to hinder analysis.132
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Mustang Panda has obtained and leveraged publicly-available tools for intrusion activities.315
enterprise T1588.003 Code Signing Certificates Mustang Panda has used revoked code signing certificates for its malicious payloads.35
enterprise T1588.004 Digital Certificates Mustang Panda has obtained SSL certificates for their C2 domains.920
enterprise T1003 OS Credential Dumping Mustang Panda utilized “Hdump” to dump credentials from memory.15
enterprise T1003.001 LSASS Memory Mustang Panda has harvested credentials from the memory of lsass.exe with Mimikatz.15
enterprise T1003.003 NTDS Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM registry hive to help extract the NTDS.dit file.615
enterprise T1003.006 DCSync Mustang Panda has leveraged Mimikatz DCSync feature to obtain user credentials.15
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups Mustang Panda has leveraged AdFind to enumerate domain groups.15
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Mustang Panda has used spearphishing attachments to deliver initial access payloads.3734101136121421 Mustang Panda has also delivered archive files such as RAR and ZIP files containing legitimate EXEs and malicious DLLs.341011
enterprise T1566.002 Spearphishing Link Mustang Panda has delivered malicious links to their intended targets.101133 Mustang Panda has distributed spear-phishing emails with embedded links that direct the victim to a malicious archive hosted on Google or Dropbox.19
enterprise T1598 Phishing for Information -
enterprise T1598.003 Spearphishing Link Mustang Panda has delivered web bugs to profile their intended targets.23
enterprise T1057 Process Discovery Mustang Panda has used tasklist /v to determine active process information.32 Mustang Panda has also used TONESHELL malware to check the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.19
enterprise T1572 Protocol Tunneling Mustang Panda has leveraged OpenSSH (sshd.exe) to execute commands, transfer files, and spread across the environment, communicating over SMB port 445.31
enterprise T1090 Proxy Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations.37
enterprise T1219 Remote Access Tools -
enterprise T1219.001 IDE Tunneling Mustang Panda has utilized an established GitHub account to create a tunnel within the victim environment using Visual Studio Code through the code.exe tunnel command.31
enterprise T1219.002 Remote Desktop Software Mustang Panda has installed TeamViewer on targeted systems.6
enterprise T1018 Remote System Discovery Mustang Panda has queried Active Directory for computers using AdFind.15 Mustang Panda has also utilized SharpNBTScan to scan the victim environment.31
enterprise T1091 Replication Through Removable Media Mustang Panda has used a customized PlugX variant which could spread through USB connections.32
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.23633 Mustang Panda has also created a scheduled task that creates a reverse shell.31
enterprise T1593 Search Open Websites/Domains Mustang Panda has used open-source research to identify information about victims for use in targeting, including the creation of weaponized phishing lures and attachments.1011
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Mustang Panda has used China Chopper web shells to maintain access to victims’ environments.15
enterprise T1129 Shared Modules Mustang Panda has leveraged LoadLibrary to load DLLs.1
enterprise T1072 Software Deployment Tools Mustang Panda has leveraged legitimate software tools such as antivirus agents, security services, and app development tools to execute scripts and to side-load DLLs.1518
enterprise T1518 Software Discovery Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.2
enterprise T1176 Software Extensions -
enterprise T1176.002 IDE Extensions Mustang Panda has leveraged Visual Studio Code’s (VSCode) embedded reverse shell feature using the command code.exe tunnel to execute code and deliver additional payloads.31
enterprise T1608 Stage Capabilities Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.23
enterprise T1608.001 Upload Malware Mustang Panda has hosted malicious payloads on DropBox including PlugX.23
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Mustang Panda has used valid legitimate digital signatures and certificates to evade detection.734202425263528
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.004 InstallUtil Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.2
enterprise T1218.005 Mshta Mustang Panda has used mshta.exe to launch collection scripts.6
enterprise T1218.007 Msiexec Mustang Panda’s initial payloads downloaded a Windows Installer MSI file that in turn dropped follow-on files leading to the installation of PlugX during RedDelta Modified PlugX Infection Chain Operations.37
enterprise T1218.014 MMC Mustang Panda used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during RedDelta Modified PlugX Infection Chain Operations.37
enterprise T1082 System Information Discovery Mustang Panda has gathered system information using systeminfo.32
enterprise T1016 System Network Configuration Discovery Mustang Panda has used ipconfig and arp to determine network configuration information.32 Mustang Panda has also utilized SharpNBTScan to scan the victim environment.31
enterprise T1049 System Network Connections Discovery Mustang Panda has used netstat -ano to determine network connection information.32
enterprise T1205 Traffic Signaling Mustang Panda has utilized a “magic packet” value in C2 communications and only executes in memory when response packets match specific values of “17 03 03” or “46 77 4d”.7
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Mustang Panda has sent malicious links, including links directing victims to a Google Drive folder.101116192333 Mustang Panda has also utilized webpages with JavaScript code that downloads malicious payloads to the victim device.20
enterprise T1204.002 Malicious File Mustang Panda has sent malicious files requiring direct victim interaction to execute.271011323612162335 Mustang Panda has also leveraged executable files that display decoy documents to the victim, with customized themes related to the victim, to lend an appearance of legitimacy.1334914181924252627
enterprise T1102 Web Service Mustang Panda has used DropBox URLs to deliver variants of PlugX.23 Mustang Panda has also used Google Drive to host malicious downloads.10
enterprise T1047 Windows Management Instrumentation Mustang Panda has executed PowerShell scripts via WMI.26

Software

ID Name References Techniques
S0552 AdFind Mustang Panda has utilized AdFind for enumerating domain groups, users, and computers.15 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Network Configuration Discovery
S1226 BOOKWORM 425 Web Protocols:Application Layer Protocol Clipboard Data Windows Service:Create or Modify System Process Protocol or Service Impersonation:Data Obfuscation Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Hidden Window:Hide Artifacts DLL:Hijack Execution Flow Timestomp:Indicator Removal Keylogging:Input Capture Masquerade Task or Service:Masquerading Modify Registry Native API Encrypted/Encoded File:Obfuscated Files or Information Obfuscated Files or Information Code Signing:Subvert Trust Controls System Owner/User Discovery
S1237 CANONSTAGER 20 Hidden Window:Hide Artifacts DLL:Hijack Execution Flow Match Legitimate Resource Name or Location:Masquerading Native API Dynamic API Resolution:Obfuscated Files or Information Thread Local Storage:Process Injection
S0020 China Chopper Mustang Panda has used China Chopper web shells to maintain access to victims’ environments.15 Web Protocols:Application Layer Protocol Password Guessing:Brute Force Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Timestomp:Indicator Removal Ingress Tool Transfer Network Service Discovery Software Packing:Obfuscated Files or Information Web Shell:Server Software Component
S1236 CLAIMLOADER 1011 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Deobfuscate/Decode Files or Information Mutual Exclusion:Execution Guardrails Hidden Files and Directories:Hide Artifacts DLL:Hijack Execution Flow Component Object Model:Inter-Process Communication Match Legitimate Resource Name or Location:Masquerading Native API Dynamic API Resolution:Obfuscated Files or Information Scheduled Task:Scheduled Task/Job Malicious File:User Execution
S0154 Cobalt Strike 12612151633 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Domain Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol or Service Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Remote Desktop Protocol:Remote Services SSH:Remote Services Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S1235 CorKLOG 35 Windows Service:Create or Modify System Process Local Data Staging:Data Staged Deobfuscate/Decode Files or Information DLL:Hijack Execution Flow Keylogging:Input Capture Encrypted/Encoded File:Obfuscated Files or Information Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls
S1230 HIUPAN 1114 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Delay Execution Hidden Files and Directories:Hide Artifacts DLL:Hijack Execution Flow Modify Registry Peripheral Device Discovery Process Discovery Replication Through Removable Media Malicious File:User Execution
S0357 Impacket Mustang Panda leveraged Impacket to gather information about the network, discover devices, users and query directories on remote machines to identify files to exfiltrate.15 LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Lateral Tool Transfer Network Sniffing NTDS:OS Credential Dumping LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Kerberoasting:Steal or Forge Kerberos Tickets Ccache Files:Steal or Forge Kerberos Tickets Service Execution:System Services Windows Management Instrumentation
S0002 Mimikatz 15 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0590 NBTscan 615 Network Service Discovery Network Sniffing Remote System Discovery System Network Configuration Discovery System Owner/User Discovery
S1233 PAKLOG 35 Application Window Discovery Clipboard Data Local Data Staging:Data Staged DLL:Hijack Execution Flow Keylogging:Input Capture Native API Encrypted/Encoded File:Obfuscated Files or Information Process Discovery Code Signing:Subvert Trust Controls System Time Discovery
S0013 PlugX 12693212162326 Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Local Data Staging:Data Staged Debugger Evasion Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Mutual Exclusion:Execution Guardrails Exfiltration Over C2 Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts Hidden Window:Hide Artifacts DLL:Hijack Execution Flow Disable or Modify System Firewall:Impair Defenses Clear Persistence:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Local Storage Discovery Masquerade Task or Service:Masquerading Match Legitimate Resource Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Non-Standard Port Binary Padding:Obfuscated Files or Information Dynamic API Resolution:Obfuscated Files or Information Obfuscated Files or Information Encrypted/Encoded File:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Reflective Code Loading Replication Through Removable Media Scheduled Task:Scheduled Task/Job Screen Capture System Information Discovery System Location Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Time Discovery MSBuild:Trusted Developer Utilities Proxy Execution Malicious File:User Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0012 PoisonIvy 11216 Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Active Setup:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Mutual Exclusion:Execution Guardrails Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S1228 PUBLOAD 3734101114192538 File Transfer Protocols:Application Layer Protocol Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Protocol or Service Impersonation:Data Obfuscation Debugger Evasion Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Environmental Keying:Execution Guardrails Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol DLL:Hijack Execution Flow Ingress Tool Transfer Local Storage Discovery Match Legitimate Resource Name or Location:Masquerading Native API Compression:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Query Registry Scheduled Task:Scheduled Task/Job Security Software Discovery:Software Discovery Software Discovery Code Signing:Subvert Trust Controls System Information Discovery System Language Discovery:System Location Discovery Wi-Fi Discovery:System Network Configuration Discovery System Network Configuration Discovery Internet Connection Discovery:System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Traffic Signaling Windows Management Instrumentation
S0662 RCSession 6 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Data from Local System Encrypted Channel DLL:Hijack Execution Flow File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Masquerading Modify Registry Native API Non-Application Layer Protocol Compression:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Process Discovery Process Hollowing:Process Injection Screen Capture Msiexec:System Binary Proxy Execution System Information Discovery System Owner/User Discovery
S0596 ShadowPad 15 DNS:Application Layer Protocol File Transfer Protocols:Application Layer Protocol Web Protocols:Application Layer Protocol Non-Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Indicator Removal Ingress Tool Transfer Local Storage Discovery Modify Registry Non-Application Layer Protocol Fileless Storage:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Process Injection Dynamic-link Library Injection:Process Injection Scheduled Transfer System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery
S1234 SplatCloak 35 File and Directory Discovery Disable or Modify Tools:Impair Defenses Invalid Code Signature:Masquerading Native API Security Software Discovery:Software Discovery System Information Discovery
S1232 SplatDropper 35 Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information DLL:Hijack Execution Flow Clear Persistence:Indicator Removal Native API Dynamic API Resolution:Obfuscated Files or Information Encrypted/Encoded File:Obfuscated Files or Information Code Signing:Subvert Trust Controls
S1227 StarProxy 28 Command and Scripting Interpreter; Protocol or Service Impersonation:Data Obfuscation; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; DLL:Hijack Execution Flow; Native API; Non-Application Layer Protocol; Internal Proxy:Proxy; System Time Discovery
S1238 STATICPLUGIN 20 Component Object Model:Inter-Process Communication; Masquerade File Type:Masquerading; Match Legitimate Resource Name or Location:Masquerading; Code Signing:Subvert Trust Controls; Malicious File:User Execution
S1239 TONESHELL 71113151819292831 Create Process with Token:Access Token Manipulation; Account Discovery; Web Protocols:Application Layer Protocol; Application Window Discovery; Archive via Utility:Archive Collected Data; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Non-Standard Encoding:Data Encoding; Protocol or Service Impersonation:Data Obfuscation; Debugger Evasion; Delay Execution; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; Environmental Keying:Execution Guardrails; Execution Guardrails; Mutual Exclusion:Execution Guardrails; DLL:Hijack Execution Flow; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Inter-Process Communication; Local Storage Discovery; Match Legitimate Resource Name or Location:Masquerading; Masquerade Task or Service:Masquerading; Native API; Non-Application Layer Protocol; Dynamic API Resolution:Obfuscated Files or Information; Binary Padding:Obfuscated Files or Information; LNK Icon Smuggling:Obfuscated Files or Information; Process Discovery; Dynamic-link Library Injection:Process Injection; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Code Signing:Subvert Trust Controls; Regsvr32:System Binary Proxy Execution; Mavinject:System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery; Traffic Signaling; User Activity Based Checks:Virtualization/Sandbox Evasion; Windows Management Instrumentation
S0645 Wevtutil Mustang Panda has leveraged Wevtutil to gather information about usernames and Windows Security Event logs.15 Data from Local System; Disable Windows Event Logging:Impair Defenses; Clear Windows Event Logs:Indicator Removal
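The Wevtutil entry maps one built-in binary to three distinct behaviours: reading or exporting a log (Data from Local System), turning a log off (Disable Windows Event Logging) and wiping it (Clear Windows Event Logs). The verb on the wevtutil command line is what separates them, so a detection has to parse it rather than alert on the image name alone. The Python below is an added example of that classification; it is editor-supplied detection logic, not MITRE's and not tooling from any of the reports cited on this page. The event records are constructed, not real telemetry, and the field names (EventID, CommandLine, SubjectUserName, ParentProcessName) are an assumption about a collector that forwards Windows Security 4688 events as dictionaries.

```python
"""Classify wevtutil.exe invocations in process-creation telemetry.

Added example: editor-supplied detection logic, not MITRE's and not tooling
from any report cited on this page. SAMPLE_EVENTS is constructed, not real
telemetry; only the Security 4688 fields the logic reads are modelled, and
those field names are an assumption about the collector's schema.
"""
import re

# wevtutil verb (short and long form) -> ATT&CK technique this page maps the tool to.
VERB_TECHNIQUE = {
    "qe": ("T1005", "Data from Local System"),            # query-events: read entries
    "query-events": ("T1005", "Data from Local System"),
    "epl": ("T1005", "Data from Local System"),           # export-log: copy log to disk
    "export-log": ("T1005", "Data from Local System"),
    "cl": ("T1070.001", "Clear Windows Event Logs"),
    "clear-log": ("T1070.001", "Clear Windows Event Logs"),
    "sl": ("T1562.002", "Disable Windows Event Logging"),  # only with /e:false, see classify()
    "set-log": ("T1562.002", "Disable Windows Event Logging"),
}

# Logs whose collection or tampering matters most in an investigation.
SENSITIVE_LOGS = {
    "security",
    "system",
    "microsoft-windows-sysmon/operational",
    "microsoft-windows-powershell/operational",
}

# Matches "wevtutil", "wevtutil.exe" or a full path ending in either, any case.
WEVTUTIL_RE = re.compile(r"(?:^|[\\/])wevtutil(?:\.exe)?$", re.IGNORECASE)


def parse_wevtutil(cmdline):
    """Return (verb, log_name, options) for a wevtutil command line, else None.

    Tokens split on whitespace except inside double quotes, so a structured
    query such as /q:"*[System[(EventID=4624)]]" stays one option token.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if not tokens or not WEVTUTIL_RE.search(tokens[0].strip('"')):
        return None
    verb = tokens[1].lower() if len(tokens) > 1 else ""
    positional = [t.strip('"') for t in tokens[2:] if not t.startswith("/")]
    options = [t.lower() for t in tokens[2:] if t.startswith("/")]
    log_name = positional[0] if positional else ""
    return verb, log_name, options


def classify(event):
    """Map one process-creation event to a finding, or None if not wevtutil."""
    if event.get("EventID") != 4688:
        return None
    parsed = parse_wevtutil(event.get("CommandLine", ""))
    if parsed is None:
        return None
    verb, log_name, options = parsed
    technique = VERB_TECHNIQUE.get(verb)
    # set-log only counts as disabling logging when it turns the log off;
    # resizing or re-pathing a log with sl is routine administration.
    if verb in ("sl", "set-log") and not any(
        o.startswith(("/e:false", "/enabled:false")) for o in options
    ):
        technique = None
    if technique is None:
        severity = "info"          # enumeration (el, gl, ...) or benign config change
    elif log_name.lower() in SENSITIVE_LOGS:
        severity = "high"
    else:
        severity = "medium"
    return {
        "user": event.get("SubjectUserName"),
        "parent": event.get("ParentProcessName"),
        "verb": verb,
        "log": log_name,
        "technique": technique[0] if technique else None,
        "technique_name": technique[1] if technique else None,
        "severity": severity,
    }


def detect(events):
    """Run classify() over an event stream and return every wevtutil finding."""
    return [f for f in (classify(ev) for ev in events) if f is not None]


# Constructed sample events modelled on Security 4688 fields (not real telemetry).
_PARENT_CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "jdoe", "ParentProcessName": _PARENT_CMD,
     "CommandLine": r'wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text /c:500'},
    {"EventID": 4688, "SubjectUserName": "jdoe", "ParentProcessName": _PARENT_CMD,
     "CommandLine": r'"C:\Windows\System32\wevtutil.exe" epl Security C:\Users\Public\sec.evtx'},
    {"EventID": 4688, "SubjectUserName": "jdoe", "ParentProcessName": _PARENT_CMD,
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 4688, "SubjectUserName": "jdoe", "ParentProcessName": _PARENT_CMD,
     "CommandLine": "wevtutil sl Security /e:false"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "wevtutil el"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['technique'] or '-':<9} {f['verb']:<4} "
              f"{f['log'] or '-':<9} user={f['user']} parent={f['parent']}")
```

The verb-level split is the point: a rule that only fires on the image name will drown the cl and sl cases, which are the ones that precede lost evidence, in routine qe and el noise from administrators and backup jobs. In a real deployment pair the Security 4688 feed with event 1102 (audit log cleared), which is written even when the process-creation record itself has been wiped.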

References


  1. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  2. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  3. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025. 

  4. Broadcom Protection Bulletins. (2025, February 20). Bookworm malware linked to Fireant (aka Stately Tarurus) activity observed in Southeast Asia. Retrieved July 21, 2025. 

  5. Cohen, Itay. Madej, Radoslaw. Threat Intelligence Team. (2023, May 16). THE DRAGON WHO SOLD HIS CAMARO: ANALYZING CUSTOM ROUTER IMPLANT. Retrieved December 26, 2023. 

  6. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  7. CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025. 

  8. EclecticIQ Threat Research Team. (2023, February 2). Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware. Retrieved September 9, 2025. 

  9. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025. 

  10. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. 

  11. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  12. Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025. 

  13. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025. 

  14. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. 

  15. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. 

  16. Microsoft. (2025, September 8). How Microsoft names threat actors. Retrieved September 10, 2025. 

  17. Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025. 

  18. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025. 

  19. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025. 

  20. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021. 

  21. PWC UK. (2021, February 28). Cyber Threats 2020: A Year in Retrospect. Retrieved October 15, 2025. 

  22. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  23. Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025. 

  24. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025. 

  25. Secureworks Counter Threat Unit Research Team. (2022, April 27). BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX. Retrieved September 9, 2025. 

  26. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025. 

  27. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025. 

  28. Sunny Lu, Vickie Su, Nick Dai. (2023, June 14). Behind the Scenes: Unveiling the Hidden Workings of Earth Preta. Retrieved September 10, 2025. 

  29. The BlackBerry Research and Intelligence Team. (2022, October 6). Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims. Retrieved October 14, 2025. 

  30. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025. 

  31. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. 

  32. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. 

  33. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025. 

  34. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025. 

  35. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022. 

  36. Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025. 

  37. Unit42. (2024, March 26). ASEAN Entities in the Spotlight: Chinese APT Group Targeting. Retrieved August 4, 2025.