Mustang Panda

Threat Actor Profile Updated 6 days ago
Mustang Panda, also known as Earth Preta, Camaro Dragon, Bronze President, TA416, and Stately Taurus, is a Chinese state-backed advanced persistent threat (APT) group known for its malicious cyber activities. The group has targeted numerous countries across Asia, including Taiwan, Vietnam, India, Japan, and China, with sophisticated information warfare campaigns. In one notable incident last year, Mustang Panda compromised a Philippines government agency using a simple side-loading technique amid a military buildup in the region. The group employs a variety of techniques, such as phishing lures, modified DLL files, and remote access tools, to execute its attacks. The group's activities have been linked to other APT groups, pointing to shared operational infrastructure among Chinese nation-state threat actors. For instance, during Operation Diplomatic Specter, the activity originated from infrastructure used exclusively by Chinese APTs such as Iron Taurus (aka APT27), Starchy Taurus (aka Winnti), and Mustang Panda itself. In another case, sideloading components from two other APT groups, Mustang Panda and LuminousMoth, were observed in the same directory as files from the original threat actor. Furthermore, a new China-aligned APT group, CeranaKeeper, was introduced, which shares unique traits and possibly a digital quartermaster with the Mustang Panda group. Despite the complexity and sophistication of its operations, Mustang Panda's victim list rivals that of other notorious APT groups such as Volt Typhoon and BlackTech. The group primarily uses a variant of the PlugX malware, dubbed DOPLUGS, to infiltrate systems and networks. In February 2024, Mustang Panda targeted various Asian countries with this backdoor. Trend Micro researchers uncovered a cyberespionage campaign carried out by Mustang Panda targeting Asian countries including Taiwan, Vietnam, and Malaysia, further demonstrating the group's extensive reach and persistent threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Profile (votes): Description
Camaro Dragon (6 votes): Camaro Dragon, a Chinese state-sponsored Advanced Persistent Threat (APT) group also known as Mustang Panda, Bronze President, Red Delta, Luminous Moth, Earth Preta, and Stately Taurus, has been operational since at least 2012. Checkpoint Research has analyzed a custom firmware image affiliated with
Stately Taurus (5 votes): Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a malicious software (malware) that has been active since at least 2012. It is associated with a Chinese Advanced Persistent Threat (APT) group and is believed to have originate
RedDelta (5 votes): RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ
LuminousMoth (4 votes): LuminousMoth is a threat actor with ties to HoneyMyte, as evidenced by their similar targeting and Tactics, Techniques, and Procedures (TTPs). These include the use of DLL side-loading, Cobalt Strike loaders, and Chrome cookie stealers. The malware's operation begins with the execution of "explorer.
BRONZE PRESIDENT (4 votes): Bronze President, a Chinese-state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. Bro
Honeymyte (3 votes): HoneyMyte, also known as Mustang Panda, is a notable threat actor in the cybersecurity landscape. This group has been linked to various malicious activities, including the use of DLL side-loading and Cobalt Strike loaders, similar to the tactics, techniques, and procedures (TTPs) employed by another
TA416 (2 votes): TA416 is an advanced persistent threat (APT) group that targets organizations globally with customized versions of the PlugX malware. TA416 has used a distinct installation method of a PE dropper to retrieve Trident loaded payload components using a legitimate PE and a DLL loader file to load a Plug
BlackTech (2 votes): BlackTech, a China-linked Advanced Persistent Threat (APT) group, is a significant cybersecurity concern due to its sophisticated techniques and targeted attacks. This threat actor primarily focuses on infiltrating technology and government organizations in the Asia-Pacific region, using a malware f
Taurus (2 votes): Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Espionage
Backdoor
Phishing
Malware
Implant
Chinese
State Sponso...
Eset
Government
Loader
Rat
Trojan
Payload
China
Decoy
Windows
Associated Malware
Profile (type, votes): Description
PlugX (Unspecified, 5 votes): PlugX is a notorious malware, often used by various threat groups in their cyberattacks. It has been linked to several high-profile activities, such as those of the Winnti group and the LockFile ransomware activity. This Remote Access Trojan (RAT) employs sophisticated techniques like DLL side-loadi
Iron Taurus (Unspecified, 2 votes): Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio
Korplug (Unspecified, 2 votes): Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
Doplugs (Unspecified, 2 votes): DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U
Associated Threat Actors
Profile (type, votes): Description
Ke3chang (Unspecified, 4 votes): Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang
APT27 (Unspecified, 4 votes): APT27, also known as Iron Taurus, is a threat actor suspected to be originating from China. The group primarily engages in cyber operations with the goal of intellectual property theft, targeting organizations globally including those in North and South America, Europe, and the Middle East. APT27 ut
Winnti (Unspecified, 3 votes): Winnti, also known as Starchy Taurus, APT41, Axiom, Barium, Blackfly, and HOODOO, is a prominent threat actor originating from China. The group has been active since at least 2007 and is notorious for its sophisticated cyberespionage campaigns. The group's activities have been linked to a shared Chi
GALLIUM (Unspecified, 2 votes): Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
APT31 (Unspecified, 2 votes): APT31, also known as Zirconium, is a threat actor group believed to be sponsored by the Chinese government. This group has been implicated in various cyber espionage activities across the globe. One of their notable exploits includes the cloning and use of an Equation Group exploit, EpMe (CVE-2017-0
APT41 (Unspecified, 2 votes): APT41, also known as Winnti, Wicked Panda, Barium, Suckfly, Earth Freybug, and Daggerfly, is a China-attributed threat actor that has been active since at least 2012. The group has targeted organizations across at least 14 countries, focusing on entities in the South China Sea region. APT41's activi
APT30 (Unspecified, 2 votes): APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source c
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Mustang Panda Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created at): Title
MITRE (a year ago): The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates | Proofpoint US
CERT-EU (a year ago): Proofpoint publishes the Human Factor 2023 report: cybercriminals are scaling up and making ever wider use of uncommon tools and techniques | Il corriere della sicurezza
CERT-EU (a year ago): Report: Cybercriminals are scaling up uncommon techniques | Diario TI
DARKReading (a year ago): The Pope's Security Gets a Boost With Vatican's MDM Move
BankInfoSecurity (5 days ago): Active Chinese Cyberespionage Campaign Rifling Email Servers
CERT-EU (a year ago): TP-Link routers provide entry point for Chinese hackers
DARKReading (2 months ago): Japan, Philippines, US to Share Cyber Threat Intel
Checkpoint (a year ago): 26th June – Threat Intelligence Report - Check Point Research
MITRE (a year ago): BRONZE PRESIDENT Targets NGOs
CERT-EU (a year ago): Hacker's Playbook Threat Coverage Roundup: March 28, 2023
BankInfoSecurity (a year ago): Cyberattacks on Taiwan Surge Amid Chinese Aggression
MITRE (a year ago): China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations
CERT-EU (10 months ago): Stay informed with threat reports
ESET (4 days ago): Introducing Nimfilt: A reverse-engineering tool for Nim-compiled binaries
CERT-EU (a year ago): Chinese Hackers Are Using a New Backdoor to Deploy Malware | IT Security News
Unit42 (6 days ago): Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Checkpoint (a year ago): Malware Spotlight: Camaro Dragon's TinyNote Backdoor - Check Point Research
CERT-EU (a year ago): Chinese Hackers Are Using a New Backdoor to Deploy Malware
MITRE (6 months ago): LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
Securityaffairs (a year ago): SmugX: Chinese APT uses HTML smuggling to target European Ministries and embassies