Mustang Panda

Threat Actor updated a month ago (2024-10-15T10:02:51.736Z)
Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda has been associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modified DLL files to install RCSession. The group has also used a variety of remote access tools and net commands. Evidence of Mustang Panda's involvement was observed in Case 4, where side-loading components from this group were found in the same directory as components from two other APT groups, LuminousMoth and CeranaKeeper.

The newly uncovered APT group CeranaKeeper, which targets governmental institutions in Thailand, was found to use some tools previously attributed to Mustang Panda. However, ESET's analysis revealed technical differences between the two entities, suggesting that they are distinct. Although multiple cybersecurity firms initially attributed some of CeranaKeeper's activities to Mustang Panda, the activity cluster is tracked separately because of these differences. Both Mustang Panda and CeranaKeeper have been linked to the Chinese government and support its interests through espionage and other cybercrime.

Further analysis showed that CeranaKeeper used components shared with Mustang Panda alongside new tools that abuse legitimate file-sharing services such as Pastebin, Dropbox, OneDrive, and GitHub. These tools were used to execute commands on compromised computers and to exfiltrate sensitive documents. The goal of both groups is to harvest as many files as possible, and they develop specific components to that end. Other China-linked groups, including Mustang Panda, are known to target communication service providers, especially in Taiwan and other countries of interest.
Description last updated: 2024-10-15T09:15:47.494Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing. Descriptions are truncated in the source listing; votes reflect community confidence in the alias.
Alias (votes): description

Stately Taurus (6 votes): Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's

Camaro Dragon (6 votes): Camaro Dragon, a Chinese state-sponsored threat actor also known as Mustang Panda, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Stately Taurus, has been identified as a significant cybersecurity concern. The group has been active since at least 2012 and is known for its sophisticated

RedDelta (5 votes): RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ

Earth Preta (4 votes): Earth Preta, also known as Mustang Panda or Stately Taurus, is a high-profile threat actor group that has been actively executing cyberattacks with malicious intent. Their activities have been particularly prevalent in the Asia Pacific (APAC) region and Europe. The group employs a variety of tools a

LuminousMoth (4 votes): LuminousMoth is a threat actor group with potential affiliations to a Chinese-speaking entity, exhibiting similar targeting and Tactics, Techniques, and Procedures (TTPs) as the HoneyMyte group. These similarities include the use of DLL side-loading, Cobalt Strike loaders, and a component akin to Lu

BRONZE PRESIDENT (4 votes): Bronze President, a Chinese state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. Bro

Winnti (3 votes): Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such

HoneyMyte (3 votes): HoneyMyte, also known as Mustang Panda, is a notable threat actor in the cybersecurity landscape. This group has been linked to various malicious activities, including the use of DLL side-loading and Cobalt Strike loaders, similar to the tactics, techniques, and procedures (TTPs) employed by another

BlackTech (2 votes): BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat

APT41 (2 votes): APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi

TA416 (2 votes): TA416 is an advanced persistent threat (APT) group that targets organizations globally with customized versions of the PlugX malware. TA416 has used a distinct installation method of a PE dropper to retrieve Trident loaded payload components using a legitimate PE and a DLL loader file to load a Plug
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Backdoor
Malware
Espionage
Phishing
Implant
ESET
Chinese
China
State Sponso...
Government
Loader
RAT
Trojan
Reconnaissance
Payload
Tool
Windows
Firmware
Worm
Decoy
Associated Malware
Malware (association type; votes): description

PlugX (Unspecified; 5 votes): PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s

Korplug (Unspecified; 2 votes): Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in

DOPLUGS (Unspecified; 2 votes): DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U

Iron Taurus (Unspecified; 2 votes): Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio
Associated Threat Actors
Threat actor (association type; votes): description

Ke3chang (Unspecified; 4 votes): Ke3chang, also known as APT15, Mirage, Vixen Panda, GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang

APT27 (Unspecified; 4 votes): APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the

GALLIUM (Unspecified; 2 votes): Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar

APT31 (Unspecified; 2 votes): APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by

APT30 (Unspecified; 2 votes): APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source c
Source Document References
Information about the Mustang Panda threat actor was read from the document corpus below. This display is limited to 20 results.

Source (created)

ESET (2 months ago)
InfoSecurity-magazine (2 months ago)
ESET (2 months ago)
DARKReading (2 months ago)
DARKReading (2 months ago)
DARKReading (2 months ago)
Checkpoint (2 months ago)
DARKReading (2 months ago)
DARKReading (2 months ago)
Securityaffairs (4 months ago)
DARKReading (5 months ago)
Securityaffairs (5 months ago)
ESET (5 months ago)
DARKReading (6 months ago)
ESET (6 months ago)
BankInfoSecurity (6 months ago)
Unit42 (6 months ago)
ESET (6 months ago)
DARKReading (7 months ago)
Securityaffairs (7 months ago)