Mustang Panda

Threat Actor updated 3 days ago (2024-09-10T16:17:46.975Z)
Mustang Panda, also known by aliases such as Bronze President, Luminous Moth, and Camaro Dragon among others, is a threat actor believed to operate from Chengdu, China. The group has been publicly linked to APT41 and to other Chinese groups such as the Tonto Team. Known for its rapid attacks and custom malware, Mustang Panda has targeted numerous government entities in the Asia-Pacific region through spear-phishing campaigns and multistage downloaders that deliver malware. The group repeatedly revises its command-and-control infrastructure, consistent with persistent targeting of diplomatic and religious organizations. In recent campaigns, Mustang Panda has notably used a self-propagating worm, a novel tactic for the group, to deliver malware called PUBLOAD. This malware is delivered via USB drives, a strategy that saw a resurgence during and in the wake of the COVID-19 pandemic. Along with PUBLOAD, Mustang Panda introduces supplemental tools into the targets' environment, such as FDMTP, which serves as a secondary control tool, and PTSOCKET, an alternative exfiltration option. Trend Micro has found evidence of Mustang Panda abusing Microsoft's cloud services for data exfiltration. In one case, Mustang Panda's DLL side-loading components were observed in the same directory as files from another threat actor that was already present on the host. Under the BRONZE PRESIDENT name, the group has been associated with phishing lures delivering PlugX and has deployed a variety of remote access tools, including modified DLL files used to install RCSession, along with Nbtscan and net commands. These tactics underline the group's adaptability and sophistication in executing cyber-attacks.
Description last updated: 2024-09-10T16:15:42.053Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Camaro Dragon | 6 | Camaro Dragon, a Chinese state-sponsored threat actor also known as Stately Taurus, Mustang Panda, Bronze President, Red Delta, Luminous Moth, and Earth Preta, has been active since at least 2012. In 2023, Check Point Research discovered a custom firmware image linked to Camaro Dragon that contained
Stately Taurus | 5 | Stately Taurus is a sophisticated malware associated with a Chinese Advanced Persistent Threat (APT) group that conducts cyberespionage campaigns. This group has been observed targeting government entities, as well as religious and non-governmental organizations across Europe and Asia. The malware i
RedDelta | 5 | RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ
LuminousMoth | 4 | LuminousMoth is a threat actor with ties to HoneyMyte, as evidenced by their similar targeting and Tactics, Techniques, and Procedures (TTPs). These include the use of DLL side-loading, Cobalt Strike loaders, and Chrome cookie stealers. The malware's operation begins with the execution of "explorer.
BRONZE PRESIDENT | 4 | Bronze President, a Chinese state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. Bro
Honeymyte | 3 | HoneyMyte, also known as Mustang Panda, is a notable threat actor in the cybersecurity landscape. This group has been linked to various malicious activities, including the use of DLL side-loading and Cobalt Strike loaders, similar to the tactics, techniques, and procedures (TTPs) employed by another
Earth Preta | 3 | Earth Preta, also known as Mustang Panda, is a threat actor group that has been operational since at least 2012. The group has been highly active in Europe and Asia, with particular emphasis on the Asia-Pacific (APAC) region. Earth Preta employs several tools and commands for the Command and Control
APT41 | 2 | APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various
BlackTech | 2 | BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat
TA416 | 2 | TA416 is an advanced persistent threat (APT) group that targets organizations globally with customized versions of the PlugX malware. TA416 has used a distinct installation method of a PE dropper to retrieve Trident loaded payload components using a legitimate PE and a DLL loader file to load a Plug
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Espionage
Backdoor
Phishing
Malware
Implant
Chinese
State Sponso...
Eset
Government
Loader
Rat
Trojan
Worm
Payload
Reconnaissance
Tool
Windows
China
Decoy
Firmware
Associated Malware
ID | Type | Votes | Profile Description
PlugX | Unspecified | 5 | PlugX is a type of malware, specifically a Remote Access Trojan (RAT), that has been utilized by various threat groups, including the Chinese government-sponsored group known as Winnti. This malicious software exploits and damages computer systems, often infiltrating them through suspicious download
Korplug | Unspecified | 2 | Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
Doplugs | Unspecified | 2 | DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U
Iron Taurus | Unspecified | 2 | Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio
Associated Threat Actors
ID | Type | Votes | Profile Description
Ke3chang | Unspecified | 4 | Ke3chang, also known as APT15, Mirage, Vixen Panda, GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang
APT27 | Unspecified | 4 | APT27, also known as Iron Taurus, is a threat actor group suspected to be attributed to China. Engaging in cyber operations with the primary goal of intellectual property theft, APT27 targets organizations globally, with a focus on North and South America, Europe, and the Middle East. The group's mo
Winnti | Unspecified | 3 | The Winnti Group is a sophisticated threat actor that has been active since at least 2007, first identified by Kaspersky in 2013. This collective of Chinese nation-state hackers is known for its advanced cyberespionage capabilities and its unique strategy of targeting legitimate software supply chai
GALLIUM | Unspecified | 2 | Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
APT31 | Unspecified | 2 | APT31, also known as Zirconium, is a threat actor group linked to the Chinese government that has been implicated in numerous cyber espionage activities. One of their most notable exploits was the cloning of the Equation Group's exploit, EpMe (CVE-2017-0005). This exploit was initially discovered du
APT30 | Unspecified | 2 | APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source c
Source Document References
Information about the Mustang Panda threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | a day ago | Microsoft VS Code Undermined in Asian Spy Attack
DARKReading | 4 days ago | Mustang Panda Feeds Worm-Driven USB Attack Strategy
Securityaffairs | a month ago | China-linked APT41 breached Taiwanese research institute
DARKReading | 3 months ago | China-Linked Espionage Groups Target Asian Telecoms
Securityaffairs | 3 months ago | China-linked spies target Asian Telcos since at least 2021
ESET | 3 months ago | ESET Research Podcast: APT Activity Report Q4 2023–Q1 2024
DARKReading | 3 months ago | Chinese Threat Clusters Triple-Team High-Profile Asian Government Org
ESET | 4 months ago | Introducing Nimfilt: A reverse-engineering tool for Nim-compiled binaries
BankInfoSecurity | 4 months ago | Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42 | 4 months ago | Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
ESET | 4 months ago | ESET APT Activity Report Q4 2023–Q1 2024
DARKReading | 5 months ago | Philippines Pummeled by Cyberattacks & Misinformation Tied to China
Securityaffairs | 5 months ago | Misinformation and hacktivist campaigns targeting the Philippines skyrocket
DARKReading | 5 months ago | Japan, Philippines, US to Share Cyber Threat Intel
DARKReading | 6 months ago | Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents
CERT-EU | 7 months ago | Sophisticated PlugX backdoor variant leveraged in Mustang Panda attacks
CERT-EU | 7 months ago | New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS
Securityaffairs | 7 months ago | New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS
Trend Micro | 7 months ago | Earth Preta Campaign Uses DOPLUGS to Target Asia
ESET | 8 months ago | NSPX30: A sophisticated AitM-enabled implant evolving since 2005