TA416

Threat Actor Profile Updated 2 months ago
TA416 is an advanced persistent threat (APT) group that targets organizations globally with customized versions of the PlugX malware. Its signature installation method is the "Trident" loader chain: a PE dropper retrieves a legitimate (often signed) executable, a malicious DLL loader that the executable side-loads, and an encrypted PlugX payload that the loader decrypts and runs. The method has stayed constant even though the individual components in the infection chain are replaced regularly; later variants, for example, swapped in a Golang-based PlugX loader.

The group is tracked under several names, including Mustang Panda, Red Lich, Earth Preta, HoneyMyte, Bronze President, Camaro Dragon, and LuminousMoth.

In 2020, TA416, assessed to operate on behalf of China, ran several espionage campaigns against the Catholic Church and diplomatic entities, consistent with a cyber-espionage mission. Activity by other actors overlaps with it in targeting or technique: the Winter Vivern APT, which resurfaced after two years of inactivity, uses similar tactics, techniques, and procedures (TTPs), and in late 2021 a Russian-aligned actor took down the Vatican website in a suspected attack.

A further TA416 malware campaign came to light during the investigation of an attack on a healthcare institution in Europe. That infection chain began with a Zip archive carrying a geopolitically themed title, paired with a PDF decoy that is downloaded later in the chain. Its tactics closely match the Trident loader method TA416 used in earlier campaigns, while the components of the chain again differ.
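The Trident chain described above leaves a recognisable footprint on disk: a legitimate EXE, a DLL it side-loads, and a non-PE blob that looks encrypted, all in one folder. The following triage script, written for this page as an added example rather than anything published by Proofpoint or used by TA416, walks a directory tree and flags folders that hold that triad. It classifies files by parsing the PE COFF header (DLL vs. EXE flag) and by Shannon entropy for everything that is not a PE. The folder and file names (`update`, `legit.exe`, `helper.dll`, `payload.dat`) and the 7.0 bits/byte entropy threshold are assumptions for illustration, and the sample tree it builds is synthetic.

```python
"""Triage heuristic for a Trident-style DLL side-loading triad on disk.

Flags any folder holding at least one EXE, one DLL and one non-PE file
with high byte entropy (a likely encrypted payload). Added example for
this profile; not Proofpoint tooling. All names and thresholds assumed.
"""
import math
import os
import struct
from pathlib import Path

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field of a PE image, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; Characteristics is its last field.
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0 (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes, min_entropy: float = 7.0) -> str:
    """Bucket a file as 'exe', 'dll', 'blob' (encrypted-looking) or 'other'."""
    chars = pe_characteristics(data)
    if chars is not None:
        if chars & IMAGE_FILE_DLL:
            return "dll"
        if chars & IMAGE_FILE_EXECUTABLE_IMAGE:
            return "exe"
        return "other"
    return "blob" if shannon_entropy(data) >= min_entropy else "other"


def find_sideload_triads(root, min_entropy: float = 7.0):
    """Return [(dir, exe_names, dll_names, blob_names)] for every suspicious folder."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        buckets = {"exe": [], "dll": [], "blob": [], "other": []}
        for name in sorted(files):
            try:
                data = (Path(dirpath) / name).read_bytes()
            except OSError:
                continue
            buckets[classify(data, min_entropy)].append(name)
        if buckets["exe"] and buckets["dll"] and buckets["blob"]:
            hits.append((dirpath, buckets["exe"], buckets["dll"], buckets["blob"]))
    return hits


# --- constructed sample tree (synthetic files, not real malware) ---

def _minimal_pe(is_dll: bool) -> bytes:
    """Build the smallest byte string pe_characteristics() accepts."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS stub
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_tree(root) -> Path:
    """Write a hypothetical Trident-style staging folder plus a benign folder."""
    root = Path(root)
    staged = root / "update"  # assumed name
    staged.mkdir(parents=True, exist_ok=True)
    (staged / "legit.exe").write_bytes(_minimal_pe(is_dll=False))
    (staged / "helper.dll").write_bytes(_minimal_pe(is_dll=True))
    (staged / "payload.dat").write_bytes(bytes(range(256)) * 16)  # 8.0 bits/byte
    (staged / "decoy.pdf").write_bytes(b"%PDF-1.4\n" + b"lorem ipsum " * 300)
    benign = root / "docs"
    benign.mkdir(exist_ok=True)
    (benign / "readme.txt").write_bytes(b"nothing to see here\n" * 50)
    return root


def demo():
    """Build the sample tree in a temp dir and return flagged folders by base name."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(Path(d).name, e, dl, b) for d, e, dl, b in find_sideload_triads(tmp)]


if __name__ == "__main__":
    for folder, exes, dlls, blobs in demo():
        print(f"{folder}: exe={exes} dll={dlls} blob={blobs}")
```

The entropy test is deliberately crude: real PDF decoys and other compressed documents can exceed 7.0 bits/byte, so in production you would exclude files by magic bytes (`%PDF`, `PK`) before treating them as payload blobs, and confirm the side-loading link by checking that the DLL's name appears in the EXE's import table.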
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Mustang Panda | 2 | Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Malware
Malware Loader
Payload
Proofpoint
Phishing
Reconnaissance
Decoy
Golang
Windows
Loader
Trojan
bugs
Associated Malware
ID | Type | Votes | Profile Description
PlugX | Unspecified | 2 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Associated Threat Actors
ID | Type | Votes | Profile Description
BRONZE PRESIDENT | Unspecified | 1 | Bronze President, a Chinese-state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. Bro
RedDelta | Unspecified | 1 | RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the TA416 threat actor was read from the document corpus below. This display is limited to 20 results.
Source (Created) : Title
CERT-EU (a year ago): Chinese Espionage Malware Targets European Healthcare via USB Drives
CERT-EU (a year ago): Report: Cybercriminals are scaling up uncommon techniques | Diario TI
CERT-EU (a year ago): Proofpoint publishes the Human Factor 2023 report: cybercriminals scale up and make ever more extensive use of uncommon tools and techniques | Il corriere della sicurezza
MITRE (a year ago): The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates | Proofpoint US
MITRE (a year ago): TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader | Proofpoint US
CERT-EU (a year ago): Chinese hackers Mustang Panda use a newly created backdoor for advanced detection evasion
CERT-EU (a year ago): Chinese Hackers Are Using a New Backdoor to Deploy Malware | IT Security News
CERT-EU (a year ago): Chinese Hackers Are Using a New Backdoor to Deploy Malware
DARKReading (a year ago): The Pope's Security Gets a Boost With Vatican's MDM Move