Mustang Panda (APT) – Threat Actor

May 14, 2024
Reading Time: 6 mins read
in APT, Threat Actors

Mustang Panda

Other Names

BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Polaris, Red Lich, Stately Taurus, TA416, TANTALUM, TEMP.HEX, Twill Typhoon, Camaro Dragon, RedDelta

Location

China

Date of Initial Activity

2011

Suspected Attribution

Chinese state-sponsored espionage group

Motivation

Cyber-espionage driven by a combination of political, economic, and strategic motivations aimed at bolstering China’s national interests on the global stage.
Cyberwarfare

Associated Tools

Cobalt Strike
PlugX
PoisonIvy
RCSession
NBTscan
Zebrocy
Dtrack
Koadic
Sakura
Havoc
Metasploit

Systems Targeted

Windows

Active

Yes

Overview

Mustang Panda is a notable cyber espionage group believed to operate out of China, specializing in targeted attacks against government agencies, non-governmental organizations (NGOs), and other entities across multiple countries globally. First observed in 2017, but potentially active since 2014, the group has gained infamy for its sophisticated tactics and persistent targeting of sensitive sectors including defense, diplomacy, and human rights advocacy. The group’s operational scope spans a wide geographical range, targeting organizations in the United States, Europe, Mongolia, Myanmar, Pakistan, Vietnam, and likely others. Their targets typically include entities involved in political affairs, international relations, and humanitarian causes, suggesting a strategic interest in geopolitical intelligence and influence.

Mustang Panda’s operational playbook involves leveraging advanced techniques such as spearphishing campaigns tailored to specific targets. These campaigns often involve the distribution of malicious attachments or links designed to exploit vulnerabilities and gain initial access to targeted systems. Once inside a network, they deploy a variety of tools and tactics to maintain persistence and exfiltrate sensitive data discreetly. To ensure ongoing access, Mustang Panda utilizes sophisticated methods like creating registry keys for autostart capabilities, employing PowerShell scripts for automation, and exploiting legitimate remote access tools such as TeamViewer. They also demonstrate a proficiency in evading detection through techniques like DLL side-loading, masquerading using legitimate file names, and encrypting communications to conceal malicious activities.

The group’s use of advanced malware strains and their ability to adapt quickly to security measures make them a persistent threat in the cybersecurity landscape. Their operations are characterized by a high level of organization, technical expertise, and strategic targeting aligned with state-sponsored cyber espionage objectives.

Common targets

Government Entities, Non-Governmental Organizations (NGOs), Religious Organizations, Think Tanks, Academic Institutions, Private Sector, Political Entities in the United States, Philippines, Mongolia, Myanmar, Pakistan, Bangladesh, India, Japan, South Korea, Vietnam.

Attack Vectors

Mustang Panda employs a variety of attack vectors to compromise their targets, focusing primarily on spear-phishing emails that deliver malicious attachments or links.

How they operate

Initial Access and Execution Techniques

Mustang Panda frequently initiates attacks through spear-phishing campaigns, sending meticulously crafted emails that contain malicious attachments or links. These phishing attempts are designed to exploit vulnerabilities in the victim’s environment, often utilizing zero-day exploits or social engineering tactics to ensure high success rates. Once the victim interacts with the phishing content, the threat actor deploys their malware, which may be executed via command-line interfaces or PowerShell scripts. PowerShell, in particular, is a favored tool due to its powerful scripting capabilities and the ability to execute commands without raising immediate suspicion.

Persistence and Privilege Escalation

To maintain a foothold within compromised systems, Mustang Panda employs several persistence mechanisms. They often utilize Windows Registry keys or startup folders to ensure their malware is executed upon system reboot. Additionally, creating or modifying scheduled tasks allows them to execute their payloads at predetermined intervals, circumventing standard detection mechanisms. For privilege escalation, Mustang Panda leverages known vulnerabilities or exploits to gain elevated privileges on the system. Techniques such as exploiting unpatched software vulnerabilities are common, allowing them to perform actions that would otherwise be restricted.

Defense Evasion and Credential Access

Mustang Panda is adept at evading detection using a variety of defense evasion techniques. Obfuscation plays a critical role in their operations; they employ methods to hide malicious files and scripts from traditional antivirus solutions and security monitoring tools. This may involve encoding or encrypting their payloads to prevent them from being flagged. Masquerading techniques are also used to disguise the presence of their malicious activities, making it difficult for security analysts to identify and differentiate between legitimate and malicious processes. For credential access, Mustang Panda utilizes credential dumping tools to extract sensitive information from compromised systems. This includes extracting credentials stored in memory or other system repositories, which can then be used to move laterally within the network or escalate their privileges further. The ability to harvest and reuse credentials is crucial for maintaining long-term access and expanding their control over the targeted environment.

Lateral Movement, Discovery, and Exfiltration

Once inside a network, Mustang Panda employs lateral movement techniques such as Remote Desktop Protocol (RDP) to navigate and compromise additional systems. They are meticulous in their discovery phase, gathering information about the network, system configurations, and available data repositories. This information is critical for planning further actions and targeting valuable assets within the organization. For data exfiltration, Mustang Panda often channels stolen data over command and control (C2) channels, employing encryption to avoid detection by network monitoring tools. Their exfiltration techniques are designed to blend in with regular network traffic, minimizing the risk of discovery while ensuring that critical data is siphoned out of the compromised environment.

MITRE ATT&CK Techniques

  • T1583.001 – Acquire Infrastructure: Domains
  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1560.001 – Archive Collected Data: Archive via Utility
  • T1560.003 – Archive Collected Data: Archive via Custom Method
  • T1119 – Automated Collection
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
  • T1059.005 – Command and Scripting Interpreter: Visual Basic
  • T1074.001 – Data Staged: Local Data Staging
  • T1573.001 – Encrypted Channel: Symmetric Cryptography
  • T1585.002 – Establish Accounts: Email Accounts
  • T1546.003 – Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1052.001 – Exfiltration Over Physical Medium: Exfiltration over USB
  • T1203 – Exploitation for Client Execution
  • T1083 – File and Directory Discovery
  • T1564.001 – Hide Artifacts: Hidden Files and Directories
  • T1574.002 – Hijack Execution Flow: DLL Side-Loading
  • T1070.004 – Indicator Removal: File Deletion
  • T1105 – Ingress Tool Transfer
  • T1036.005 – Masquerading: Match Legitimate Name or Location
  • T1027.001 – Obfuscated Files or Information: Binary Padding
  • T1003.003 – OS Credential Dumping: NTDS
  • T1566.001 – Phishing: Spearphishing Attachment
  • T1598.003 – Phishing for Information: Spearphishing Link
  • T1057 – Process Discovery
  • T1219 – Remote Access Software
  • T1091 – Replication Through Removable Media
  • T1053.005 – Scheduled Task/Job: Scheduled Task
  • T1518 – Software Discovery
  • T1608.001 – Stage Capabilities: Upload Malware
  • T1218.004 – System Binary Proxy Execution: InstallUtil
  • T1218.005 – System Binary Proxy Execution: Mshta
  • T1082 – System Information Discovery
  • T1016 – System Network Configuration Discovery
  • T1049 – System Network Connections Discovery
  • T1204.001 – User Execution: Malicious Link
  • T1204.002 – User Execution: Malicious File
  • T1102 – Web Service
  • T1047 – Windows Management Instrumentation
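The persistence, proxy-execution, masquerading and side-loading behaviours described under "How they operate" correspond to several of the technique IDs listed above. The Python below is an added example, not code from the original page or from any vendor, that classifies Sysmon-style events into those IDs so a defender can check which of the listed techniques their endpoint telemetry would surface. It assumes Sysmon's field names (EventID, Image, CommandLine, ImageLoaded, Signed, TargetObject); the sample events, paths and the base64 placeholder are constructed.

```python
import re
from pathlib import PureWindowsPath

# Directories where a signed system or vendor binary is expected to live.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
PROXY_BINARIES = {"mshta.exe": "T1218.005", "installutil.exe": "T1218.004"}
PS_SUSPICIOUS = re.compile(r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def classify(ev: dict) -> list[str]:
    """Return the ATT&CK technique IDs one Sysmon-style event is evidence of."""
    hits = []
    image = ev.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    if ev["EventID"] == 1:  # process creation
        if name == "powershell.exe" and PS_SUSPICIOUS.search(ev.get("CommandLine", "")):
            hits.append("T1059.001")  # hidden-window or encoded PowerShell
        if name in PROXY_BINARIES:
            hits.append(PROXY_BINARIES[name])  # mshta / InstallUtil proxy execution
        if name in SYSTEM_NAMES and not in_system_dir(image):
            hits.append("T1036.005")  # system binary name run from a non-system path
    elif ev["EventID"] == 7:  # image (DLL) load
        dll = ev.get("ImageLoaded", "")
        same_dir = PureWindowsPath(dll).parent == PureWindowsPath(image).parent
        if ev.get("Signed") == "false" and same_dir and not in_system_dir(image):
            hits.append("T1574.002")  # unsigned DLL beside its host EXE outside system dirs
    elif ev["EventID"] == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        hits.append("T1547.001")  # Run / RunOnce key persistence
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map each event's index to the techniques it triggered; silent events are dropped."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

# Constructed sample events (not real telemetry); the encoded command is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\Vendor\goodapp.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\Vendor\helper.dll", "Signed": "false"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\svchost.exe", "CommandLine": "svchost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},  # benign load
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four events and stays silent on the benign notepad load; the heuristics are deliberately narrow, so tune SYSTEM_DIRS and SYSTEM_NAMES to the estate before relying on them.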

Significant Attacks and Campaigns

  • CSIRT-CTI has identified two campaigns exhibiting strong indications of being connected to Stately Taurus (alias Bronze President, Camaro Dragon, Earth Preta, Mustang Panda, Red Delta and Luminous Moth), both assessed to have targeted the Myanmar Ministry of Defence and Foreign Affairs. (January 2024)
  • An advanced persistent threat (APT) group suspected with moderate-high confidence to be Stately Taurus engaged in a number of cyberespionage intrusions targeting a government in Southeast Asia. This group is also known by several aliases, including Mustang Panda, BRONZE PRESIDENT, TA416, RedDelta and Earth Preta. (September 2023)
