Mustang Panda

Also known as: Mustang Panda, TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich, Stately Taurus, Camaro Dragon, HoneyMyte, TEMP.HEX, BASIN, Earth Preta, LuminousMoth, Polaris, Twill Typhoon, MUSTANG PANDA, Vertigo Panda

🌍 Country China
📅 Activity 2023 — 2023
🎯 Incident Type Espionage
🧭 ATT&CK G0129

Introduction

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. The group is known to use tailored phishing lures and decoy documents to deliver malicious payloads. It has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [2-14]

Activities and Tactics

Targeted Sectors: Civil society

Country of Origin: 🇨🇳 China

First Seen: 2023

Last Activity: 2023

Incident Type: Espionage

Suspected Victims: United States, Germany

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 2 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Country of Origin: China

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK entry
[2] BlackBerry MUSTANG PANDA October 2022
[3] Eset PlugX Korplug Mustang Panda March 2022
[4] Anomali MUSTANG PANDA October 2019
[5] Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022
[6] Secureworks BRONZE PRESIDENT December 2019
[7] DOJ Affidavit Search and Seizure PlugX December 2024
[8] EclecticIQ Mustang Panda PlugX
[9] ATTACKIQ MUSTANG PANDA TONESHELL March 2023
[10] Crowdstrike MUSTANG PANDA June 2018
[11] Palo Alto Networks, Unit 42
[12] Sophos PlugX September 2022
[13] Sophos Mustang Panda PLUGX
[14] Zscaler