Cloud Threat Landscape

Mustang Panda

Aliases

BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Polaris, Red Lich, Stately Taurus, TA416, TANTALUM, TEMP.HEX, Twill Typhoon

Tags
State-Sponsored
Attribution
🇨🇳
Incidents
Earth Preta’s Campaign Abusing MAVInject to Bypass Detection
References
https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
https://blog.talosintelligence.com/mustang-panda-targets-europe/
Last edited
Feb 19, 2025 9:35 AM
Status
Finalized
Cloud-fluent
Targeted geography
United States/North America, Europe, Southeast Asia
Targeted industries
Government, Non-governmental organizations (NGOs), Telecommunication

Mustang Panda, also known as Bronze President, RedDelta, and TA416, is a China-based cyber espionage group active since at least 2012. The group primarily targets government entities, non-governmental organizations (NGOs), and religious organizations across the United States, Europe, and Asia. Their operations are characterized by well-crafted spear-phishing campaigns that often employ lures themed around current geopolitical events to entice victims into executing malicious payloads.

A hallmark of Mustang Panda's methodology is the use of malware such as the PlugX remote access trojan (RAT), which facilitates persistent access, data exfiltration, and the deployment of additional malicious tools. The group has also developed custom malware strains, including TONESHELL and PUBLOAD, to enhance their espionage capabilities. Notably, they have employed DLL side-loading techniques to execute these payloads stealthily, thereby evading detection mechanisms.

Over the years, Mustang Panda has demonstrated adaptability by refining their toolset and tactics. They have expanded their targeting scope to include entities involved in international summits and political affairs, reflecting a strategic interest in gathering intelligence that aligns with China's geopolitical objectives.


Last Updated: April 3, 2025