Aliases: BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Polaris, Red Lich, Stately Taurus, TA416, TANTALUM, TEMP.HEX, Twill Typhoon
Mustang Panda, also known as Bronze President, RedDelta, and TA416, is a China-based cyber espionage group active since at least 2012. The group primarily targets government entities, non-governmental organizations (NGOs), and religious organizations across the United States, Europe, and Asia. Their operations are characterized by well-crafted spear-phishing campaigns that often employ lures themed around current geopolitical events to entice victims into executing malicious payloads.
A hallmark of Mustang Panda's methodology is the use of malware such as the PlugX remote access trojan (RAT), which facilitates persistent access, data exfiltration, and the deployment of additional malicious tools. The group has also developed custom malware strains, including TONESHELL and PUBLOAD, to enhance their espionage capabilities. Notably, they have employed DLL side-loading techniques to execute these payloads stealthily, thereby evading detection mechanisms.
Over the years, Mustang Panda has demonstrated adaptability by refining their toolset and tactics. They have expanded their targeting scope to include entities involved in international summits and political affairs, reflecting a strategic interest in gathering intelligence that aligns with China's geopolitical objectives.