SYMBOLCOMMON_NAMEaka. SYNONYMS

MUSTANG PANDA  (Back to overview)

aka: BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Polaris, Red Lich, Stately Taurus, TA416, TANTALUM, TEMP.HEX, Twill Typhoon

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.


Associated Families
win.mqsttang win.hodur win.toneshell

References
2024-09-03Hunt.ioHunt.io
ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit
TONESHELL
2024-08-23TEAMT5Still Hsu
Sailing the Seven SEAs: Deep Dive into Polaris' Arsenal and Intelligence Insights
Cobalt Strike Hodur PlugX TONESHELL
2024-07-01Speakerdeck (takahiro_haruyama)Takahiro Haruyama
The Art of Malware C2 Scanning - How to Reverse and Emulate Protocol Obfuscated by Compiler
DOPLUGS Hodur
2024-01-23CSIRT-CTICSIRT-CTI
Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks
PlugX TONESHELL Unidentified 094
2023-09-22Palo Alto Networks Unit 42Lior Rochberger, Robert Falcone, Tom Fakterman
Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
Cobalt Strike MimiKatz RemCom ShadowPad TONESHELL
2023-09-07MicrosoftMicrosoft Threat Analysis Center (MTAC)
Sophistication, scope, and scale: Digital threats from East Asia increase in breadth and effectiveness
MUSTANG PANDA Raspberry Typhoon
2023-09-07SekoiaJamila B.
My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL Dalbit MirrorFace
2023-03-02ESET ResearchAlexandre Côté Cyr
MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT
MQsTTang
2023-02-15GoogleGoogle Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2023-01-26TEAMT5Still Hsu
Brief History of MustangPanda and its PlugX Evolution
PlugX MUSTANG PANDA
2022-11-18Trend MicroNick Dai, Sunny Lu, Vickie Su
Earth Preta Spear-Phishing Governments Worldwide
TONESHELL Unidentified 094 MUSTANG PANDA
2022-04-28DARKReadingJai Vijayan
Chinese APT Bronze President Mounts Spy Campaign on Russian Military
PlugX MUSTANG PANDA
2022-03-23ESET ResearchAlexandre Côté Cyr
Mustang Panda’s Hodur: Old tricks, new Korplug variant
Hodur PlugX
2022-03-07ProofpointMichael Raggi, Myrtus 0x0
The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates
PlugX MUSTANG PANDA
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-11-23ProofpointProofpoint Threat Research Team
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX MUSTANG PANDA
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-01-01SecureworksSecureWorks
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA
2019-01-01Council on Foreign RelationsCyber Operations Tracker
Mustang Panda
MUSTANG PANDA
2018-06-15CrowdStrikeAdam Meyers
Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA
MUSTANG PANDA

Credits: MISP Project