SYMBOLCOMMON_NAMEaka. SYNONYMS

MUSTANG PANDA  (Back to overview)

aka: BRONZE PRESIDENT, HoneyMyte, Red Lich, TEMP.HEX, BASIN, Earth Preta

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.


Associated Families
win.mqsttang win.toneshell

References
2023-09-07SekoiaJamila B.
@online{b:20230907:my:de66f96, author = {Jamila B.}, title = {{My Tea’s not cold. An overview of China’s cyber threat}}, date = {2023-09-07}, organization = {Sekoia}, url = {https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/}, language = {English}, urldate = {2023-09-08} } My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL
2023-03-02ESET ResearchAlexandre Côté Cyr
@online{cyr:20230302:mqsttang:b7dee51, author = {Alexandre Côté Cyr}, title = {{MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT}}, date = {2023-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/}, language = {English}, urldate = {2023-03-13} } MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT
MQsTTang
2023-02-15GoogleGoogle Threat Analysis Group, Mandiant
@techreport{group:20230215:fog:0d99aaa, author = {Google Threat Analysis Group and Mandiant}, title = {{Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape}}, date = {2023-02-15}, institution = {Google}, url = {https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf}, language = {English}, urldate = {2023-03-13} } Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-11-18Trend MicroNick Dai, Vickie Su, Sunny Lu
@online{dai:20221118:earth:e3e474b, author = {Nick Dai and Vickie Su and Sunny Lu}, title = {{Earth Preta Spear-Phishing Governments Worldwide}}, date = {2022-11-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html}, language = {English}, urldate = {2023-08-03} } Earth Preta Spear-Phishing Governments Worldwide
TONESHELL Unidentified 094 MUSTANG PANDA
2022-04-28DARKReadingJai Vijayan
@online{vijayan:20220428:chinese:c4c2534, author = {Jai Vijayan}, title = {{Chinese APT Bronze President Mounts Spy Campaign on Russian Military}}, date = {2022-04-28}, organization = {DARKReading}, url = {https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military}, language = {English}, urldate = {2022-08-26} } Chinese APT Bronze President Mounts Spy Campaign on Russian Military
PlugX MUSTANG PANDA
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:mustang:09129d5, author = {Cyber Operations Tracker}, title = {{Mustang Panda}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/mustang-panda}, language = {English}, urldate = {2019-12-20} } Mustang Panda
MUSTANG PANDA
2018-06-15CrowdStrikeAdam Meyers
@online{meyers:20180615:meet:475521f, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA}}, date = {2018-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/}, language = {English}, urldate = {2019-12-20} } Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA
MUSTANG PANDA

Credits: MISP Project