| SYMBOL | COMMON_NAME | aka. SYNONYMS |
This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.
| 2024-11-21
⋅
Hunt.io
⋅
DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure DOPLUGS |
| 2024-10-02
⋅
ESET Research
⋅
Separating the bee from the panda: CeranaKeeper making a beeline for Thailand PUBLOAD TONESHELL WavyExfiller CeranaKeeper |
| 2024-09-24
⋅
Trend Micro
⋅
Earth Preta Evolves its Attacks with New Malware and Strategies FDMTP |
| 2024-09-03
⋅
Hunt.io
⋅
ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit TONESHELL |
| 2024-08-23
⋅
TEAMT5
⋅
Sailing the Seven SEAs: Deep Dive into Polaris' Arsenal and Intelligence Insights Cobalt Strike Hodur PlugX TONESHELL |
| 2024-07-01
⋅
Speakerdeck (takahiro_haruyama)
⋅
The Art of Malware C2 Scanning - How to Reverse and Emulate Protocol Obfuscated by Compiler DOPLUGS Hodur |
| 2024-02-20
⋅
Trendmicro
⋅
Earth Preta Campaign Uses DOPLUGS to Target Asia DOPLUGS |
| 2024-01-23
⋅
CSIRT-CTI
⋅
Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks PlugX PUBLOAD TONESHELL |
| 2023-12-11
⋅
Lab52
⋅
Mustang Panda’s PlugX new variant targetting Taiwanese government and diplomats DOPLUGS |
| 2023-09-22
⋅
Palo Alto Networks Unit 42
⋅
Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda Cobalt Strike MimiKatz RemCom ShadowPad TONESHELL |
| 2023-09-07
⋅
Microsoft
⋅
Sophistication, scope, and scale: Digital threats from East Asia increase in breadth and effectiveness MUSTANG PANDA Raspberry Typhoon |
| 2023-09-07
⋅
Sekoia
⋅
My Tea’s not cold. An overview of China’s cyber threat Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL Dalbit MirrorFace |
| 2023-07-03
⋅
Check Point Research
⋅
Chinese Threat Actors Targeting Europe in SmugX Campaign DOPLUGS SmugX |
| 2023-03-02
⋅
ESET Research
⋅
MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT MQsTTang |
| 2023-02-15
⋅
Google
⋅
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla |
| 2023-01-26
⋅
TEAMT5
⋅
Brief History of MustangPanda and its PlugX Evolution PlugX MUSTANG PANDA |
| 2022-12-22
⋅
Recorded Future
⋅
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant DOPLUGS RedDelta |
| 2022-11-18
⋅
Trend Micro
⋅
Earth Preta Spear-Phishing Governments Worldwide PUBLOAD TONESHELL MUSTANG PANDA |
| 2022-04-28
⋅
DARKReading
⋅
Chinese APT Bronze President Mounts Spy Campaign on Russian Military PlugX MUSTANG PANDA |
| 2022-04-27
⋅
Secureworks
⋅
BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX DOPLUGS |
| 2022-03-23
⋅
ESET Research
⋅
Mustang Panda’s Hodur: Old tricks, new Korplug variant Hodur PlugX |
| 2022-03-07
⋅
Proofpoint
⋅
The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates PlugX MUSTANG PANDA |
| 2021-02-28
⋅
PWC UK
⋅
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
| 2020-11-23
⋅
Proofpoint
⋅
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader PlugX MUSTANG PANDA |
| 2020-03-04
⋅
CrowdStrike
⋅
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
| 2020-03-03
⋅
PWC UK
⋅
Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA |
| 2019-01-01
⋅
Council on Foreign Relations
⋅
Mustang Panda MUSTANG PANDA |
| 2018-06-15
⋅
CrowdStrike
⋅
Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA MUSTANG PANDA |