MITRE ATT&CK® Group

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]

Enterprise | G0129 | Group | Object version 3.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Mustang Panda matters because ATT&CK describes a long-running China-based espionage group using tailored phishing and decoy documents, with relationships to credential theft, remote access, web shells, side-loading, keylogging, proxying, and removable-drive propagation tooling. For leaders, the value is not just knowing the name; it is testing whether email defenses, endpoint visibility, identity controls, and incident response playbooks can handle a phishing-led intrusion that may move from user execution to persistence, credential access, internal reconnaissance, and covert remote access.

Executive priority

Prioritize this as an espionage-readiness and resilience question for organizations with government, diplomatic, NGO, research, religious, think tank, or regionally relevant exposure across the United States, Europe, and Asia. Executives should ask whether the organization can prove control coverage for phishing delivery, Windows endpoint compromise, credential dumping, Active Directory discovery, web shell access, and post-compromise remote access. The associated campaign C0047, from mid-2023 through the end of 2024, reinforces the need for campaign-aware threat intelligence, user-reporting workflows, and evidence that SOC and IR teams can connect phishing, installer downloads, PlugX-like activity, and follow-on tooling into one investigation.

Technical view

ATT&CK provides no group-level platforms or official detection text, so defenders should validate from relationships. Most associated software is Windows-focused, including Mimikatz, PoisonIvy, PlugX, AdFind, Wevtutil, RCSession, BOOKWORM, StarProxy, PUBLOAD, HIUPAN, SplatDropper, PAKLOG, SplatCloak, CorKLOG, CLAIMLOADER, CANONSTAGER, STATICPLUGIN, and TONESHELL. Coverage should be tested across suspicious archive delivery, decoy-document execution chains, DLL side-loading, legitimate executable abuse, C2-capable RAT/backdoor behavior, credential dumping, AD enumeration, event log utility use, removable-drive propagation, web shell exposure, and proxying from an infected host to internal systems. Cross-platform relationships to Cobalt Strike, Impacket, and NBTscan mean network and authentication telemetry should not be limited to endpoint alerts alone.

Likely telemetry

  • Email security logs for tailored phishing, malicious attachments, links, archive files, and user click/download events.
  • Endpoint process, command-line, module load, DLL load, file creation, persistence, and security-tool tampering telemetry from Windows hosts.
  • Authentication and identity logs that can show credential dumping consequences, unusual logons, Kerberos/Windows protocol activity, and lateral access attempts.
  • Active Directory query telemetry, especially command-line use consistent with directory enumeration tools such as AdFind.
  • Network telemetry for outbound C2-like connections, internal scanning, SMB/NetBIOS activity, proxy behavior, and connections from servers that should not initiate external sessions.

Detection direction

  • Start with behavior chains rather than actor-name matching: phishing lure or archive delivery, user execution, side-loaded DLL or loader activity, persistence, host survey, C2, credential access, and internal reconnaissance.
  • Tune detections for legitimate binaries loading unexpected DLLs from user-writable or staging directories, including public user paths and archive-extracted locations, while accounting for software installers and administrative tools as false-positive sources.
  • Validate that Mimikatz-like credential access, Impacket-style protocol abuse, AdFind directory enumeration, NBTscan internal reconnaissance, and Wevtutil event log interaction are visible and triaged together when seen after suspicious email or download activity.
  • Correlate endpoint alerts with network evidence for PlugX, PoisonIvy, Cobalt Strike, ShadowPad, TONESHELL, PUBLOAD, CLAIMLOADER, and other associated RAT, stager, loader, and backdoor families without assuming any single malware name will be present.
  • Include server-side hunting for web shells because China Chopper is associated through relationships and may not look like a normal endpoint malware callback.

Mitigation priorities

  • Reduce phishing success first: strengthen secure email controls, attachment and archive handling, link inspection, user reporting, and rapid containment for suspected lure-driven compromise.
  • Harden Windows execution paths: restrict execution from user-writable directories, monitor or control DLL side-loading opportunities, and enforce application control where operationally feasible.
  • Protect identity: limit local administrator exposure, apply credential protection, monitor privileged account use, and ensure Active Directory query and authentication logs are retained for investigations.
  • Improve endpoint resilience: ensure EDR coverage and tamper protection are enabled where supported, and verify alerts for security-tool disablement behavior such as that described for SplatCloak.
  • Segment and monitor internal networks to limit proxying, lateral movement, and reconnaissance from a compromised workstation to sensitive systems.

Analyst notes and limits

This take is based on the supplied ATT&CK intrusion-set fields, external references, and relationships. The relationship set is rich and points to a Windows-heavy tooling ecosystem, phishing-led delivery, PlugX-related operations, credential and directory tooling, RATs/backdoors, web shell access, side-loading, keyloggers, removable-drive propagation, and proxy capability. For Glexia services, the practical use is to drive threat-informed validation: confirm whether controls and telemetry can reconstruct a full intrusion narrative, not merely alert on malware names.

ATT&CK provides no official detection guidance, no group-level platforms, and no group-level tactics for this object. Related software descriptions provide platform and behavior context, but local risk depends on geography, sector, exposed web infrastructure, email patterns, endpoint coverage, identity architecture, and retained telemetry. This summary does not assert current activity, customer targeting, guaranteed detection, or confirmed exposure beyond the supplied ATT&CK content.

Official MITRE ATT&CK definition

Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

65 rows
Domain ID Name Relationship / procedure
Enterprise T1016 System Network Configuration Discovery

Mustang Panda has used ipconfig and arp to determine network configuration information.(Citation: Avira Mustang Panda January 2020) Mustang Panda has also utilized SharpNBTScan to scan the victim environment.(Citation: Unit42 Chinese VSCode 06 September 2024)

Enterprise T1608.001 Upload Malware Sub-technique

Mustang Panda has hosted malicious payloads on Dropbox, including PlugX.(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1583.006 Web Services Sub-technique

Mustang Panda has set up Dropbox and Google Drive to host malicious downloads.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)

Enterprise T1047 Windows Management Instrumentation

Mustang Panda has executed PowerShell scripts via WMI.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1573.001 Symmetric Cryptography Sub-technique

Mustang Panda has encrypted C2 communications with RC4.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Recorded Future REDDELTA July 2020) Mustang Panda has also leveraged encryption and compression algorithms to obfuscate the traffic between the system and the C2 server; methods observed include RC4, AES, XOR with 0x5a, and LZO.(Citation: Unit42 Bookworm Nov2015)

Enterprise T1593 Search Open Websites/Domains

Mustang Panda has used open-source research to identify information about victims to use in targeting, including creating weaponized phishing lures and attachments.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)

Enterprise T1204.001 Malicious Link Sub-technique

Mustang Panda has sent malicious links, including links directing victims to a Google Drive folder.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Proofpoint TA416 Europe March 2022)(Citation: McAfee Dianxun March 2021) Mustang Panda has also utilized webpages with JavaScript code that downloads malicious payloads to the victim device.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)

Enterprise T1046 Network Service Discovery

Mustang Panda has leveraged NBTscan to scan IP networks.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1140 Deobfuscate/Decode Files or Information

Mustang Panda has the ability to decrypt its payload prior to execution.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos Mustang Panda PLUGX) Mustang Panda has also utilized RC4 encryption for malicious payloads.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Unit42 Bookworm Nov2015)

Enterprise T1049 System Network Connections Discovery

Mustang Panda has used netstat -ano to determine network connection information.(Citation: Avira Mustang Panda January 2020)

Enterprise T1059.005 Visual Basic Sub-technique

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Crowdstrike MUSTANG PANDA June 2018) Mustang Panda has also used VBA macros in maldocs to execute malicious DLLs.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022) Mustang Panda has also utilized a VBS script, `autorun.vbs`, that established persistence by saving itself in the Startup directory so that it ran each time the machine was started.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1219.001 IDE Tunneling Sub-technique

Mustang Panda has utilized an established GitHub account to create a tunnel into the victim environment using Visual Studio Code through the `code.exe tunnel` command.(Citation: Unit42 Chinese VSCode 06 September 2024)

Enterprise T1567.002 Exfiltration to Cloud Storage Sub-technique

Mustang Panda has exfiltrated archived files to cloud services such as Dropbox using `curl`.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: Unit42 Chinese VSCode 06 September 2024)

Enterprise T1053.005 Scheduled Task Sub-technique

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: McAfee Dianxun March 2021) Mustang Panda has also created a scheduled task that creates a reverse shell.(Citation: Unit42 Chinese VSCode 06 September 2024)

Enterprise T1087.002 Domain Account Sub-technique

Mustang Panda has utilized AdFind to identify domain users.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1598.003 Spearphishing Link Sub-technique

Mustang Panda has delivered web bugs to profile their intended targets.(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1678 Delay Execution

Mustang Panda has delayed the execution of payloads by leveraging ping echo requests as a timer, e.g. `cmd /c ping 8.8.8.8 -n 70&&"%temp%\"`.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Sophos PlugX September 2022)

Enterprise T1564.001 Hidden Files and Directories Sub-technique

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.(Citation: Avira Mustang Panda January 2020) Mustang Panda has also modified file attributes to `hidden` and `system`.(Citation: Eset PlugX Korplug Mustang Panda March 2022)

Enterprise T1218.005 Mshta Sub-technique

Mustang Panda has used mshta.exe to launch collection scripts.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1027.007 Dynamic API Resolution Sub-technique

Mustang Panda has leveraged obfuscated Windows API function calls that were concealed as unique names or hashes of the Windows API.(Citation: Eset PlugX Korplug Mustang Panda March 2022)

Enterprise T1585.002 Email Accounts Sub-technique

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.(Citation: Proofpoint TA416 Europe March 2022) Mustang Panda has also created fake Google accounts to distribute malware via spear-phishing emails.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) Mustang Panda has also created accounts for spearphishing operations, including the use of services such as Proton Mail.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)

Enterprise T1219.002 Remote Desktop Software Sub-technique

Mustang Panda has installed TeamViewer on targeted systems.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1003 OS Credential Dumping

Mustang Panda utilized "Hdump" to dump credentials from memory.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1003.006 DCSync Sub-technique

Mustang Panda has leveraged the Mimikatz DCSync feature to obtain user credentials.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1218.004 InstallUtil Sub-technique

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.(Citation: Anomali MUSTANG PANDA October 2019)

Enterprise T1586.002 Email Accounts Sub-technique

Mustang Panda has compromised legitimate email accounts to use in their spear-phishing operations.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)

Enterprise T1560.001 Archive via Utility Sub-technique

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020) Mustang Panda has used WinRAR "Rar.exe" to archive stolen files before exfiltration.(Citation: Unit42 Chinese VSCode 06 September 2024) Mustang Panda has also used TONESHELL and post-exploitation tools such as RemCom and Impacket to execute WinRAR `rar.exe` to archive files for exfiltration.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1070 Indicator Removal

Mustang Panda has deleted registry keys that store data and maintained persistence.(Citation: Eset PlugX Korplug Mustang Panda March 2022)

Enterprise T1071.001 Web Protocols Sub-technique

Mustang Panda has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Unit42 Bookworm Nov2015)(Citation: McAfee Dianxun March 2021)

Enterprise T1018 Remote System Discovery

Mustang Panda has queried Active Directory for computers using AdFind.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023) Mustang Panda has also utilized SharpNBTScan to scan the victim environment.(Citation: Unit42 Chinese VSCode 06 September 2024)

Enterprise T1069.002 Domain Groups Sub-technique

Mustang Panda has leveraged AdFind to enumerate domain groups.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1001.003 Protocol or Service Impersonation Sub-technique

Mustang Panda has utilized TLS record headers in network packets to impersonate various versions of the TLS protocol and blend in with legitimate network traffic. Mustang Panda has used FakeTLS to communicate with its C2 servers.(Citation: Zscaler)

Enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique

Mustang Panda has used FTP to exfiltrate archive files.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1566.002 Spearphishing Link Sub-technique

Mustang Panda has delivered malicious links to their intended targets.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: McAfee Dianxun March 2021) Mustang Panda has distributed spear-phishing emails with embedded links that direct the victim to a malicious archive hosted on Google Drive or Dropbox.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)

Enterprise T1041 Exfiltration Over C2 Channel

Mustang Panda has exfiltrated stolen data and files to its C2 server.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Sophos PlugX September 2022)

Enterprise T1072 Software Deployment Tools

Mustang Panda has leveraged legitimate software tools such as antivirus agents, security services, and app development tools to execute scripts and to side-load DLLs.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)

Enterprise T1557 Adversary-in-the-Middle

Mustang Panda leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)

Enterprise T1505.003 Web Shell Sub-technique

Mustang Panda has used China Chopper web shells to maintain access to victims' environments.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1176.002 IDE Extensions Sub-technique

Mustang Panda has leveraged Visual Studio Code's (VSCode) embedded reverse shell feature using the command `code.exe tunnel` to execute code and deliver additional payloads.(Citation: Unit42 Chinese VSCode 06 September 2024)

Enterprise T1588.003 Code Signing Certificates Sub-technique

Mustang Panda has used revoked code signing certificates for its malicious payloads.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)

Enterprise T1091 Replication Through Removable Media

Mustang Panda has used a customized PlugX variant which could spread through USB connections.(Citation: Avira Mustang Panda January 2020)

Enterprise T1059.003 Windows Command Shell Sub-technique

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020) Mustang Panda has also utilized cmd.exe to execute commands on an infected host, such as `cmd.exe /c ping.exe 8.8.8.8 -n 70&&"%temp%\FontEDL.exe"`.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)

Enterprise T1052.001 Exfiltration over USB Sub-technique

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.(Citation: Avira Mustang Panda January 2020)

Enterprise T1003.001 LSASS Memory Sub-technique

Mustang Panda has harvested credentials from the memory of lsass.exe with Mimikatz.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1588.002 Tool Sub-technique

Mustang Panda has obtained and leveraged publicly available tools for intrusion activities.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1588.004 Digital Certificates Sub-technique

Mustang Panda has obtained SSL certificates for their C2 domains.(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)

Enterprise T1560.003 Archive via Custom Method Sub-technique

Mustang Panda has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2020)

Enterprise T1070.004 File Deletion Sub-technique

Mustang Panda will delete their tools and files, and kill processes, after their objectives are reached.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)

Enterprise T1129 Shared Modules

Mustang Panda has leveraged `LoadLibrary` to load DLLs.(Citation: Eset PlugX Korplug Mustang Panda March 2022)

Enterprise T1057 Process Discovery

Mustang Panda has used tasklist /v to determine active process information.(Citation: Avira Mustang Panda January 2020) Mustang Panda has also used TONESHELL malware to check the process name and process path to ensure they match the expected ones prior to triggering a custom exception handler.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)

Enterprise T1082 System Information Discovery

Mustang Panda has gathered system information using systeminfo.(Citation: Avira Mustang Panda January 2020)

Enterprise T1095 Non-Application Layer Protocol

Mustang Panda has utilized TCP-based reverse shells using cmd.exe.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)

Enterprise T1203 Exploitation for Client Execution

Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.(Citation: Crowdstrike MUSTANG PANDA June 2018)

Enterprise T1574.005 Executable Installer File Permissions Weakness Sub-technique

Mustang Panda has leveraged legitimate software installer executables such as Setup Factory "IRSetup.exe" to drop and execute their payload.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)

Enterprise T1608 Stage Capabilities

Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1622 Debugger Evasion

Mustang Panda has embedded debug strings with messages to distract analysts.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) Mustang Panda has also made calls to the Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger.(Citation: Sophos Mustang Panda PLUGX)

Enterprise T1566.001 Spearphishing Attachment Sub-technique

Mustang Panda has used spearphishing attachments to deliver initial access payloads.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: Recorded Future REDDELTA July 2020)(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Proofpoint TA416 November 2020) Mustang Panda has also delivered archive files such as RAR and ZIP files containing legitimate EXEs and malicious DLLs.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)

Enterprise T1654 Log Enumeration

Mustang Panda has used Wevtutil to gather Windows Security event logs.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1083 File and Directory Discovery

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.(Citation: Avira Mustang Panda January 2020)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)

Enterprise T1518 Software Discovery

Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.(Citation: Anomali MUSTANG PANDA October 2019)

Enterprise T1583.001 Domains Sub-technique

Mustang Panda has acquired C2 domains prior to operations.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: Recorded Future REDDELTA July 2020)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Unit42 Bookworm Nov2015)(Citation: Palo Alto Networks, Unit 42)(Citation: McAfee Dianxun March 2021)

Enterprise T1574.001 DLL Sub-technique

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Broadcom)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Recorded Future REDDELTA July 2020)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Proofpoint TA416 November 2020)(Citation: Unit42 Bookworm Nov2015)(Citation: Sophos PlugX September 2022)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)(Citation: Zscaler) Mustang Panda has abused legitimate executables to side-load malicious DLLs.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)

Enterprise T1546.003 Windows Management Instrumentation Event Subscription Sub-technique

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1106 Native API

Mustang Panda has used various Windows API calls during execution and defense evasion.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Broadcom)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)(Citation: Zscaler)

Enterprise T1003.003 NTDS Sub-technique

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used `reg save` on the SYSTEM registry hive, which holds the boot key needed to decrypt the NTDS.dit file.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)
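Most of the procedures in the table above surface as command lines: the ping-chained delay (T1678), vssadmin and reg save against NTDS.dit (T1003.003), wevtutil against the Security log (T1654), password-protected rar archives (T1560.001), AdFind enumeration, `code.exe tunnel` (T1219.001) and the ipconfig/arp/netstat/tasklist/systeminfo survey. As an added example that is not ATT&CK or Glexia code, the following correlates constructed process-creation records into one narrative per host, which is what the Glexia's Take section asks SOC teams to be able to do. The regex-to-technique mapping, hosts, users, paths and timestamps are constructed assumptions; the only fields expected from telemetry are timestamp, host, user and command line.

```python
"""Added example (not ATT&CK or Glexia code): stitch the command-line procedures
in the table above into one narrative per host. Records are constructed
process-creation events (ISO timestamp, host, user, command line). The regex to
technique mapping is an assumption derived from this page's procedure text and
should be tuned to local telemetry before use."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (regex, "<technique id(s)> <label>"); the first token of the label is the ATT&CK ID.
PATTERNS = [
    (r"\bping(\.exe)?\s+\S+\s+-n\s+\d+\s*&&", "T1678 delayed execution via ping"),
    (r"\bvssadmin(\.exe)?\s+create\s+shadow", "T1003.003 shadow copy for NTDS.dit"),
    (r"\breg(\.exe)?\s+save\s+hklm\\system", "T1003.003 SYSTEM hive save"),
    (r"\bwevtutil(\.exe)?\s+(qe|epl)\s+security", "T1654 Security event log enumeration"),
    (r"\brar(\.exe)?\s+a\s+(?:\S+\s+)*-h?p\S*", "T1560.001 password-protected RAR archive"),
    (r"\badfind(\.exe)?\b", "T1087.002/T1018/T1069.002 AdFind directory enumeration"),
    (r"\bcode(\.exe)?\s+tunnel\b", "T1219.001 VS Code tunnel"),
    (r"\bmshta(\.exe)?\s", "T1218.005 mshta execution"),
    (r"\binstallutil(\.exe)?\s", "T1218.004 InstallUtil execution"),
    (r"lsadump::dcsync|\bmimikatz", "T1003.006 Mimikatz DCSync"),
    (r"\bsharpnbtscan|\bnbtscan", "T1046 NetBIOS scanning"),
    (r"\bnetstat\s+-ano|\bipconfig\b|\barp\s+-a|\btasklist\s+/v|\bsysteminfo\b",
     "T1016/T1049/T1057/T1082 host survey"),
    (r"\bcurl(\.exe)?\s.*dropbox", "T1567.002 exfiltration to cloud storage"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in PATTERNS]


def classify(cmdline: str) -> set:
    """Map one command line to the set of technique labels it matches."""
    return {label for rx, label in COMPILED if rx.search(cmdline)}


def correlate(records, window=timedelta(hours=2), min_distinct=3):
    """Group matched commands per host into time windows and keep the windows
    that show at least min_distinct different technique IDs."""
    by_host = defaultdict(list)
    for ts, host, user, cmd in records:
        labels = classify(cmd)
        if labels:
            by_host[host].append((datetime.fromisoformat(ts), user, cmd, labels))
    narratives = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        sessions, current = [], []
        for hit in hits:
            # start a new session once the gap from the session's first hit exceeds the window
            if current and hit[0] - current[0][0] > window:
                sessions.append(current)
                current = []
            current.append(hit)
        if current:
            sessions.append(current)
        for s in sessions:
            ids = {label.split()[0] for hit in s for label in hit[3]}
            if len(ids) >= min_distinct:
                narratives.setdefault(host, []).append({
                    "start": s[0][0], "end": s[-1][0], "users": sorted({hit[1] for hit in s}),
                    "techniques": sorted(ids), "commands": [hit[2] for hit in s]})
    return narratives


# Constructed sample telemetry; hosts, users, paths and timestamps are made up.
SAMPLE_RECORDS = [
    ("2024-03-04T09:02:11", "WS-017", "jdoe",
     r'cmd.exe /c ping.exe 8.8.8.8 -n 70&&"C:\Users\jdoe\AppData\Local\Temp\Invite\Update.exe"'),
    ("2024-03-04T09:05:40", "WS-017", "jdoe",
     "cmd.exe /c ipconfig /all & arp -a & netstat -ano & tasklist /v & systeminfo"),
    ("2024-03-04T09:20:03", "WS-017", "jdoe", 'adfind.exe -f "objectcategory=computer" name operatingsystem'),
    ("2024-03-04T09:44:19", "WS-017", "jdoe",
     r"C:\Users\jdoe\AppData\Local\Temp\code.exe tunnel --accept-server-license-terms"),
    ("2024-03-04T10:31:02", "DC01", "svc_backup", "vssadmin create shadow /for=C:"),
    ("2024-03-04T10:31:40", "DC01", "svc_backup", r"reg save hklm\system C:\Windows\Temp\sys.hiv"),
    ("2024-03-04T10:33:15", "DC01", "svc_backup", r"wevtutil qe Security /f:text /c:500 > C:\Windows\Temp\sec.txt"),
    ("2024-03-04T10:40:58", "DC01", "svc_backup", r"rar.exe a -hpHunter2 C:\Windows\Temp\out.rar C:\Windows\Temp\*.hiv"),
    ("2024-03-04T08:15:00", "ADMIN-PC", "helpdesk", "ping 8.8.8.8 -n 4"),
    ("2024-03-04T08:16:10", "ADMIN-PC", "helpdesk", "ipconfig /all"),
    ("2024-03-04T15:02:00", "ADMIN-PC", "helpdesk", "netstat -ano"),
]

if __name__ == "__main__":
    for host, sessions in correlate(SAMPLE_RECORDS).items():
        for s in sessions:
            print(f"{host}: {s['start']} .. {s['end']} techniques={s['techniques']}")
            for c in s["commands"]:
                print("   ", c)
```

On the constructed data WS-017 and DC01 each produce one narrative (four and three distinct technique IDs respectively), while the help-desk machine that only ran a plain ping, ipconfig and, hours later, netstat never reaches the threshold. Raising min_distinct or shrinking the window trades sensitivity for noise; the point is that the individual commands are common and only the chain is interesting.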

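The T1573.001 and T1140 rows above name RC4 and single-byte XOR with 0x5a among the transforms applied to payloads and C2 traffic. As an added example that is not ATT&CK, Glexia or vendor code, here is an analyst-side decoder that tries those two transforms, and their combination, against a blob and stops when the result carries a plausible PE header. The key, the blob and the minimal PE stub are constructed for illustration; real samples use their own keys and may add AES or LZO, which this example does not cover.

```python
"""Added example (not ATT&CK, Glexia or vendor code): try the two simplest
decodings named on this page, RC4 and single-byte XOR with 0x5a, against a blob
and stop at the first result that looks like a PE file. Keys and data below are
constructed for illustration only."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation, XOR keystream
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_single(data: bytes, k: int = 0x5A) -> bytes:
    """Single-byte XOR; 0x5a is the constant the page reports."""
    return bytes(b ^ k for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """MZ signature plus an e_lfanew that points at 'PE\\0\\0' inside the blob."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_decode(blob: bytes, rc4_keys=()):
    """Return (method, decoded) for the first candidate that yields a PE, else (None, None).
    Order: as-is, XOR 0x5a, RC4 per key, RC4 per key then XOR 0x5a."""
    candidates = [("plain", blob), ("xor-0x5a", xor_single(blob))]
    for k in rc4_keys:
        plain = rc4(k, blob)
        candidates.append((f"rc4:{k!r}", plain))
        candidates.append((f"rc4:{k!r}+xor-0x5a", xor_single(plain)))
    for name, data in candidates:
        if looks_like_pe(data):
            return name, data
    return None, None


def build_fake_pe() -> bytes:
    """Constructed minimal stub: MZ header, e_lfanew = 0x40, 'PE\\0\\0' at offset 0x40."""
    header = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
    return header + b"PE\0\0" + b"\0" * 60


# Constructed sample: payload XORed with 0x5a and then RC4-encrypted under a made-up key.
SAMPLE_KEY = b"constructed-key"
SAMPLE_BLOB = rc4(SAMPLE_KEY, xor_single(build_fake_pe()))

if __name__ == "__main__":
    method, decoded = try_decode(SAMPLE_BLOB, rc4_keys=[b"wrong", SAMPLE_KEY])
    print(method, decoded[:2] if decoded else None)
```

The candidate order matters for triage speed, not correctness: the cheap single-byte XOR is tried before any RC4 key, and each RC4 result is checked both on its own and after the XOR layer so the two-stage construction the page describes is caught without guessing the stage order.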
Associated objects

Groups, software, and campaigns

Malware Enterprise

S1237: CANONSTAGER

CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed utilized in 2025. Mustang Panda utilizes DLL side-loading to execute within the victim environment prior to delivering a follow-on malicious encrypted payload. CANONSTAGER leverages Thread Local Storage (TLS) and Native Windows APIs within the victim environment to elude detections. CANONSTAGER also hides its code utilizing window procedures and message queues.[1]

Windows
Malware Enterprise

S0596: ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. [1][2][3]

Windows
Malware Enterprise

S0154: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

Linux, macOS, Windows
Tool Enterprise

S0357: Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]

Linux, macOS, Windows
Malware Enterprise

S1233: PAKLOG

PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. PAKLOG is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious PAKLOG DLL (pa_lang2.dll). The PACLOUD.exe binary is used to side-load the PAKLOG DLL which starts with the keylogger functionality.[1]

Windows
Tool Enterprise

S0645: Wevtutil

Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[1]

Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 3.0
Raw hash: a7e7c14cde3304f3...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 3.0 | | Current bundle | a7e7c14cde33…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records. Entries marked as associated group names are the alternate names ATT&CK records for this group, each listed with the references that support the name.

[1] BlackBerry MUSTANG PANDA October 2022. The BlackBerry Research and Intelligence Team. (2022, October 6). Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims. Retrieved October 14, 2025.
[2] Eset PlugX Korplug Mustang Panda March 2022. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
[3] Anomali MUSTANG PANDA October 2019. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
[4] Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025.
[5] Secureworks BRONZE PRESIDENT December 2019. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
[6] DOJ Affidavit Search and Seizure PlugX December 2024. DOJ. (2024, December 20). Mag. No. 24-mj-1387 AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A NINTH SEARCH AND SEIZURE WARRANT - IN THE MATTER OF THE SEARCH AND SEIZURE OF COMPUTERS IN THE UNITED STATES INFECTED WITH PLUGX MALWARE. Retrieved September 9, 2025.
[7] EclecticIQ Mustang Panda PlugX. EclecticIQ Threat Research Team. (2023, February 2). Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware. Retrieved September 9, 2025.
[8] ATTACKIQ MUSTANG PANDA TONESHELL March 2023. Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025.
[9] Crowdstrike MUSTANG PANDA June 2018. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
[10] Palo Alto Networks, Unit 42. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.
[11] Sophos PlugX September 2022. Secureworks Counter Threat Unit Research Team. (2022, April 27). BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX. Retrieved September 9, 2025.
[12] Sophos Mustang Panda PLUGX. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025.
[13] Zscaler. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025.
[14] 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
[15] 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
[16] BRONZE PRESIDENT. Associated group name; supported by [5], [11], [12].
[17] Broadcom. Broadcom Protection Bulletins. (2025, February 20). Bookworm malware linked to Fireant (aka Stately Tarurus) activity observed in Southeast Asia. Retrieved July 21, 2025.
[18] CAMARO DRAGON. Associated group name; supported by [26].
[19] CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024. CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025.
[20] Cloudflare 2026 Threat Report New Threat Actors March 2026. Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.
[21] ClumsyToad. Associated group name; supported by [20].
[22] EARTH PRETA. Associated group name; supported by [14], [43], [44], [45].
[23] FIREANT. Associated group name; supported by [17].
[24] Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.
[25] HIVE0154. Associated group name; supported by [15], [27].
[26] HorseShell. Cohen, Itay. Madej, Radoslaw. Threat Intelligence Team. (2023, May 16). THE DRAGON WHO SOLD HIS CAMARO: ANALYZING CUSTOM ROUTER IMPLANT. Retrieved December 26, 2023.
[27] IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
[28] LUMINOUS MOTH. Associated group name; supported by [29].
[29] Microsoft Naming Conventions Frequently Updated. Microsoft. (2025, September 8). How Microsoft names threat actors. Retrieved September 10, 2025.
[30] Mustang Panda. Associated group name; supported by [9].
[31] PWC UK MUSTANG PANDA RED LICH February 2021. PWC UK. (2021, February 28). Cyber Threats 2020: A Year in Retrospect. Retrieved October 15, 2025.
[32] Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
[33] Proofpoint TA416 Europe March 2022. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
[34] Proofpoint TA416 November 2020. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
[35] Recorded Future REDDELTA July 2020. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
[36] Red Lich. Associated group name; supported by [31].
[37] RedDelta. Associated group name; supported by [33], [35].
[38] STATELY TAURUS. Associated group name; supported by [10], [17], [19], [32], [47], [48].
[39] TA416. Associated group name; supported by [34].
[40] TANTALUM. Associated group name; supported by [29].
[41] TEMP.Hex. Associated group name; supported by [24].
[42] TWILL TYPHOON. Associated group name; supported by [29].
[43] Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
[44] Trend Micro Mustang Panda Earth Preta TONESHELL June 2023. Sunny Lu, Vickie Su, Nick Dai. (2023, June 14). Behind the Scenes: Unveiling the Hidden Workings of Earth Preta. Retrieved September 10, 2025.
[45] Trend Micro Mustang Panda Earth Preta Toneshell February 2025. Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025.
[46] UNC6384. Associated group name; supported by [24].
[47] Unit42 Bookworm Nov2015. Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025.
[48] Unit42 Chinese VSCode 06 September 2024. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.
[49] mitre-attack G0129. The canonical MITRE ATT&CK entry for this group.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.