G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
Analyst context for executives and security teams
Mustang Panda matters because ATT&CK describes a long-running China-based espionage group using tailored phishing and decoy documents, with relationships to credential theft, remote access, web shells, side-loading, keylogging, proxying, and removable-drive propagation tooling. For leaders, the value is not just knowing the name; it is testing whether email defenses, endpoint visibility, identity controls, and incident response playbooks can handle a phishing-led intrusion that may move from user execution to persistence, credential access, internal reconnaissance, and covert remote access.
Executive priority
Prioritize this as an espionage-readiness and resilience question for organizations with government, diplomatic, NGO, research, religious, think tank, or regionally relevant exposure across the United States, Europe, and Asia. Executives should ask whether the organization can prove control coverage for phishing delivery, Windows endpoint compromise, credential dumping, Active Directory discovery, web shell access, and post-compromise remote access. The associated campaign C0047, from mid-2023 through the end of 2024, reinforces the need for campaign-aware threat intelligence, user-reporting workflows, and evidence that SOC and IR teams can connect phishing, installer downloads, PlugX-like activity, and follow-on tooling into one investigation.
Technical view
ATT&CK provides no group-level platforms or official detection text, so defenders should validate from relationships. Most associated software is Windows-focused, including Mimikatz, PoisonIvy, PlugX, AdFind, Wevtutil, RCSession, BOOKWORM, StarProxy, PUBLOAD, HIUPAN, SplatDropper, PAKLOG, SplatCloak, CorKLOG, CLAIMLOADER, CANONSTAGER, STATICPLUGIN, and TONESHELL. Coverage should be tested across suspicious archive delivery, decoy-document execution chains, DLL side-loading, legitimate executable abuse, C2-capable RAT/backdoor behavior, credential dumping, AD enumeration, event log utility use, removable-drive propagation, web shell exposure, and proxying from an infected host to internal systems. Cross-platform relationships to Cobalt Strike, Impacket, and NBTscan mean network and authentication telemetry should not be limited to endpoint alerts alone.
Likely telemetry
- Email security logs for tailored phishing, malicious attachments, links, archive files, and user click/download events.
- Endpoint process, command-line, module load, DLL load, file creation, persistence, and security-tool tampering telemetry from Windows hosts.
- Authentication and identity logs that can show credential dumping consequences, unusual logons, Kerberos/Windows protocol activity, and lateral access attempts.
- Active Directory query telemetry, especially command-line use consistent with directory enumeration tools such as AdFind.
- Network telemetry for outbound C2-like connections, internal scanning, SMB/NetBIOS activity, proxy behavior, and connections from servers that should not initiate external sessions.
Detection direction
- Start with behavior chains rather than actor-name matching: phishing lure or archive delivery, user execution, side-loaded DLL or loader activity, persistence, host survey, C2, credential access, and internal reconnaissance.
- Tune detections for legitimate binaries loading unexpected DLLs from user-writable or staging directories, including public user paths and archive-extracted locations, while accounting for software installers and administrative tools as false-positive sources.
- Validate that Mimikatz-like credential access, Impacket-style protocol abuse, AdFind directory enumeration, NBTscan internal reconnaissance, and Wevtutil event log interaction are visible and triaged together when seen after suspicious email or download activity.
- Correlate endpoint alerts with network evidence for PlugX, PoisonIvy, Cobalt Strike, ShadowPad, TONESHELL, PUBLOAD, CLAIMLOADER, and other associated RAT, stager, loader, and backdoor families without assuming any single malware name will be present.
- Include server-side hunting for web shells because China Chopper is associated through relationships and may not look like a normal endpoint malware callback.
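To make the behaviour-chain tuning above concrete, the following Python example (added here; it is not part of the ATT&CK object or any vendor's detection content) runs two rules over constructed Sysmon-style event records: a signed executable loading an unsigned DLL from a user-writable directory, with an installer allowlist to absorb the false-positive source named above, and a ping-based execution delay chained into a payload launch from %TEMP%, the pattern recorded under T1678 and T1059.003 in the techniques table. The event shape, the field names `image_signed` and `loaded_signed`, the directory list and the allowlist are assumptions to adapt to your own telemetry; the file names PACLOUD.exe, pa_lang2.dll and FontEDL.exe are taken from this page.

```python
"""Two behaviour-chain detections for Mustang Panda-style tradecraft.
All event records below are constructed samples in a Sysmon-like shape, not real telemetry."""
import re
from pathlib import PureWindowsPath

# Directory prefixes a standard user can write to (constructed list; extend per estate).
USER_WRITABLE_PREFIXES = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")
# Per-user subtrees that are writable whatever the account name.
USER_WRITABLE_SUBTREES = ("downloads", r"appdata\local\temp", "desktop")
# Installer hosts that legitimately load DLLs beside themselves during setup
# (constructed allowlist; populate it from your own software inventory).
INSTALLER_ALLOWLIST = {"setup.exe", "msiexec.exe"}

# "ping <host> -n <count>" chained with "&&" into a quoted or unquoted .exe path.
PING_DELAY_RE = re.compile(
    r'ping(?:\.exe)?\s+\S+\s+-n\s+(?P<count>\d+)\s*&&\s*"?(?P<target>[^"&]+\.exe)"?',
    re.IGNORECASE,
)


def is_user_writable(path: str) -> bool:
    """True when the path sits under a directory a non-admin user can write to."""
    p = path.lower().replace("/", "\\")
    if p.startswith("%temp%") or p.startswith(USER_WRITABLE_PREFIXES):
        return True
    m = re.match(r"c:\\users\\[^\\]+\\(.+)", p)
    return bool(m and m.group(1).startswith(USER_WRITABLE_SUBTREES))


def detect_sideload(ev: dict):
    """ImageLoad: a signed host process loads an unsigned DLL from a user-writable directory."""
    if ev.get("type") != "ImageLoad":
        return None
    host = PureWindowsPath(ev["image"])
    dll = PureWindowsPath(ev["loaded"])
    if host.name.lower() in INSTALLER_ALLOWLIST:
        return None  # known installer behaviour: tune, do not alert
    if ev.get("image_signed") and not ev.get("loaded_signed") and is_user_writable(str(dll)):
        return {"rule": "dll_sideload_user_writable", "host": ev.get("host"),
                "detail": f"{host.name} loaded unsigned {dll.name} from {dll.parent}"}
    return None


def detect_ping_delay(ev: dict, min_count: int = 10):
    """ProcessCreate: a long ping loop used as a sleep, then a launch from a user-writable path."""
    if ev.get("type") != "ProcessCreate":
        return None
    m = PING_DELAY_RE.search(ev.get("cmdline", ""))
    if not m:
        return None
    count = int(m.group("count"))
    target = m.group("target").strip()
    if count >= min_count and is_user_writable(target):
        return {"rule": "ping_delay_exec", "host": ev.get("host"),
                "delay_count": count, "target": target}
    return None


def run_detections(events):
    """Apply every rule to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (detect_sideload, detect_ping_delay):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events: two malicious chains and three benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "host": "ws01", "image": r"C:\Users\Public\Documents\PACLOUD.exe",
     "image_signed": True, "loaded": r"C:\Users\Public\Documents\pa_lang2.dll", "loaded_signed": False},
    {"type": "ImageLoad", "host": "ws02", "image": r"C:\Program Files\Vendor\app.exe",
     "image_signed": True, "loaded": r"C:\Program Files\Vendor\helper.dll", "loaded_signed": True},
    {"type": "ImageLoad", "host": "ws03", "image": r"C:\Users\alice\Downloads\setup.exe",
     "image_signed": True, "loaded": r"C:\Users\alice\Downloads\ui.dll", "loaded_signed": False},
    {"type": "ProcessCreate", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping.exe 8.8.8.8 -n 70&&"%temp%\FontEDL.exe"'},
    {"type": "ProcessCreate", "host": "ws04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ping 10.0.0.1 -n 4"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Both rules fire on the constructed ws01 events and stay silent on the Program Files load, the allowlisted installer and the short connectivity check; in production, feed the two alerts into one case keyed on host so the side-load and the delayed launch are triaged together rather than as separate malware-name hits.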
Mitigation priorities
- Reduce phishing success first: strengthen secure email controls, attachment and archive handling, link inspection, user reporting, and rapid containment for suspected lure-driven compromise.
- Harden Windows execution paths: restrict execution from user-writable directories, monitor or control DLL side-loading opportunities, and enforce application control where operationally feasible.
- Protect identity: limit local administrator exposure, apply credential protection, monitor privileged account use, and ensure Active Directory query and authentication logs are retained for investigations.
- Improve endpoint resilience: ensure EDR coverage and tamper protection are enabled where supported, and verify alerts for security-tool disablement behavior such as that described for SplatCloak.
- Segment and monitor internal networks to limit proxying, lateral movement, and reconnaissance from a compromised workstation to sensitive systems.
Analyst notes and limits
This take is based on the supplied ATT&CK intrusion-set fields, external references, and relationships. The relationship set is rich and points to a Windows-heavy tooling ecosystem, phishing-led delivery, PlugX-related operations, credential and directory tooling, RATs/backdoors, web shell access, side-loading, keyloggers, removable-drive propagation, and proxy capability. For Glexia services, the practical use is to drive threat-informed validation: confirm whether controls and telemetry can reconstruct a full intrusion narrative, not merely alert on malware names.
ATT&CK provides no official detection guidance, no group-level platforms, and no group-level tactics for this object. Related software descriptions provide platform and behavior context, but local risk depends on geography, sector, exposed web infrastructure, email patterns, endpoint coverage, identity architecture, and retained telemetry. This summary does not assert current activity, customer targeting, guaranteed detection, or confirmed exposure beyond the supplied ATT&CK content.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Mustang Panda has used |
| Enterprise | T1608.001 | Upload Malware | Mustang Panda has hosted malicious payloads on Dropbox, including PlugX.[16] |
| Enterprise | T1583.006 | Web Services | Mustang Panda has set up Dropbox and Google Drive to host malicious downloads.[17] |
| Enterprise | T1047 | Windows Management Instrumentation | Mustang Panda has executed PowerShell scripts via WMI.[3][5] |
| Enterprise | T1573.001 | Symmetric Cryptography | Mustang Panda has encrypted C2 communications with RC4.[2][18] Mustang Panda has also leveraged encryption and compression algorithms to obfuscate the traffic between the system and the C2 server; methods observed included RC4, AES, XOR with 0x5a, and LZO.[19] |
| Enterprise | T1593 | Search Open Websites/Domains | Mustang Panda has used open-source research to identify information about victims to use in targeting, including creating weaponized phishing lures and attachments.[20][21] |
| Enterprise | T1204.001 | Malicious Link | Mustang Panda has sent malicious links, including links directing victims to a Google Drive folder.[20][21][9][17][16](Citation: McAfee Dianxun March 2021) Mustang Panda has also utilized webpages with JavaScript code that downloads malicious payloads to the victim device.[15] |
| Enterprise | T1046 | Network Service Discovery | Mustang Panda has leveraged NBTscan to scan IP networks.[22] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Mustang Panda has the ability to decrypt its payload prior to execution.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)[7][10][12] Mustang Panda has also utilized RC4 encryption for malicious payloads.[15][19] |
| Enterprise | T1049 | System Network Connections Discovery | Mustang Panda has used |
| Enterprise | T1059.005 | Visual Basic | Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[3][5][9] Mustang Panda has also used VBA macros in maldocs to execute malicious DLLs.[4] Mustang Panda also utilized a VBS script, “autorun.vbs”, that created persistence by saving itself in the startup directory, causing it to run each time the machine was turned on.[22] |
| Enterprise | T1219.001 | IDE Tunneling | Mustang Panda has utilized an established GitHub account to create a tunnel within the victim environment using Visual Studio Code through the `code.exe tunnel` command.[14] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | Mustang Panda has also exfiltrated archived files to cloud services such as Dropbox using `curl`.[22][14] |
| Enterprise | T1053.005 | Scheduled Task | Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[3][4][5](Citation: McAfee Dianxun March 2021) Mustang Panda has also created a scheduled task that creates a reverse shell.[14] |
| Enterprise | T1087.002 | Domain Account | Mustang Panda has utilized AdFind to identify domain users.[22] |
| Enterprise | T1598.003 | Spearphishing Link | Mustang Panda has delivered web bugs to profile their intended targets.[16] |
| Enterprise | T1678 | Delay Execution | Mustang Panda has delayed the execution of payloads leveraging ping echo requests `cmd /c ping 8.8.8.8 -n 70&&"%temp%\ |
| Enterprise | T1564.001 | Hidden Files and Directories | Mustang Panda's PlugX variant has created a hidden folder on USB drives named |
| Enterprise | T1218.005 | Mshta | Mustang Panda has used mshta.exe to launch collection scripts.[5] |
| Enterprise | T1027.007 | Dynamic API Resolution | Mustang Panda has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.[2] |
| Enterprise | T1585.002 | Email Accounts | Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[16] Mustang Panda has also created fake Google accounts to distribute malware via spear-phishing emails.[17] Mustang Panda has also created accounts for spearphishing operations, including the use of services such as Proton Mail.[20][21] |
| Enterprise | T1219.002 | Remote Desktop Software | Mustang Panda has installed TeamViewer on targeted systems.[5] |
| Enterprise | T1003 | OS Credential Dumping | Mustang Panda utilized “Hdump” to dump credentials from memory.[22] |
| Enterprise | T1003.006 | DCSync | Mustang Panda has leveraged Mimikatz's DCSync feature to obtain user credentials.[22] |
| Enterprise | T1218.004 | InstallUtil | Mustang Panda has used |
| Enterprise | T1586.002 | Email Accounts | Mustang Panda has compromised legitimate email accounts to use in their spear-phishing operations.[17] |
| Enterprise | T1560.001 | Archive via Utility | Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[5](Citation: Avira Mustang Panda January 2020) Mustang Panda has used WinRAR “Rar.exe” to archive stolen files before exfiltration.[14] Mustang Panda has also used TONESHELL and post-exploitation tools such as RemCom and Impacket to execute WinRAR `rar.exe` to archive files for exfiltration.[22] |
| Enterprise | T1070 | Indicator Removal | Mustang Panda has deleted registry keys that store data and maintained persistence.[2] |
| Enterprise | T1071.001 | Web Protocols | Mustang Panda has communicated with its C2 via HTTP POST requests.[3][5][18][19](Citation: McAfee Dianxun March 2021) |
| Enterprise | T1018 | Remote System Discovery | Mustang Panda has queried Active Directory for computers using AdFind.[22] Mustang Panda has also utilized SharpNBTScan to scan the victim environment.[14] |
| Enterprise | T1069.002 | Domain Groups | Mustang Panda has leveraged AdFind to enumerate domain groups.[22] |
| Enterprise | T1001.003 | Protocol or Service Impersonation | Mustang Panda has utilized TLS record headers in network packets to impersonate various versions of the TLS protocol to blend in with legitimate network traffic. Mustang Panda has used FakeTLS to communicate with its C2 servers.[13] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Mustang Panda has used FTP to exfiltrate archive files.[22] |
| Enterprise | T1566.002 | Spearphishing Link | Mustang Panda has delivered malicious links to their intended targets.[20][21](Citation: McAfee Dianxun March 2021) Mustang Panda has distributed spear-phishing emails with embedded links that direct the victim to a malicious archive hosted on Google or Dropbox.[17] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Mustang Panda has exfiltrated stolen data and files to its C2 server.[4][7][11] |
| Enterprise | T1072 | Software Deployment Tools | Mustang Panda has leveraged legitimate software tools such as antivirus agents, security services, and app development tools to execute scripts and to side-load DLLs.[22][24] |
| Enterprise | T1557 | Adversary-in-the-Middle | Mustang Panda leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload.[15] |
| Enterprise | T1505.003 | Web Shell | Mustang Panda has used China Chopper web shells to maintain access to victims’ environments.[22] |
| Enterprise | T1176.002 | IDE Extensions | Mustang Panda has leveraged Visual Studio Code’s (VSCode) embedded reverse shell feature using the command `code.exe tunnel` to execute code and deliver additional payloads.[14] |
| Enterprise | T1588.003 | Code Signing Certificates | Mustang Panda has used revoked code signing certificates for its malicious payloads.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025) |
| Enterprise | T1091 | Replication Through Removable Media | Mustang Panda has used a customized PlugX variant which could spread through USB connections.(Citation: Avira Mustang Panda January 2020) |
| Enterprise | T1059.003 | Windows Command Shell | Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[3](Citation: Avira Mustang Panda January 2020) Mustang Panda has also utilized cmd.exe to execute commands on an infected host such as `cmd.exe /c ping.exe 8.8.8.8 -n 70&&"%temp%\FontEDL.exe"`.[4] |
| Enterprise | T1052.001 | Exfiltration over USB | Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.(Citation: Avira Mustang Panda January 2020) |
| Enterprise | T1003.001 | LSASS Memory | Mustang Panda has harvested credentials from the memory of lsass.exe with Mimikatz.[22] |
| Enterprise | T1588.002 | Tool | Mustang Panda has obtained and leveraged publicly available tools for intrusion activities.[4][22] |
| Enterprise | T1588.004 | Digital Certificates | Mustang Panda has obtained SSL certificates for their C2 domains.[7][15] |
| Enterprise | T1560.003 | Archive via Custom Method | Mustang Panda has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2020) |
| Enterprise | T1070.004 | File Deletion | Mustang Panda will delete their tools and files, and kill processes, after their objectives are reached.[5](Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025) |
| Enterprise | T1129 | Shared Modules | Mustang Panda has leveraged `LoadLibrary` to load DLLs.[2] |
| Enterprise | T1057 | Process Discovery | Mustang Panda has used |
| Enterprise | T1082 | System Information Discovery | Mustang Panda has gathered system information using |
| Enterprise | T1095 | Non-Application Layer Protocol | Mustang Panda has utilized TCP-based reverse shells using cmd.exe.[4] |
| Enterprise | T1203 | Exploitation for Client Execution | Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[9] |
| Enterprise | T1574.005 | Executable Installer File Permissions Weakness | Mustang Panda has leveraged legitimate software installer executables such as Setup Factory “IRSetup.exe” to drop and execute their payload.[24] |
| Enterprise | T1608 | Stage Capabilities | Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.[16] |
| Enterprise | T1622 | Debugger Evasion | Mustang Panda has embedded debug strings with messages to distract analysts.[17] Mustang Panda has also made calls to the Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger.[12] |
| Enterprise | T1566.001 | Spearphishing Attachment | Mustang Panda has used spearphishing attachments to deliver initial access payloads.[4][23](Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)[20][21](Citation: Google TAG Ukraine Threat Landscape March 2022)[18][26][27] Mustang Panda has also delivered archive files such as RAR and ZIP files containing legitimate EXEs and malicious DLLs.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)[20][21] |
| Enterprise | T1654 | Log Enumeration | Mustang Panda has used Wevtutil to gather Windows Security Event Logs.[22] |
| Enterprise | T1083 | File and Directory Discovery | Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.(Citation: Avira Mustang Panda January 2020)[22] |
| Enterprise | T1518 | Software Discovery | Mustang Panda has searched the victim system for the |
| Enterprise | T1583.001 | Domains | |
| Enterprise | T1574.001 | DLL | Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][3][4][28][7][18][22][24][17][27][19][11](Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)[13] Mustang Panda has abused legitimate executables to side-load malicious DLLs.[23](Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)[20][21][15] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[5] |
| Enterprise | T1106 | Native API | |
| Enterprise | T1003.003 | NTDS | Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used |
Groups, software, and campaigns
S1237: CANONSTAGER
CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed utilized in 2025. Mustang Panda utilizes DLL side-loading to execute within the victim environment prior to delivering a follow-on malicious encrypted payload. CANONSTAGER leverages Thread Local Storage (TLS) and Native Windows APIs within the victim environment to elude detections. CANONSTAGER also hides its code utilizing window procedures and message queues.[1]
S1238: STATICPLUGIN
STATICPLUGIN is a downloader known to be leveraged by Mustang Panda and was first observed in 2025. STATICPLUGIN has utilized a valid certificate in order to bypass endpoint security protections. STATICPLUGIN masqueraded as a legitimate software installer by using a custom TForm. STATICPLUGIN has been leveraged to deploy a loader that facilitates follow-on malware.[1]
S0596: ShadowPad
S1239: TONESHELL
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S1230: HIUPAN
HIUPAN (aka U2DiskWatch) is a worm that propagates through removable drives; it is known to be leveraged by Mustang Panda and was first observed in 2024.[1][2]
S0357: Impacket
S1234: SplatCloak
SplatCloak is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to aid in evading detection. SplatCloak has been deployed by SplatDropper and is known to be leveraged by Mustang Panda since 2025.[1]
S1233: PAKLOG
PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. PAKLOG is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious PAKLOG DLL (pa_lang2.dll). The PACLOUD.exe binary is used to side-load the PAKLOG DLL which starts with the keylogger functionality.[1]
S0645: Wevtutil
S0552: AdFind
S1236: CLAIMLOADER
CLAIMLOADER is a malware variant that frequently accompanies legitimate executables used for DLL side-loading; it is known to be leveraged by Mustang Panda and was first observed in 2021.[1][2]
C0047: RedDelta Modified PlugX Infection Chain Operations
RedDelta Modified PlugX Infection Chain Operations was executed by Mustang Panda from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia. RedDelta Modified PlugX Infection Chain Operations involved phishing to deliver malicious files or links to users prompting follow-on installer downloads to load PlugX on victim machines in a persistent state.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | a7e7c14cde33… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] BlackBerry MUSTANG PANDA October 2022: The BlackBerry Research and Intelligence Team. (2022, October 6). Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims. Retrieved October 14, 2025.
[2] Eset PlugX Korplug Mustang Panda March 2022: Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
[3] Anomali MUSTANG PANDA October 2019: Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
[4] Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022: Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025.
[5] Secureworks BRONZE PRESIDENT December 2019: Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
[6] DOJ Affidavit Search and Seizure PlugX December 2024: DOJ. (2024, December 20). Mag. No. 24-mj-1387 AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A NINTH SEARCH AND SEIZURE WARRANT - IN THE MATTER OF THE SEARCH AND SEIZURE OF COMPUTERS IN THE UNITED STATES INFECTED WITH PLUGX MALWARE. Retrieved September 9, 2025.
[7] EclecticIQ Mustang Panda PlugX: EclecticIQ Threat Research Team. (2023, February 2). Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware. Retrieved September 9, 2025.
[8] ATTACKIQ MUSTANG PANDA TONESHELL March 2023: Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025.
[9] Crowdstrike MUSTANG PANDA June 2018: Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
[10] Palo Alto Networks, Unit 42: Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.
[11] Sophos PlugX September 2022: Secureworks Counter Threat Unit Research Team. (2022, April 27). BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX. Retrieved September 9, 2025.
[12] Sophos Mustang Panda PLUGX: Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025.
[13] Zscaler: Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025.
[14] Unit42 Chinese VSCode 06 September 2024: Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.
[15] Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025: Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.
[16] Proofpoint TA416 Europe March 2022: Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
[17] 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload: Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
[18] Recorded Future REDDELTA July 2020: Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
[19] Unit42 Bookworm Nov2015: Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025.
[20] IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025: Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
[21] 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA: Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
[22] Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023: Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
[23] CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024: CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025.
[24] Trend Micro Mustang Panda Earth Preta Toneshell February 2025: Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025.
[25] Trend Micro Mustang Panda Earth Preta TONESHELL June 2023: Sunny Lu, Vickie Su, Nick Dai. (2023, June 14). Behind the Scenes: Unveiling the Hidden Workings of Earth Preta. Retrieved September 10, 2025.
[26] Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024: Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
[27] Proofpoint TA416 November 2020: Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
[28] Broadcom: Broadcom Protection Bulletins. (2025, February 20). Bookworm malware linked to Fireant (aka Stately Tarurus) activity observed in Southeast Asia. Retrieved July 21, 2025.
[29] BRONZE PRESIDENT: (Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)
[30] CAMARO DRAGON: (Citation: HorseShell)
[31] Cloudflare 2026 Threat Report New Threat Actors March 2026: Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.
[32] ClumsyToad: (Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)
[33] EARTH PRETA: (Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: Trend Micro Mustang Panda Earth Preta TONESHELL June 2023)
[34] FIREANT: (Citation: Broadcom)
[35] HIVE0154: (Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)
[36] HorseShell: Cohen, Itay. Madej, Radoslaw. Threat Intelligence Team. (2023, May 16). THE DRAGON WHO SOLD HIS CAMARO: ANALYZING CUSTOM ROUTER IMPLANT. Retrieved December 26, 2023.
[37] LUMINOUS MOTH: (Citation: Microsoft Naming Conventions Frequently Updated)
[38] Microsoft Naming Conventions Frequently Updated: Microsoft. (2025, September 8). How Microsoft names threat actors. Retrieved September 10, 2025.
[39] Mustang Panda: (Citation: Crowdstrike MUSTANG PANDA June 2018)
[40] PWC UK MUSTANG PANDA RED LICH February 2021: PWC UK. (2021, February 28). Cyber Threats 2020: A Year in Retrospect. Retrieved October 15, 2025.
[41] Red Lich: (Citation: PWC UK MUSTANG PANDA RED LICH February 2021)
[42] RedDelta: (Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 Europe March 2022)
[43] STATELY TAURUS: (Citation: Palo Alto Networks, Unit 42)(Citation: Unit42 Bookworm Nov2015)(Citation: Unit42 Chinese VSCode 06 September 2024)(Citation: Broadcom)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)
[44] TA416: (Citation: Proofpoint TA416 November 2020)
[45] TANTALUM: (Citation: Microsoft Naming Conventions Frequently Updated)
[46] TEMP.Hex: (Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)
[47] TWILL TYPHOON: (Citation: Microsoft Naming Conventions Frequently Updated)
[48] UNC6384: (Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)
[49] mitre-attack G0129
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.