Mustang Panda

Active

Also known as: Mustang Panda, TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich

🇨🇳

China

Active Since

2021

MITRE ID

G0129

Techniques

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. (Citation: BlackBerry MUSTANG PANDA October 2022)(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler)

MITRE ATT&CK Techniques

Recon2

T1593Search Open Websites/Domains

T1598.003Spearphishing Link

Resource10

T1588.003Code Signing Certificates

T1588.004Digital Certificates

T1583.001Domains

T1586.002Email Accounts

T1585.002Email Accounts

T1587.001Malware

T1608Stage Capabilities

T1588.002Tool

+2 more

Initial2

T1566.001Spearphishing Attachment

T1566.002Spearphishing Link

Exec13

T1059Command and Scripting Interpreter

T1203Exploitation for Client Execution

T1059.007JavaScript

T1204.002Malicious File

T1204.001Malicious Link

T1106Native API

T1059.001PowerShell

T1053.005Scheduled Task

+5 more

Persist5

T1574.001DLL

T1574.005Executable Installer File Permissions Weakness

T1176.002IDE Extensions

T1547.001Registry Run Keys / Startup Folder

T1505.003Web Shell

PrivEsc1

T1546.003Windows Management Instrumentation Event Subscription

Defense18

T1553.002Code Signing

T1622Debugger Evasion

T1678Delay Execution

T1140Deobfuscate/Decode Files or Information

T1036.007Double File Extension

T1027.007Dynamic API Resolution

T1070.004File Deletion

T1564.001Hidden Files and Directories

+10 more

Creds5

T1557Adversary-in-the-Middle

T1003.006DCSync

T1003.001LSASS Memory

T1003.003NTDS

T1003OS Credential Dumping

Discovery11

T1087.002Domain Account

T1069.002Domain Groups

T1083File and Directory Discovery

T1654Log Enumeration

T1046Network Service Discovery

T1057Process Discovery

T1018Remote System Discovery

T1518Software Discovery

+3 more

Lateral1

T1091Replication Through Removable Media

Collect4

T1560.003Archive via Custom Method

T1560.001Archive via Utility

T1119Automated Collection

T1074.001Local Data Staging

C29

T1219.001IDE Tunneling

T1105Ingress Tool Transfer

T1095Non-Application Layer Protocol

T1001.003Protocol or Service Impersonation

T1572Protocol Tunneling

T1219.002Remote Desktop Software

T1573.001Symmetric Cryptography

T1071.001Web Protocols

+1 more

Exfil4

T1041Exfiltration Over C2 Channel

T1048.003Exfiltration Over Unencrypted Non-C2 Protocol

T1052.001Exfiltration over USB

T1567.002Exfiltration to Cloud Storage

Impact0

Known Victims

live · just now

No victims recorded in ransomware.live for this group.