Mustang Panda

mustang-panda · primary source: MITRE · first observed 2013

CN · ChinaState-sponsoredModerate confidencelast cited Nov 17, 2022 · 4y ago

PRC state-aligned intrusion set focused on espionage against European government and NGO targets, Southeast Asian government and military targets (especially around the South China Sea), Mongolia, Taiwan, and Tibetan and Uyghur diaspora communities. Heavy use of trojanized RAR/PlugX-laden archives as the primary first-stage delivery.

Aliases

Bronze PresidentOtherHoneyMyteOtherEarth PretaOtherRedDeltaOtherTWILL TYPHOONMicrosoft

Motivations

espionage

Target sectors

governmentngodefensediplomaticdissidents

Target countries

MMVNMNPHTHKHTWDEGBBE

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

Mustang Panda
China
espionage

Capability

Infrastructure

45.142.166.112

Victim

government
ngo
defense
MM
VN
+1 more

MITRE ATT&CK techniques

T1566.001 T1059.001 T1547.001 T1071.001

Tools & malware

2 entries

Timeline

1 event

ReportHigh2022-11-18·Trend Micro
Earth Preta spear-phishes Asia-Pacific governments at scale
Trend Micro documented Earth Preta (Mustang Panda) running a broad spear-phishing campaign against Asia-Pacific government and academic targets, delivering trojanised archives that side-loaded the TONEINS, TONESHELL, and PUBLOAD malware families on victims of interest.
spear-phishingchinaplugx

Indicators of compromise

3 indicators

defangedcsv

Type	Value	First seen	Source
IPv4	45[.]142[.]166[.]112 family · PlugX PlugX USB-worm command-and-control IP attributed to Mustang Panda. Sinkholed by Sekoia in September 2023 (the address had lapsed and was re-registered for USD 7). This is the same C2 the FBI/DOJ used for the court-authorized self-delete operation that cleaned ~4,258 U.S. hosts (announced Jan 2025).	Aug 31, 2023	Sekoia.io
SHA-256	e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d family · PlugX SHA-256 of the malicious `wsc.dll` PlugX loader from the border-hopping USB-worm variant attributed by Sophos X-Ops to PKPLUG / Mustang Panda. Listed in the IOC table of the March 2023 Sophos News disclosure and re-confirmed by Sekoia's September 2023 sinkholing report.	Mar 8, 2023	Sophos X-Ops
SHA-256	85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654 family · PlugX SHA-256 of `AvastSvc.exe`, the legitimate Avast binary abused for DLL side-loading by the Mustang Panda PlugX USB worm. Listed alongside the malicious DLL in the Sophos IOC table; drops the side-load triad into `%userprofile%/AvastSvcpCP/`.	Mar 8, 2023	Sophos X-Ops

Related actors

shared ATT&CK techniques

RU · RussiaGamaredon4 shared techniques
CN · ChinaNaikon4 shared techniques
IR · IranAPT393 shared techniques
KP · DPRKLazarus Group3 shared techniques
KP · DPRKAPT372 shared techniques
- T1071.001
- T1566.001
CN · ChinaAPT412 shared techniques
- T1059.001
- T1071.001

References

G0129 — Mustang Panda
MITRE ATT&CK

cite this page

Threat Intel Tracker. (2026-05-19). Mustang Panda — actor profile. Retrieved from https://threatintel.local/actors/mustang-panda

latest cited activity · 2022-11-18 · 3 cataloged indicators