EspionageChina🇨🇳 CN46 malware familiesExploits CVEs in the wild

Mustang Panda

Also known asAgonizing SerpensAgriusAMERICIUMBlackShadowBRONZE PRESIDENTCamaro Dragoncobalt_shadowDeadwoodEarth PretaFireantHIVE0154honeymyteJustice Bladeluminous_mothluminousmothmustang_pandamustangpandaPink SandstormRed Lichred_deltareddeltaSharpBoysSPECTRAL KITTENStately TaurusTA416TantalumTEMP.HexTwill TyphoonUNC6384

Mustang Panda is a Chinese espionage threat actor. The provided content links the group to Chinese interests and notes overlap with TA416 and RedDelta; aliases in the source also include Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, LuminousMoth, Red Lich, Stately Taurus, Tantalum, Temp.Hex, Twill Typhoon, and UNC6384. The content also references a reported link between the RA Group/RA World ransomware operation and Mustang Panda. In the provided material, Mustang Panda is notably associated with PlugX. Researchers have largely attributed PlugX compromises to espionage operators tied to Chinese interests, especially Mustang Panda, though the content notes speculation that PlugX source code may have circulated more broadly. A Mustang Panda PlugX variant created a hidden RECYCLE.BIN folder on USB drives to store malicious executables and collected data. The group is also described as hosting malicious payloads on Dropbox, including PlugX. Observed tradecraft in the source includes PowerShell execution; command and scripting interpreter use; sending malicious files that require direct victim interaction to execute; use of custom batch scripts to automatically collect files from targeted systems; and use of hidden storage on removable media. The content also associates Mustang Panda with Cisco IOS XE Guestshell enablement and destruction activity in a Splunk analytic annotation. Related activity attributed to the overlapping alias LuminousMoth in the provided content includes use of HTTP for command and control, hosting payloads on Dropbox, scanning for files in Documents, Desktop, Downloads, and other drives, collecting usernames via a malicious DLL, storing malicious binaries in hidden directories on victims' USB drives, obtaining malware such as Cobalt Strike, and splitting archived files into multiple parts to bypass a 5 MB limit.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇩🇪 Germany
🇮🇹 Italy
🇫🇷 France
🇪🇸 Spain
🇬🇧 United Kingdom

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

58 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics86 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1598

Phishing for Information

TA0042

Resource Development

3 techniques

T1584

Compromise Infrastructure

T1584.006

Web Services

T1587

Develop Capabilities

T1587.001

Malware

T1588

Obtain Capabilities

T1588.001

Malware

TA0001

Initial Access

5 techniques

T1078×2

Valid Accounts

T1091×2

Replication Through Removable Media

T1133

External Remote Services

T1190×3

Exploit Public-Facing Application

T1566×2

Phishing

T1566.001

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

4 techniques

T1059

Command and Scripting Interpreter

T1059.001×2

PowerShell

T1059.003×3

Windows Command Shell

T1129

Shared Modules

T1204

User Execution

T1204.002×2

Malicious File

T1574

Hijack Execution Flow

T1574.001×3

DLL

TA0003

Persistence

5 techniques

T1078×2

Valid Accounts

T1133

External Remote Services

T1505

Server Software Component

T1505.003

Web Shell

T1543

Create or Modify System Process

T1543.003×3

Windows Service

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

T1547.009

Shortcut Modification

TA0004

Privilege Escalation

4 techniques

T1055

Process Injection

T1078×2

Valid Accounts

T1543

Create or Modify System Process

T1543.003×3

Windows Service

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

T1547.009

Shortcut Modification

TA0005

Stealth

10 techniques

T1027×3

Obfuscated Files or Information

T1027.007

Dynamic API Resolution

T1027.009

Embedded Payloads

T1036×4

Masquerading

T1055

Process Injection

T1070

Indicator Removal

T1070.004

File Deletion

T1078×2

Valid Accounts

T1140×5

Deobfuscate/Decode Files or Information

T1497×2

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1564

Hide Artifacts

T1564.001×2

Hidden Files and Directories

T1574

Hijack Execution Flow

T1574.001×3

DLL

T1620×3

Reflective Code Loading

TA0006

Credential Access

2 techniques

T1003

OS Credential Dumping

T1056

Input Capture

T1056.001

Keylogging

TA0007

Discovery

7 techniques

T1016

System Network Configuration Discovery

T1018

Remote System Discovery

T1033

System Owner/User Discovery

T1082×2

System Information Discovery

T1083×2

File and Directory Discovery

T1087

Account Discovery

T1497×2

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0008

Lateral Movement

2 techniques

T1021

Remote Services

T1021.001

Remote Desktop Protocol

T1091×2

Replication Through Removable Media

TA0009

Collection

7 techniques

T1005×2

Data from Local System

T1056

Input Capture

T1056.001

Keylogging

T1074

Data Staged

T1113

Screen Capture

T1119

Automated Collection

T1213

Data from Information Repositories

T1213.002

Sharepoint

T1560×2

Archive Collected Data

T1560.001

Archive via Utility

TA0011

Command and Control

3 techniques

T1071×4

Application Layer Protocol

T1071.001×4

Web Protocols

T1105×2

Ingress Tool Transfer

T1219×2

Remote Access Tools

TA0010

Exfiltration

2 techniques

T1030

Data Transfer Size Limits

T1041×3

Exfiltration Over C2 Channel

TA0040

Impact

2 techniques

T1485

Data Destruction

T1486×2

Data Encrypted for Impact

ARSENAL

Associated malware families

46 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

PlugXSymantec confirmed that RA World was used by China-based threat actors in attacks targeting software and services companies, and the link between the two groups was revealed when analysis showed that the PlugX used in the attacks had the same timestamp as that previously used by Mustang Panda.25Jun 25, 2026

Cobalt StrikeFor C0015, the threat actors used Cobalt Strike and Conti ransomware.5Jun 14, 2026

LOTUSLITEThis investigation examines the intersection of two active threat campaigns: (1) the LOTUSLITE backdoor attributed to Mustang Panda (Chinese APT)... LOTUSLITE Campaign (Mustang Panda) ... DLL sideloading: KuGou player loads kugou.dll (LOTUSLITE).5Apr 25, 2026

PUBLOADThe earlier Stately Taurus attacks delivered the PubLoad malware and used the DLL sideloading technique to execute the malware... This malicious payload is a variant of PubLoad, which is stager malware that communicates with its command and control (C2) server to obtain a second shellcode-based payload.5Jun 14, 2026

TONESHELLWhile analyzing the Bookworm samples, we found a variant of the ToneShell backdoor... The close proximity in compile times and the shared debug path between the two samples suggests that the same developer could have created samples of the two malware families... It’s believed that only Stately Taurus uses ToneShell.5Jun 14, 2026

41 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

15 CVEs this actor has used in observed campaigns. 15 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence9

Microsoft has been aware of the flaw, tracked as CVE-2025-9491, at least since September 2024, when the Zero Day Initiative identified it as ZDI-25-148 and ZDI-CAN-25373 and notified Redmond. The vulnerability exists in how Windows processes .lnk files, which are desktop icons acting as a shortcut to another file or application.

CVE-2017-0199Microsoft Office/WordPad Remote Code Execution VulnerabilityIn the wildEvidence3

...used exploits for... Word (CVE-2017-0199)...

CVE-2018-13379Fortinet FortiOS SSL VPN Path TraversalIn the wildEvidence2

Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices... APT29 has exploited ... CVE-2018-13379 for FortiGate VPNs... Dragonfly ... exploited ... CVE-2018-13379 for Fortinet VPNs... Magic Hound ... exploited ... Fortios SSL VPNs (CVE-2018-13379). Play ... including CVE-2018-13379 ... in FortiOS.

CVE-2021-1675PrintNightmare / Windows Print Spooler RCE in CVE-2021-1675 contextIn the wildEvidence1

Details on Exploited Vulnerabilities ... CVE-2021-1675 Microsoft Windows ... YARA Rules ... reference = “... PrintNightmare and MSHTML exploits” ... $cve1 = “CVE-2021-1675”

CVE-2021-31207Post-auth Arbitrary File Write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

10 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

677 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

677 IOCsView more in app

hash.sha256

353 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+345

Domains

171 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+163

ip.v4

54 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+46

uri

43 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+35

hash.md5

38 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+30

hash.sha1

18 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+10

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

lab52 blogNews

Jun 17, 2026

From China with tenderness

Referenced as one of the Chinese cyber threat groups used by researchers to label MSS-linked activity targeting Europe.

splunk researchNews

Jun 14, 2026

Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

gurucul threat researchNews

Jun 10, 2026

Mustang Panda x PlugX - Analysis of the January 2026 Sample: A Multi-Layer Execution Chain | Community Portal | Gurucul

Conducting a multi-stage malware campaign delivering PlugX RAT, using layered execution and evasion techniques, and targeting government and diplomatic entities.

acronisNews

Jun 10, 2026

Behind Khmer Shadow: Targeted espionage against Cambodian government entities

Referenced as a group previously observed using vmtools.dll as a sideloading target.

+196 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping58

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal46

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs15

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables677

Domains, IPs, and hashes tied to this actor, refreshed continuously.