
Mustang Panda, Bronze President

MITRE

Alias

Basin, HoneyMyte, Bronze President, TEMP.Hex, Mustang Panda, Earth Preta, Red Lich

Country

China

Sponsor

China, state-sponsored

Motivation

Information Theft And Espionage

First Seen

2012

Description

(CrowdStrike) In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.

Recently, Falcon Intelligence observed new activity from Mustang Panda, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, Mustang Panda actors reused previously-observed legitimate domains to host files.

Also see RedDelta.

Targeted Industries

Government, Education, Telecommunications, NGOs, Civil Society, Aviation, Think Tanks

Targeted Countries

Hong Kong, Myanmar, Vietnam, Pakistan, UN, Cyprus, Philippines, China, Bulgaria, Russia, Germany, Greece, Taiwan, USA, Nepal, UK, United States, Japan, Bangladesh, India, South Sudan, Belgium, Australia, Mongolia, Thailand, Ethiopia, South Africa, Singapore, South Korea, Indonesia

Tools

PUBLOAD
Poison Ivy
Nmap
PVE Find AD Users
TONESHELL
TeamViewer
PowerView
RCSession
PlugX
Cobalt Strike
China Chopper
MQsTTang
NetView
ORat
AdFind
NetSess
wmiexec
NBTscan
Hodur
TONEINS

TTP

Nil

Operations Performed

[2014] Secureworks Counter Threat Unit (CTU) researchers have observed Bronze President activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014. (https://www.secureworks.com/research/bronze-president-targets-ngos)

[2019-08] In mid-August 2019, the Anomali Threat Research Team discovered suspicious ".lnk" files during routine intelligence collection. While the distribution method of these documents cannot be confirmed at this time, it is likely that spearphishing is being utilized because it aligns with Mustang Panda's TTPs, and it is a common tactic used amongst APT actors. (https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#when:17:14:00z)

[2020-01] Avira's Advanced Threat Research team discovered a new version of PlugX from the Mustang Panda APT that is used to spy on some targets in Hong Kong and Vietnam. The way that the APT actor infects the target and launches the malicious payload is similar to previous versions, but with some differences. (https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/)

[2020-03] Vietnamese cyber-security firm VinCSS detected a Chinese state-sponsored hacking group (codenamed Mustang Panda) spreading emails with a RAR file attachment purporting to carry a message about the coronavirus outbreak from the Vietnamese Prime Minister. (https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-covid-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-nguyen-xuan-phuc.html)

[2020-03] ATR identified that the Higaisa and Mustang Panda advanced persistent threat (APT) groups have been utilizing coronavirus-themed lures in their campaigns. (https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication#when:14:00:00z)

[2021-03] Indonesian intelligence agency compromised in suspected Chinese hack (https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/)

[2021-08] Mustang Panda's Hodur: Old tricks, new Korplug variant (https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/)

[2022-02] Mustang Panda or TEMP.Hex, a China-based threat actor, targeted European entities with lures related to the Ukrainian invasion. (https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/)

[2022-02] Mustang Panda deploys a new wave of malware targeting Europe (https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html)

[2022-02] Mustang Panda uses the Russian-Ukrainian war to attack Europe and Asia Pacific targets (https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets)

[2022-03] Bronze President targets Russian speakers with updated PlugX (https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx)

[2022-03] Earth Preta spear-phishing governments worldwide (https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html)

[2022-06] Bronze President targets government officials (https://www.secureworks.com/blog/bronze-president-targets-government-officials)

[2022] Earth Preta's cyberespionage campaign hits over 200 (https://www.trendmicro.com/en_us/research/23/c/earth-preta-cyberespionage-campaign-hits-over-200.html)

[2022-10] Pack it secretly: Earth Preta's updated stealthy strategies (https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html)

[2023-01] MQsTTang: Mustang Panda's latest backdoor treads new ground with Qt and MQTT (https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/)

Counter Operations

Nil

Information
