Mustang Panda
Also known as: TA416 · RedDelta · BRONZE PRESIDENT · STATELY TAURUS · FIREANT · CAMARO DRAGON · EARTH PRETA · HIVE0154 · TWILL TYPHOON · TANTALUM · LUMINOUS MOTH · UNC6384 · TEMP.Hex · Red Lich · ClumsyToad
Overview
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. The group is known for delivering malicious payloads through tailored phishing lures and decoy documents. It has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.
Targets
Civil society
Regions
Germany · United States
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
- Custom malware/implant development — ATT&CK: 18 attributed custom malware families
TTPs — 85 techniques across 14 tactics
Reconnaissance
- T1593 Search Open Websites/Domains
- T1598.003 Spearphishing Link
Resource Development
- T1583.001 Domains
- T1583.006 Web Services
- T1585.002 Email Accounts
- T1586.002 Email Accounts
- T1587.001 Malware
- T1588.002 Tool
- T1588.003 Code Signing Certificates
- T1588.004 Digital Certificates
- T1608 Stage Capabilities
- T1608.001 Upload Malware
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.007 JavaScript
- T1072 Software Deployment Tools
- T1106 Native API
- T1129 Shared Modules
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
Persistence
- T1176.002 IDE Extensions
- T1505.003 Web Shell
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
Stealth
- T1027 Obfuscated Files or Information
- T1027.007 Dynamic API Resolution
- T1027.012 LNK Icon Smuggling
- T1027.016 Junk Code Insertion
- T1036.005 Match Legitimate Resource Name or Location
- T1036.007 Double File Extension
- T1036.008 Masquerade File Type
- T1070 Indicator Removal
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1140 Deobfuscate/Decode Files or Information
- T1205 Traffic Signaling
- T1218.004 InstallUtil
- T1218.005 Mshta
- T1564.001 Hidden Files and Directories
- T1574.001 DLL
- T1574.005 Executable Installer File Permissions Weakness
- T1622 Debugger Evasion
- T1678 Delay Execution
Defense Impairment
- T1553.002 Code Signing
Credential Access
- T1003 OS Credential Dumping
- T1003.001 LSASS Memory
- T1003.003 NTDS
- T1003.006 DCSync
- T1557 Adversary-in-the-Middle
Discovery
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1069.002 Domain Groups
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.002 Domain Account
- T1518 Software Discovery
- T1654 Log Enumeration
Lateral Movement
Collection
- T1074.001 Local Data Staging
- T1119 Automated Collection
- T1560.001 Archive via Utility
- T1560.003 Archive via Custom Method
Command and Control
- T1001.003 Protocol or Service Impersonation
- T1071.001 Web Protocols
- T1095 Non-Application Layer Protocol
- T1102 Web Service
- T1105 Ingress Tool Transfer
- T1219.001 IDE Tunneling
- T1219.002 Remote Desktop Software
- T1572 Protocol Tunneling
- T1573.001 Symmetric Cryptography
Exfiltration
- T1041 Exfiltration Over C2 Channel
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
- T1052.001 Exfiltration over USB
- T1567.002 Exfiltration to Cloud Storage
Tools & malware (23)
CANONSTAGER · STATICPLUGIN · ShadowPad · TONESHELL · Cobalt Strike · HIUPAN · Impacket · SplatCloak · PAKLOG · Wevtutil · AdFind · CLAIMLOADER · Mimikatz · PUBLOAD · StarProxy · CorKLOG · RCSession · NBTscan · PoisonIvy · SplatDropper · BOOKWORM · China Chopper · PlugX
Reporting (3)
- Introducing the 2026 Cloudflare Threat Report — Cloudflare
- How Microsoft names threat actors — Microsoft
- Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats — Patrick Whitsell