
Mustang Panda

mustang_panda · china · active since 2012

Mustang Panda (TA416 / RedDelta / BRONZE PRESIDENT / STATELY TAURUS / FIREANT / CAMARO DRAGON / EARTH PRETA / HIVE0154 / TWILL TYPHOON / TANTALUM / LUMINOUS MOTH / UNC6384 / TEMP.Hex / Red Lich / ClumsyToad / HoneyMyte / PKPLUG / G0129) is the most-aliased Chinese state-sponsored cyber-espionage cluster in the public corpus. It has been active since at least 2012 and is assessed to operate on behalf of PRC strategic interests, broadly aligned with the MSS strategic-intelligence mission given its diplomatic-and-geopolitical targeting profile.

It is operationally distinguished by a 'volume over stealth' approach, a high operational tempo and the broadest geographic footprint of any Chinese state-actor cluster in public reporting, spanning more than 35 countries: Southeast Asia (Myanmar, Vietnam, Philippines, ASEAN states), Europe (activity heavily timed to the Russian invasion of Ukraine for European-policy collection), the Vatican (the July 2020 RedDelta targeting of the Vatican and the Hong Kong Catholic Study Mission disclosed by Recorded Future), Mongolia and Tibet, Pakistan, India, Russia (the May 2022 Check Point Twisted Panda disclosure documenting Chinese targeting of Russian defense research, a notable case of allied-on-allied collection), and Western/anglophone targets.

Tradecraft signatures include PlugX/Korplug as the long-standing core implant with continuous variant development (Hodur, the Camaro Dragon router-firmware variant); the TONESHELL custom backdoor introduced in 2022 with the TONEINS and PUBLOAD loaders; the post-January-2025-takedown LOTUSLITE backdoor and SnakeDisk USB worm retooling; the HoneyMyte kernel-mode rootkit and ToneShell evolution (Kaspersky 2026); heavy DLL side-loading via legitimately signed binaries; tailored phishing lures themed to current geopolitical events (Mongolian decoys, Vatican-and-Catholic-mission themes in 2020, COVID-themed government-directive impersonation in 2020, Ukraine-invasion-response themes in 2022, Venezuela-themed US-policy targets in 2026); USB-worm propagation via LuminousMoth and SnakeDisk; and Cobalt Strike Beacon as the staging framework.

The January 2025 coordinated US DOJ-French law-enforcement operation removed PlugX from approximately 4,200 US victim computers, the first major coordinated US-French action against PRC state-actor infrastructure, but Mustang Panda demonstrated rapid retooling and continued aggressive operations through 2026.

Country: China · Confidence: high · 41 aliases · MITRE ATT&CK G1014

Profile

Mustang Panda (TA416 / RedDelta / BRONZE PRESIDENT / STATELY TAURUS / FIREANT / CAMARO DRAGON / EARTH PRETA / HIVE0154 / TWILL TYPHOON / TANTALUM / LUMINOUS MOTH / UNC6384 / TEMP.Hex / Red Lich / ClumsyToad / HoneyMyte / PKPLUG / Polaris / BASIN / G0129) is the most-aliased Chinese state-sponsored cyber-espionage cluster in the public corpus, reflecting both its long operational history (since at least 2012) and the challenge of consolidating multi-vendor tracking. Mustang Panda is assessed by Microsoft, Mandiant, Google TAG, CrowdStrike, Recorded Future, ThreatConnect, IBM X-Force, Proofpoint, Trend Micro, ESET, and Kaspersky as operating on behalf of PRC strategic interests, broadly aligned with the MSS strategic-intelligence mission given the diplomatic-and-geopolitical targeting profile. Mustang Panda is operationally distinguished by a 'volume over stealth' approach, high operational tempo, broad regional targeting across more than 35 countries, and a willingness to reuse infrastructure and tooling across campaigns at scale.

The cluster maintains the broadest geographic footprint of any Chinese state-actor cluster in public reporting, spanning: Southeast Asia (Myanmar, Vietnam, Philippines, Indonesia, Malaysia, Thailand, Cambodia, Laos, Singapore, with a heavy focus aligned with PRC South China Sea and Belt-and-Road interests), Europe (UK, Germany, France, Belgium, Italy, Netherlands, Greece, Bulgaria, Romania, Czech Republic, Slovakia, Hungary, Poland, Sweden, heavily timed to the Russian invasion of Ukraine for European-policy collection), the Vatican (the July 2020 RedDelta targeting of the Vatican and the Hong Kong Catholic Study Mission disclosed by Recorded Future drew significant diplomatic attention), Mongolia and Tibet, Pakistan and India, Japan and South Korea, Russia (the May 2022 Check Point Twisted Panda disclosure documented Chinese APT targeting of Russian defense research institutes, a notable case of allied-on-allied collection), and Australia, the US, and broader anglophone targets.

Tradecraft is characteristic of Chinese state actors:
(a) PlugX (a.k.a. Korplug) as the long-standing core implant, with continuous variant development including the Hodur variant (ESET March 2022) and the Camaro Dragon custom router-firmware variant (Check Point May 2023);
(b) the TONESHELL custom backdoor introduced in 2022 (Trend Micro November 2022 Earth Preta disclosure) as the new-generation signature implant, alongside the TONEINS and PUBLOAD loaders;
(c) post-January-2025-takedown retooling with the LOTUSLITE custom C++ backdoor (Acronis) and the SnakeDisk USB worm (IBM X-Force);
(d) the HoneyMyte kernel-mode rootkit and ToneShell evolution (Kaspersky 2026), a significant capability maturation;
(e) heavy DLL side-loading via legitimately signed binaries (the broader Chinese state-actor pattern);
(f) tailored phishing lures themed to current geopolitical events: Mongolian-language decoys (early operations), Vatican-and-Catholic-mission themes (2020), COVID-themed government-directive impersonation (2020), Ukraine-invasion-response themes (2022), Venezuela-themed US-policy targets (2026);
(g) USB-worm propagation (LuminousMoth, SnakeDisk) for regional expansion in network environments without strong removable-media controls;
(h) Cobalt Strike Beacon as the staging framework (Operation Dianxun);
(i) operating-hours alignment with Chinese national holidays (the September 2020 pause coinciding with Chinese National Day provided strong attribution evidence).

The January 2025 US DOJ court-authorized international law-enforcement operation, conducted in collaboration with French authorities, removed Mustang Panda PlugX malware from approximately 4,200 US-based victim computers, the first major coordinated US-French action against PRC state-actor infrastructure. Mustang Panda demonstrated rapid post-disruption resilience by retooling with LOTUSLITE and SnakeDisk within months, and continuing aggressive operations through 2026 including Venezuela-themed targeting of US government and policy organizations.

Aliases

41 tracked name variants: Mustang Panda, TA416, RedDelta / Red Delta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich, ClumsyToad, HoneyMyte, PKPLUG, Polaris, BASIN, Operation Dianxun, MSS, G0129 (plus spacing, casing and underscore variants of the same names).

Notable Campaigns

13 campaigns
2026 · Venezuela-Themed Targeting of US Government and Policy Organizations (2026)
2025-2026 · HoneyMyte Kernel-Mode Rootkit Evolution (Kaspersky 2025-2026)
2025 · LOTUSLITE Custom Backdoor and SnakeDisk USB Worm (2025)
2025 · US DOJ Court-Authorized PlugX Infrastructure Takedown (January 2025)
2024 · Stately Taurus Targeting ASEAN-Australia Summit Attendees (Palo Alto Unit 42 March 2024)
2022 · Hodur Implant Against European Diplomatic Bodies (ESET March 2022)
2022 · Earth Preta / TONESHELL Spear-Phishing Governments Worldwide (Trend Micro November 2022)
2021 · LuminousMoth, Mongolian / Myanmar Government Compromise (Kaspersky July 2021)
2021 · Operation Dianxun, Telecommunications Sector Targeting (March 2021)
2020 · COVID-19 Themed Lures Against Southeast Asian Targets (2020)
2020 · RedDelta Targeting of Vatican and Hong Kong Catholic Parishes (Recorded Future July 2020)
2019 · BRONZE PRESIDENT Disclosure (Secureworks December 2019)
2018 · CrowdStrike Mustang Panda, Adversary of the Month (June 2018)

Attribution & Reporting

Attributed by: FBI, CISA, NSA, US Department of Justice, US Department of Treasury, UK NCSC, Singapore IMDA, Singapore CSA, Australia ACSC, Taiwan NCSST, Japan NPA, Vatican, Five Eyes, Microsoft, Mandiant, FireEye, Google Cloud Threat Intelligence, Google Threat Analysis Group, CrowdStrike, Kaspersky GReAT, Trend Micro, Check Point Research, ESET, Cybereason, SentinelOne, Palo Alto Networks Unit 42, Proofpoint, Cisco Talos, Symantec / Broadcom, IBM X-Force, Recorded Future, Insikt Group, SecureWorks, Acronis Threat Research Unit, ThreatConnect, AhnLab ASEC, ZScaler ThreatLabz, Viettel Cyber Security, Avira, VinCSS, Citizen Lab
Key reporting
CrowdStrike: Meet CrowdStrike's Adversary of the Month for June, Mustang Panda (June 2018)
Secureworks: BRONZE PRESIDENT Targets NGOs (December 2019)
Recorded Future: Chinese State-Sponsored Group RedDelta Targets the Vatican and Catholic Organizations (July 28, 2020)
Recorded Future: Back Despite Disruption, RedDelta Resumes Operations (October 2020)
Recorded Future / Insikt Group: Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain (January 2025)
Kaspersky GReAT: LuminousMoth APT, Sweeping Attacks for the Chosen Few (July 14, 2021)
Kaspersky GReAT: The HoneyMyte APT Evolves with a Kernel-Mode Rootkit and a ToneShell Backdoor (2026)
ESET: Mustang Panda's Hodur, Old Tricks, New Korplug Variant (March 23, 2022)
Trend Micro: Earth Preta Spear-Phishing Governments Worldwide (November 18, 2022)
Trend Micro: Earth Preta Cyberespionage Campaign Hits Over 200 (March 2023)
Palo Alto Networks Unit 42: Stately Taurus Activity in Southeast Asia (March 2024)
Check Point Research: The Dragon Who Sold His Camaro, Camaro Dragon Custom Router Implant (May 2023)
Check Point Research: Twisted Panda, Chinese APT Attacks Russian Defense Research Institutes (May 2022)
McAfee Advanced Threat Research: Operation Dianxun, Cyberespionage Campaign Targeting Telecommunication Companies (March 2021)
Mandiant: PRC-Aligned Information Operations Campaign (HaicluPRO)
US DOJ: Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Group (January 2025)
Acronis Threat Research Unit: LOTUSLITE, Targeted Espionage Leveraging Geopolitical Themes (2025)
IBM X-Force: Hive0154 Drops Updated ToneShell Backdoor and SnakeDisk (2025)
Singapore IMDA / CSA: Advisory on Chinese APT Groups Targeting ASEAN Entities (March 2024)
Proofpoint: Exploitation of Political Events in Targeted Attacks (TA416, multiple reports, 2020-2025)
AhnLab Cyber Threat Intelligence: Threat Trend Report on Mustang Panda (2021)
ThreatConnect: Mustang Panda Intelligence Dashboard
Picus Security: Mustang Panda Windows Endpoint Campaign Breakdown (2026)
AttackIQ: Emulating the Politically Motivated Chinese APT Mustang Panda
CYFIRMA: APT Profile, Mustang Panda
Council on Foreign Relations: Mustang Panda Cyber Operations Tracker
EuRepoC: APT Profile, Mustang Panda

Operational

State sponsor

People's Republic of China (PRC). Microsoft, Mandiant, Google TAG, CrowdStrike, Recorded Future, ThreatConnect, IBM X-Force, Proofpoint, Trend Micro, ESET, and Kaspersky assess the cluster as operating on behalf of PRC strategic interests; the specific PRC government unit has not been publicly named in open-source attribution.

Activity is broadly aligned with the MSS strategic-intelligence mission given the diplomatic-and-geopolitical targeting profile. Sustained tooling overlap with the broader Chinese state-actor PlugX ecosystem and a 'volume over stealth' operational tempo are distinctive among PRC clusters.

Motivations
espionage, intelligence gathering, geopolitical collection, diplomatic intelligence, foreign-policy collection, Belt-and-Road intelligence, Taiwan-focused intelligence, Vatican targeting, Chinese-diaspora surveillance, Chinese religious-organization targeting, Tibetan-community surveillance, Uyghur-diaspora surveillance, regional dominance, NGO intelligence, influence operations

Detection Blind Spots

60 techniques mapped
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
Behavioral / log (Sigma): 54/60 · 90%
Analytics (MITRE CAR): 33/60 · 55%
Runtime / container (Falco): 5/60 · 8%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 14/60 · 23%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques covered
Runnable Atomic Red Team tests covering this actor's mapped techniques; validate your detections against this specific adversary and cross-reference the blind spots above. For authorized lab / purple-team use.

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin