{
	"id": "509cac90-19d5-4329-a93f-9c976bb93034",
	"created_at": "2026-04-06T00:12:22.588611Z",
	"updated_at": "2026-04-10T03:36:33.49863Z",
	"deleted_at": null,
	"sha1_hash": "1c7131841e2fa4e6dc6263f8e2cf46e2ae9e4fd7",
	"title": "Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137704,
	"plain_text": "Mustang Panda PlugX - Reused Mutex and Folder Found in the\r\nExtracted Config\r\nPublished: 2021-05-27 · Archived: 2026-04-05 19:00:04 UTC\r\nFamily PlugX - Variant: XXXXXXXX Config Check\r\nThreat Actor Mustang Panda / Red Delta\r\nEncrypted de0f65a421ce8ee4a927f4f9228f29ff12be69ac71edecb18c35cb5101e4c3cf\r\nDecrypted 2bfd100498f70938dedef42116af09af2db77ef1315edcea0ffd62c93015ddf5\r\nXOR Decryption Key 0x4b, 0x73, 0x51, 0x4f, 0x74, 0x6d, 0x49, 0x68, 0x63, 0x43\r\nXOR Decryption Key Length 10\r\nSummary\r\nOn 2021-05-26 another encrypted Mustang Panda PlugX binary was uploaded to VirusTotal.\r\nThe extracted config contains values seen in prior Mustang Panda PlugX files.\r\n{\r\n \"config\": {\r\n \"cncs\": [\r\n{\r\n \"num\": 1,\r\n \"host\": \"103.192.226.100\",\r\n \"port\": 80\r\n },\r\n {\r\n \"num\": 1,\r\n \"host\": \"103.192.226.100\",\r\n \"port\": 110\r\n },\r\n {\r\n \"num\": 1,\r\n \"host\": \"103.192.226.100\",\r\n \"port\": 8080\r\n },\r\n {\r\n \"num\": 1,\r\n \"host\": \"103.192.226.100\",\r\n \"port\": 5938\r\n }\r\n ],\r\n \"mutex\": \"MvyShgFjKjaJsMinCCgJ\",\r\n \"sleep\": 1000,\r\n \"folder\": \"AvastSvcZEg\"\r\n },\r\n \"extracted_from_sha256\": \"2bfd100498f70938dedef42116af09af2db77ef1315edcea0ffd62c93015ddf5\"\r\n}\r\nThis sample reuses both the Folder name and Mutex which were also found in the previously identified sample:\r\ne4981316b5fc251a5cea5d941303046dad13a9b993006ec07ff7727b17e0e17b.\r\nConfig Pivot\r\nClick a Node to Load Details Below\r\nSource: https://blog.xorhex.com/blog/mustangpandaplugx-2/\r\nhttps://blog.xorhex.com/blog/mustangpandaplugx-2/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.xorhex.com/blog/mustangpandaplugx-2/"
	],
	"report_names": [
		"mustangpandaplugx-2"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c7131841e2fa4e6dc6263f8e2cf46e2ae9e4fd7.pdf",
		"text": "https://archive.orkl.eu/1c7131841e2fa4e6dc6263f8e2cf46e2ae9e4fd7.txt",
		"img": "https://archive.orkl.eu/1c7131841e2fa4e6dc6263f8e2cf46e2ae9e4fd7.jpg"
	}
}