{ "id": "efa043d1-66b0-43a5-8416-d9af8c1ac2c4", "created_at": "2026-04-06T00:09:07.847522Z", "updated_at": "2026-04-10T03:36:33.904515Z", "deleted_at": null, "sha1_hash": "32f122fdedf28f1b781ce02d6b13c154bb7a6140", "title": "Mustang Panda: ToneShell and StarProxy | ThreatLabz", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 206361, "plain_text": "Mustang Panda: ToneShell and StarProxy | ThreatLabz\r\nBy Sudeep Singh, ThreatLabz\r\nPublished: 2025-04-16 · Archived: 2026-04-05 15:44:32 UTC\r\nTechnical Analysis\r\nMustang Panda packs their tools in archive files hosted on a staging server. All the tools detected by ThreatLabz\r\nutilized DLL sideloading to execute malicious payloads to evade endpoint detection products.\r\nWe will first examine new versions of a known Mustang Panda tool known as ToneShell. ToneShell is designed to\r\ndownload malicious payloads and execute attacker-specified commands on target machines.\r\nToneShell\r\nToneShell is one of Mustang Panda's most frequently used malware tools. Since the core functionality has already\r\nbeen publicly documented, this analysis focuses solely on the recent changes worth highlighting. This section\r\nexamines three variants of ToneShell: Variants 1 and 3 were discovered on Mustang Panda’s staging server, while\r\nVariant 2 was identified through a third-party malware repository bundled in a ZIP file instead of a RAR file. \r\nAll three ToneShell variants were found in archive files, which include a legitimate executable (EXE) file and a\r\nDLL file (ToneShelll) which is sideloaded. \r\nToneShell Variant Archive Filename Executable Name DLL Name\r\n1 cf.rar mrender.exe libcef.dll\r\n2 ru.zip FastVD.exe LogMeIn.dll\r\n3 zz.rar gpgconf.exe libgcrypt-20.dll\r\nTable 1: Example ToneShell variant filenames.\r\nSeed generation\r\nRandom number generators are utilized in multiple sections of ToneShell’s code for two primary purposes:\r\nAs a fallback mechanism to generate a 16-byte GUID if  CoCreateGuid() fails (as described in the\r\nfollowing section).\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 1 of 11\n\nTo generate a rolling XOR key, which encrypts and decrypts data exchanged between the victim’s machine\r\nand the C2 server.\r\nEach random number generator requires a seed, which ToneShell derives using various methods. These methods\r\nare listed in the table below.\r\nVariant Description\r\nVariant\r\n1\r\nDerives the seed by calling  GetTickCount and adding a constant value to it.\r\nVariant\r\n2\r\nDerives the seed by calling  GetTickCount twice and multiplying the return values together.\r\nVariant\r\n3\r\nDerives the Unix epoch timestamp from the Windows FILETIME format using the code shown\r\nbelow.\r\nTable 2: ToneShell random number seed generation.\r\nseed=(*(_QWORD*)\u0026SystemTimeAsFileTime-116444736000000000i64)/10000000;\r\nCreation of GUID file\r\nEach ToneShell variant observed in-the-wild generates a GUID, or a value derived from the GUID, and writes it to\r\na file on the filesystem. This GUID is used to uniquely identify the infected machine. Recent variants display\r\nsubtle changes in how this file is created. The table below shows how the three different ToneShell variants create\r\nthe GUID file.\r\nVariant Description\r\nVariant\r\n1\r\n1. Calls CoCreateGuid to create a 16-byte GUID.\r\nIf this fails, an array of 16 bytes is created, and populated with random bytes using\r\na linear congruential generator (LCG).\r\n2. The generated 16-byte value is written to a file ( C:\\Users\\public\\description.ini ).\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 2 of 11\n\nVariant Description\r\nVariant\r\n2\r\n1. Calls CoCreateGuid to create a 16-byte GUID.\r\nIf this fails, an array of 16 bytes is created, and populated with random bytes using\r\na linear congruential generator (LCG).\r\n2. Hashes the GUID to generate a 32-bit hash using a custom hash algorithm.\r\n3. The 32-bit hash value is then written to a file\r\n( C:\\ProgramData\\bcryptprimitive.appcore.tbi ).\r\nVariant\r\n3\r\n1. Calls CoCreateGuid to create a 16-byte GUID.\r\nIf this fails, the malware creates an array of 16 random bytes, using the  rand()\r\nfunction.\r\n2. Randomly generates a value up to 64KB that is used to determine the length of an array,\r\nusing a custom LCG.\r\n3. Creates and populates the variable length array with randomly generated bytes, using\r\nthe  rand() function.\r\n4. Writes the length of the array, the GUID, and the randomly generated array to a file\r\n( %temp%\\cryption_event.ini ) using the structure shown below.\r\nTable 3: Shows how each ToneShell variant creates the GUID file. \r\nstructGUIDFILE\r\n{\r\nDWORDtotal_length;\r\nBYTEguid[16];\r\nDWORDlength_of_random_byte_array;// 64KB max size\r\nBYTErandom_byte_array[];\r\n}\r\nRolling XOR key\r\nToneShell employs a rolling XOR key to encrypt and decrypt network traffic exchanged with its C2 server. This\r\nXOR key is generated using an LCG, seeded by values derived through methods previously described. The XOR\r\nkey size varies across ToneShell variants, with Team T5 documenting sizes ranging from 0x20 to 0x200. \r\nVariant 1 uses a 0x100-byte XOR key\r\nVariant 2 uses a 0x100-byte XOR key \r\nVariant 3 uses a 0x200 byte XOR key\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 3 of 11\n\nThis aligns with Mustang Panda's tactic of rapidly iterating and modifying their tools, likely to evade detection.\r\nFakeTLS header\r\nFakeTLS headers are a key feature of ToneShell, which helps disguise the malware’s network activity. They are\r\nused to mimic the TLS protocol in network traffic exchanged between the infected machine and the C2 server.\r\nEarlier ToneShell variants utilized the FakeTLS header with the bytes  0x17 0x03 0x03 , corresponding to\r\nTLSv1.2. However, newer variants have introduced the FakeTLS header bytes  0x17 0x03 0x04 , to spoof\r\nTLSv1.3. Interestingly, in Variant 2, the TLSv1.3 FakeTLS header was used for sending beacons, while the server\r\ncontinued responding with the older TLSv1.2 header.\r\nThis modification appears to be an attempt by the threat actor to evade network signature-based detection systems\r\nthat rely on identifying specific FakeTLS header patterns.\r\nC2 commands\r\nToneShell variants continue to utilize a custom TCP-based protocol. Compared to earlier versions, these newer\r\nvariants focus primarily on executing payloads received from the C2, reflecting Mustang Panda's pattern of\r\niterating their tools, likely to evade detection while adopting a more minimalist design for remote shells.\r\nVariant 1 is a very minimal backdoor, which receives files and acts as a reverse shell. The table below shows the\r\nC2 commands supported by Variant 1.\r\nCommand\r\nNumber\r\nDescription\r\n1 Receives and processes the next command from the C2 server.\r\n2 Creates an empty file at the C2-specified file path and stores the file handle.\r\n3 Appends the bytes received to an open file handle (from Command 2).\r\n4\r\nAppends the bytes received to an open file handle (from Command 2), closes the file\r\nhandle, and frees up the file path string in memory thereafter.\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 4 of 11\n\nCommand\r\nNumber\r\nDescription\r\n5\r\nCreates a reverse shell (cmd.exe), redirecting both stdin and stdout. ToneShell keeps track of\r\nthis subprocess using an ID received from the C2 server. A background thread is created to\r\ncontinually send the output from the subprocess back to the C2 server.\r\n6 Finds the subprocess with the given ID and writes to its standard input.\r\n7 Terminates the subprocess with the given ID.\r\nTable 4: C2 commands supported by Variant 1 of ToneShell.\r\nVariant 2 specifically includes functionality to download DLLs from the C2 and execute them within victim\r\nprocesses through DLL injection. The table below shows the C2 commands supported by Variant 2.\r\nCommand\r\nNumber\r\nDescription\r\n1 Receives and processes the next command from the C2 server.\r\n2 Pauses operation for 3 minutes.\r\n3 Terminates the current process.\r\n4 Retrieves the name of the infected machine.\r\n5 Identifies usernames that are not built-in accounts.\r\n6 Specifies the file path to create a new file (used in Command 8).\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 5 of 11\n\nCommand\r\nNumber\r\nDescription\r\n7 Defines the size of the file to be downloaded (used in Command 8).\r\n8 Creates and writes a DLL file likely used in conjunction with Command 10.\r\n9\r\nUpdates the configuration for the executable path used in shellcode injection (Command 10).\r\nDefaults to  C:\\WINDOWS\\system32\\svchost.exe .\r\n10\r\nThis command creates a child process using the victim executable path specified by command\r\n9. Command 10 also supports an option via a parameter to perform token impersonation when\r\ncreating the process. ToneShell then decodes shellcode that is hardcoded into the malware with\r\nrandomized padding bytes, and specific arguments, including  dwGUIDHash (the 32-bit GUID\r\nhash),  wUnkSig (an unknown signature),  dwC2IPAddress (the IP address of the C2),\r\nand  szFilePath (the path to the DLL that will be injected into the child process). The\r\npatched shellcode is then written to the child process, which will load the specified DLL by\r\ninvoking  LoadLibraryA(szFilePath) . The first ordinal of this DLL is resolved by\r\nusing  GetProcAddress(hModule, 1) and the ordinal is called with the respective\r\narguments:  dwGUIDHash ,  wUnkSig , and  dwC2IPAddress .\r\nTable 5: C2 commands supported by Variant 2 of ToneShell.\r\nToneShell Variant 3 includes functionality to download files and create a subprocess that redirects standard input\r\n(stdin), standard output (stdout), and standard error (stderr) streams to the C2 server. The table below shows the\r\nC2 commands supported by Variant 3.\r\nCommand\r\nNumber\r\nDescription\r\n3 Creates an empty file at the C2-specified file path and stores the file handle.\r\n4\r\nOpens an existing file at the C2-specified file path, moves to the end of the file, and\r\nstores the file handle.\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 6 of 11\n\nCommand\r\nNumber\r\nDescription\r\n5 Appends bytes received from the C2 to an open file handle (from Command 3).\r\n6 Deletes the file used in commands 3, 4, or 5.\r\n7\r\nExecutes a subprocess using the command-line received from the C2, redirecting the\r\nstdin, stderr, and stdout subprocess.\r\n8 Transfers bytes received from the C2 to the stdin subprocess and reads its output.\r\n9 Retrieves the output of the subprocess.\r\n10 Terminates the subprocess and closes all associated handles.\r\nTable 6: C2 commands supported by Variant 3 of ToneShell.\r\nStarProxy\r\nThreatLabz uncovered a new lateral movement tool associated with Mustang Panda’s operations, which we\r\nnamed StarProxy. This tool was found within a RAR archive hosted on the group’s staging server with the\r\nname  client.rar . The archive contains two files: a legitimate, signed binary ( IsoBurner.exe ) and a malicious\r\nDLL ( StarBurn.dll ), which is the StarProxy tool. The StarProxy DLL is sideloaded when the  IsoBurner.exe\r\nfile is executed.\r\nOnce active, StarProxy allows attackers to proxy traffic between infected devices and their C2 servers. StarProxy\r\nachieves this by utilizing TCP sockets to communicate with the C2 server via the FakeTLS protocol, encrypting\r\nall exchanged data with a custom XOR-based encryption algorithm. Additionally, the tool uses command-line\r\narguments to specify the IP address and port for communication, enabling attackers to relay data through\r\ncompromised machines. The figure below illustrates how StarProxy proxies traffic.\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 7 of 11\n\nFigure 1: High-level diagram of StarProxy activity.\r\nGiven the features of the malware, and the use of command-line arguments, Mustang Panda likely uses StarProxy\r\nas a post-compromise tool to access systems that are not reachable directly over the Internet.\r\nInitialization\r\nThe StarProxy DLL contains a malicious export function named StarBurn_UpStartEx, which expects two\r\ncommand-line arguments: a C2 IP address and a port number. Upon execution, the DLL attempts to connect to the\r\nspecified C2 IP address. If the connection fails, StarProxy will keep retrying until it succeeds, waiting for one\r\nsecond in between attempts.\r\nBeaconing\r\nOnce a connection to the C2 server is successfully established, StarProxy beacons to the C2 to receive commands.\r\nIf the C2 server signals that there are no commands, StarProxy waits for one second before beaconing again. If the\r\nC2 server signals that there are further commands to execute, StarProxy makes additional requests to the C2\r\nserver to retrieve the commands and execute them.\r\nPacket encryption and decryption\r\nAll messages exchanged between the client and the C2 server are encrypted using two hardcoded 0x100-byte\r\nXOR keys. Details of the XOR keys and the encryption algorithm are available on the ThreatLabz GitHub page.\r\nC2 protocol\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 8 of 11\n\nRequest Header\r\nAll messages sent by StarProxy to the C2 server are prefixed with a request header ( SEND_HEADER ), which\r\nincludes the fields below.\r\nstruct SEND_HEADER\r\n{\r\n BYTE fake_tls_header[3]; // 0x17 0x03 0x03.\r\n WORD message_size; // Size of data after the FakeTLS header.\r\n DWORD zero; // Zero bytes (start of encrypted data with a hardcoded key).\r\n WORD message_type; // C2 message type.\r\n WORD buffer_size; // Buffer size specific to each message type.\r\n}\r\nResponse header \r\nAll messages sent by the C2 to StarProxy are prefixed with a response header ( RECV_HEADER ), which includes the\r\nfields below.\r\nstruct RECV_HEADER\r\n{\r\n BYTE fake_tls_header[3]; // 0x17 0x03 0x03.\r\n WORD buffer_size; // Size of the message body (RECV_BODY).\r\n}\r\nNotably, the FakeTLS header in these messages is designed to impersonate the TLSv1.2 protocol similar to the\r\nearlier ToneShell variants.\r\nResponse body ( RECV_BODY )\r\nThe  RECV_HEADER is followed by the  RECV_BODY , which includes the command number and data specific to the\r\ncorresponding command. The generic structure of the  RECV_BODY is shown below.\r\nstruct RECV_BODY\r\n{\r\n DWORD unused1;\r\n WORD command_number; // The ID of the command to be executed.\r\n WORD unused2;\r\n BYTE body[]; // Body data (variable length array).\r\n}\r\nBeacon message\r\nAs mentioned in the beaconing section above, StarProxy sends a beacon message ( CMD_0_MESSAGE ) at regular\r\nintervals to check for commands to be executed. The structure of the beacon message is shown in the table below.\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 9 of 11\n\nstruct BEACON_MESSAGE\r\n{\r\n SEND_HEADER send_header; // message_type = 0 to indicate beacon message.\r\n DWORD hash_of_rand_arr; // The hash of a randomly generated array with variable length, computed using a cu\r\n DWORD size_of_rand_arr; // Number of bytes occupied by the random array. This is always a multiple of four.\r\n BYTE rand_arr[]; // A variable-length random array, likely used to verify the correct decryption of m\r\n}\r\nStarProxy uses the following convoluted process to generate the array of random bytes:\r\nCalls  GetLocalTime() to retrieve a  SystemTime structure.\r\nAdds up all members of the  SystemTime structure to generate a seed.\r\nThe seed is used to initialize a pseudo-random number generator (PRNG) using  srand() .\r\nGenerates a random number between 1 and 16. This value will be the variable length (in bytes) of the array\r\ncontaining 32-bit integers.\r\nThe array is filled with randomly generated 32-bit integers, which are then used to generate a 32-bit hash.\r\nIn response to the beacon message, StarProxy expects the following response format from the C2:\r\nstruct BEACON_MESSAGE_RESPONSE\r\n{\r\n RECV_HEADER recv_header; // Contains the FakeTLS header and message size.\r\n DWORD unused;\r\n DWORD has_command; // 0: command data present; any other value: no data present.\r\n}\r\nC2 command handler\r\nThe StarProxy client supports 5 command IDs ( RECV_BODY.wCmdNum ). The table below describes each command\r\nID and its purpose.\r\nCommand\r\nID\r\nDescription\r\n1 Command 1 appears to be a ping command.\r\n2\r\nCommand 2 also appears to be a ping command, implemented exactly as command 1. The\r\npurpose of this duplicated command is unclear.\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 10 of 11\n\nCommand\r\nID\r\nDescription\r\n3\r\nCommand 3 directs StarProxy to set up a TCP connection to a target IP or domain. Once the\r\nconnection is established, StarProxy sends the newly created socket descriptor to the C2.\r\nStarProxy then sets up a background thread to receive data from the target and forward it back\r\nto the C2.\r\nCommand 3 is used in conjunction with command 4 to establish two-way communication with\r\nthe target.\r\nWhile this sample of StarProxy is hardcoded to set up a TCP connection, StarProxy contains\r\ncode which supports both UDP and TCP connections.\r\n4 Forwards message to specified socket descriptor.\r\n5 Closes the socket descriptor specified by the StarProxy C2 server.\r\nTable 7: Lists StarProxy commands.\r\nThe purpose of the duplicate command handlers 1 and 2 is not clear, but could suggest that StarProxy is still under\r\ndevelopment.\r\nExplore more Zscaler blogs\r\nSource: https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "MITRE" ], "references": [ "https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1" ], "report_names": [ "latest-mustang-panda-arsenal-toneshell-and-starproxy-p1" ], "threat_actors": [ { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434147, "ts_updated_at": 1775792193, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/32f122fdedf28f1b781ce02d6b13c154bb7a6140.pdf", "text": "https://archive.orkl.eu/32f122fdedf28f1b781ce02d6b13c154bb7a6140.txt", "img": "https://archive.orkl.eu/32f122fdedf28f1b781ce02d6b13c154bb7a6140.jpg" } }