{
	"id": "f3385ec3-af24-429a-b550-7445d6344837",
	"created_at": "2026-04-06T00:08:04.056865Z",
	"updated_at": "2026-04-10T03:36:33.438832Z",
	"deleted_at": null,
	"sha1_hash": "3e7325eb01e03f4900ec94cf132dc300a5564542",
	"title": "New Mustang Panda’s campaign against Australia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 421144,
	"plain_text": "New Mustang Panda’s campaign against Australia\r\nPublished: 2023-05-03 · Archived: 2026-04-05 14:32:07 UTC\r\nAUKUS (Australia-United Kingdom-United States) is a strategic military alliance between these territories that\r\nbecame a reality in 2021, whose main objective is to build nuclear-powered submarines to counter the threat from\r\nChina in the Indo-Pacific region. This agreement also includes the sharing of cyber capabilities and other\r\nsubmarine technologies. Some sources point out that this is not a security pact, but is rather intended to “elevate\r\nthe intelligence and deterrence value of conventional capabilities”.\r\nThe key facts of this alliance are as follows:\r\nThe US pledged to invest $4.6 billion in the deal. Australia, for its part, will buy at least three second-hand\r\nsubmarines from the US early in the next decade. However, the US Congress has yet to approve this\r\ntransaction. In addition, Australia will build a fleet of eight nuclear submarines. The first of these is\r\nexpected to be ready in 2042.\r\nThis partnership has upset both France and China. Australia will terminate the contract awarded to France\r\nto build 12 diesel-electric submarines. The importance of these submarines is reflected in their capabilities:\r\ncompared to traditional submarines, they have a longer range, are harder to detect, can remain submerged\r\nfor months and have a greater carrying capacity. However, they are larger, which is why nuclear\r\nsubmarines are more vulnerable to attack from the surface.\r\nLast year, China called the deal “destabilising” and “provocative”. Mao Ning, spokesperson for China’s\r\nForeign Ministry, said at a press conference on 9th March that Australia is contributing to the proliferation\r\nof nuclear weapons, is promoting an arms race and that this agreement only destabilises the Asia-Pacific\r\nregion. 
In addition, China issued the following threat: “Australian troops are also more likely to be the first\r\ngroup of Western soldiers to waste their lives in the South China Sea”.\r\nThe Lab52 team has already detected the possibility that actors associated with China, especially Mustang Panda,\r\ncould carry out attacks against the Australian government, notifying its clients.\r\nLab52 has found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current\r\nAustralian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.\r\nhttps://lab52.io/blog/new-mustang-pandas-campaing-against-australia/\r\nIllustration 1 Senator Hon Don Farrell’s profile\r\nThe zip drops two files. On the one hand, the legitimate application for processing PDF files, Solid PDF Creator,\r\nrenamed as “Biography of Senator the Hon Don Farrell/Biography of Senator the Hon Don Farrell.exe”; on the\r\nother hand, we have seen a malicious payload named SolidPDFCreator.dll. 
Persistence is done through DLL side-loading\r\nby the stager.\r\nIllustration 2 Stage activity\r\nC:\\Windows\\SysWOW64\\cmd.exe /C copy SolidPDFCreator.dll C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll \u0026 reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v SolidPDF /t reg_sz /d \"C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.exe\" /F \u0026 schtasks /F /Create /TN SolidPDF /SC minute /MO 1 /TR C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.exe\r\nAfter that, the stager tries to impersonate common Microsoft update communications, hardcoding a legitimate\r\nhost header, www.asia.microsoft.com, while the request is in fact sent to 123.253.35[.]231 as C2.\r\nIllustration 3 Stage request\r\nIt is worth noting that it does not download the PlugX malware in the first instance, as usual, but, similar to what\r\nhas been reported previously by Talos Intelligence [1] or Cisco [2], it uses a custom-developed stager,\r\nsubsequently providing the attacker with a reverse shell for a PlugX deployment.\r\nAs can be seen, China has developed cyber capabilities that allow it to respond quickly to any geopolitical event\r\nthat might affect its interests. The AUKUS treaty has been a regional destabilisation for China, and more\r\ncampaigns are expected to continue to target Australia. 
Lab52 highlights how tracking and monitoring events in\r\ninternational relations allows us to understand the motivations of key actor-states.\r\nReferences\r\n[1] – https://blog.talosintelligence.com/mustang-panda-targets-europe/\r\n[2] – https://gblogs.cisco.com/jp/2022/05/talos-mustang-panda-targets-europe/\r\nSource: https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/"
	],
	"report_names": [
		"new-mustang-pandas-campaing-against-australia"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434084,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e7325eb01e03f4900ec94cf132dc300a5564542.pdf",
		"text": "https://archive.orkl.eu/3e7325eb01e03f4900ec94cf132dc300a5564542.txt",
		"img": "https://archive.orkl.eu/3e7325eb01e03f4900ec94cf132dc300a5564542.jpg"
	}
}