{
	"id": "6a0eda76-d17c-47de-ae9a-cfe1bb8efe54",
	"created_at": "2026-04-06T00:07:18.94575Z",
	"updated_at": "2026-04-10T03:36:33.968044Z",
	"deleted_at": null,
	"sha1_hash": "4fe1fba6dd341f818d60fe1c507cd6a5cb6cc200",
	"title": "Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3581730,
	"plain_text": "Mustang Panda APT Group Uses European Commission-Themed\r\nLure to Deliver PlugX Malware\r\nArchived: 2026-04-05 14:34:52 UTC\r\nEXECUTIVE SUMMARY\r\nSince at least 2019, the Mustang Panda threat actor group has targeted government and public sector\r\norganizations across Asia and Europe [3] with long-term cyberespionage campaigns in line with strategic\r\ninterests of the Chinese government.\r\nIn November 2022, Mustang Panda shifted from using archive files to using malicious optical disc image\r\n(ISO) files containing a shortcut (LNK) file to deliver the modified version of PlugX malware. This switch\r\nincreases the evasion against anti-malware solutions [2].\r\nThe Mustang Panda APT group loads the PlugX malware in the memory of legitimate software by\r\nemploying a four-stage infection chain which leverages malicious shortcut (LNK) files, triggering\r\nexecution via dynamic-link library (DLL) search-order-hijacking.\r\nPLUGX MALWARE EXECUTION FLOW\r\nhttps://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware\r\nPage 1 of 13\n\nFigure 1 – Execution flow of PlugX malware.\r\nFirst Stage: PlugX Malware Delivered by ISO Image\r\nIn the first stage of the infection chain, EclecticIQ researchers assess that the malware was almost certainly\r\ndelivered by a malicious email with an ISO image attachment. The ISO image contains a shortcut (LNK) file, but\r\nit decoyed as a DOC file called “draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc”.  
\r\nThe malicious LNK file contains a command line argument that can be executed by user execution to start the\r\nPlugX malware execution chain.\r\nThe command line argument of “draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc” is\r\nshown below:  \r\nC:\\Windows\\System32\\cmd.exe /q /c \"System Volume Information\\  \\test2022.ucp\" \r\nThe test2022.ucp portion of the command line argument is a renamed legitimate software which is originally\r\ncalled LMIGuardianSvc.exe. This executable is abused to perform DLL hijacking and to load the initial PlugX\r\nloader called LMIGuardianDll.dll. The legitimate and malicious executables are placed on the same file path\r\n(System Volume Information) to perform DLL Hijacking.\r\nhttps://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware\r\nPage 2 of 13\n\nFigure 2 – Command line argument of malicious shortcut (LNK) file.\r\nFigure 3 -PlugX malware loader execution file path. \r\nSecond Stage: DLL Hijacking Execution Chain to Load PlugX Malware\r\nWhen a victim clicks on the shortcut file, it executes the command line argument mentioned in first stage, which\r\nis a technique called DLL hijacking (after the execution of LMIGuardianSvc.exe, it loads LMIGuardianDll.dll aka\r\nPlugX loader automatically). Upon execution of the PlugX loader a Microsoft Office Word document opens. The\r\nhttps://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware\r\nPage 3 of 13\n\ndocument is named “draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.docx”. This is a\r\ndecoy document to trick the user into thinking there is no malicious activity.  \r\nOne example of the Word document can be seen in the image below:\r\nFigure 4 – A decoy Word document is used for social engineering. 
The victim sees a real Word document open\r\nafter clicking on a shortcut (LNK) file that has a Word document icon.\r\nThe process tree below shows the legitimate application LMIGuardianSvc.exe executed twice from a new\r\ndirectory (\\AppData\\Roaming\\SamsungDriver) that the malware creates and later uses for persistence on the\r\ninfected device.\r\nFigure 5 – Captured process tree during the execution of the malicious shortcut (LNK) file which masquerades as a\r\nWord document.\r\nThe encrypted shellcode file LMIGuardianDat.dat contains the PlugX malware:\r\nFigure 6 – Encrypted PlugX shellcode in a hex editor.\r\nThe PlugX loader decrypts the shellcode (LMIGuardianDat.dat) and loads it into the memory of\r\nLMIGuardianSvc.exe. The injected memory region can be dumped for further analysis of the decrypted PlugX\r\npayload.\r\nFigure 7 – Memory map of LMIGuardianSvc.exe.\r\nLMIGuardianDll.dll (the PlugX loader) decrypts LMIGuardianDat.dat and loads it into the memory of the legitimate\r\nprocess.\r\nFigure 8 – Decompiled PlugX loader contains the decryption function.\r\nDuring static analysis, EclecticIQ analysts identified that the PlugX loader uses a simple XOR algorithm to\r\ndecrypt LMIGuardianDat.dat (the XOR-encrypted PlugX shellcode); the encryption exists to avoid signature-based\r\ndetection by anti-malware solutions.\r\nFigure 9 – XOR key is stored statically and used for decryption at run time by the PlugX loader.\r\nThe PlugX loader uses a static XOR key, “0x47F”, to decrypt the PlugX shellcode. 
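The decryption script EclecticIQ used is only visible as an image (Figure 10). The block below is an added example written for this page, not the report's script: a repeating-key XOR decryptor with a known-plaintext key search, demonstrated on a constructed stand-in for LMIGuardianDat.dat rather than the real sample. How the loader applies the reported key 0x47F (byte width and byte order) is an assumption here and is left as a parameter of key_from_int().

```python
# Added example (not the script in the report's Figure 10): repeating-key XOR
# decryption of a PlugX shellcode blob such as LMIGuardianDat.dat, plus a
# known-plaintext search that recovers the key when it is not known. The payload
# below is CONSTRUCTED for the demo; how the loader applies the reported key
# 0x47F (byte width and order) is an assumption and is kept as a parameter.

DOS_STUB = b'This program cannot be run in DOS mode'   # present in nearly every PE

def xor_bytes(data, key):
    '''XOR every byte of data with the repeating key (decryption == encryption).'''
    if not key:
        raise ValueError('empty key')
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))

def key_from_int(value, width, byteorder='little'):
    '''Turn an integer key such as 0x47F into width bytes in the given order.'''
    return value.to_bytes(width, byteorder)

def looks_like_pe_payload(blob):
    '''Heuristic sanity check on a decryption: an MZ header or the DOS stub text.'''
    return blob[:2] == b'MZ' or DOS_STUB in blob

def find_xor_key(blob, crib=DOS_STUB, max_width=4):
    '''Known-plaintext search. For every candidate offset of the crib and every
    key width up to max_width, derive the key bytes the crib implies at that
    offset and keep the first key whose full decryption really contains the crib.'''
    for width in range(1, max_width + 1):
        if len(crib) < width:
            break
        for off in range(len(blob) - len(crib) + 1):
            key = bytearray(width)
            for i in range(width):
                key[(off + i) % width] = blob[off + i] ^ crib[i]
            key = bytes(key)
            if crib in xor_bytes(blob, key):
                return key
    return None

def decrypt_file(path, key):
    '''Decrypt an on-disk blob such as LMIGuardianDat.dat with the given key bytes.'''
    with open(path, 'rb') as fh:
        return xor_bytes(fh.read(), key)

# Constructed stand-in for the encrypted shellcode: a fake PE-like payload
# encrypted under 0x47F read as two little-endian bytes (7F 04). Assumption.
FAKE_PAYLOAD = b'MZ' + bytes(62) + DOS_STUB + bytes(range(256))
DEMO_KEY = key_from_int(0x47F, 2)
ENCRYPTED = xor_bytes(FAKE_PAYLOAD, DEMO_KEY)

if __name__ == '__main__':
    recovered = find_xor_key(ENCRYPTED)
    plain = xor_bytes(ENCRYPTED, recovered)
    print('recovered key:', recovered.hex(), '| looks like PE:', looks_like_pe_payload(plain))
```

Against a real sample, decrypt_file('LMIGuardianDat.dat', key) and check the result with looks_like_pe_payload() before handing it to a disassembler; when the static key is unknown, find_xor_key() recovers it from the DOS stub string that almost every embedded PE carries, and the width parameter lets you test the 8-bit and 16-bit readings of a value such as 0x47F side by side.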
Figure 10 shows a Python script being used to decrypt LMIGuardianDat.dat.\r\nFigure 10 – Decrypted PlugX shellcode.\r\nOnce the PlugX payload is running in memory, it decrypts its C2 configuration. The C2 IP address\r\n217[.]12[.]206[.]116 and the campaign ID “test2022” are visible in the figures below:\r\nFigure 11 – Decompiled PlugX malware contains the campaign ID, a fingerprint of the attack used to categorize\r\nvictims.\r\nFigure 12 – Decompiled PlugX malware contains the command and control (C2) IP address as a static value.\r\nThird Stage: Registry Run Key Persistence\r\nMustang Panda abuses Windows registry Run keys to gain persistence on the infected system. On Windows,\r\nthe Run registry keys execute the specified program each time a user logs on to the device.\r\nThe PlugX malware creates a new Run key value named LMIGuardian Update, shown in the image below.\r\nFigure 13 – Persistence established by the malware after writing a new Run key.\r\nAt every logon the Run key executes LMIGuardianSvc.exe, triggering the DLL hijacking that leads to PlugX\r\nexecution.\r\nFigure 14 – Written registry key.\r\nThe malware creates a new directory (\\AppData\\Roaming\\SamsungDriver) from which the Run key executes\r\nLMIGuardianSvc.exe:\r\nFigure 15 – New file path created for persistent execution of PlugX malware.\r\nFourth Stage: Command and Control Connection\r\nAfter successful execution, PlugX connects to a remote C2 server, which the operators use to send commands\r\nto compromised systems and to receive data exfiltrated from the target network.  
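The artefacts from the first three stages (cmd.exe launching test2022.ucp from the System Volume Information directory on the ISO, LMIGuardianSvc.exe executing from \\AppData\\Roaming\\SamsungDriver, and the LMIGuardian Update Run key) are visible on the host before any C2 traffic leaves it. The block below is an added example, not EclecticIQ's tooling: three small rules run over constructed Sysmon-style events. The field names (Image, CommandLine, TargetObject, Details) follow Sysmon, the sample events are made up to match the report's figures, and the side-loading host list and the executable-extension allow-list are assumptions to be tuned locally.

```python
# Added example (not EclecticIQ's tooling): host-side checks for the artefacts
# described in stages one to three, run over CONSTRUCTED Sysmon-style events.
# Windows paths are spelled with forward slashes and converted by win()/norm(),
# so every rule is written once against normalised paths.
import posixpath
import re

BACKSLASH = chr(92)

def win(path):
    '''Build a Windows path from its forward-slash spelling.'''
    return path.replace('/', BACKSLASH)

def norm(path):
    '''Normalise a Windows path for matching: forward slashes, lower case.'''
    return path.replace(BACKSLASH, '/').lower()

# Extensions cmd.exe /c is expected to launch; anything else (e.g. .ucp) run from
# a quoted path is suspicious. The allow-list is an assumption, tune it locally.
EXEC_EXT = {'.exe', '.com', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.msi'}
# Legitimate binaries known to be abused as DLL side-loading hosts. Only
# LMIGuardianSvc.exe comes from the report; extend the set from your own intel.
SIDELOAD_HOSTS = {'lmiguardiansvc.exe'}
QUOTED = re.compile('\"([^\"]+)\"')   # quoted arguments on a command line

def rule_lnk_cmd_exec(ev):
    '''Stage 1: cmd.exe /c starting a quoted target that lives under System Volume
    Information (the ISO layout) or has a non-executable extension.'''
    if ev.get('EventType') != 'ProcessCreate' or not norm(ev['Image']).endswith('/cmd.exe'):
        return None
    cmd = ev.get('CommandLine', '')
    if ' /c ' not in cmd.lower():
        return None
    for target in QUOTED.findall(cmd):
        t = norm(target)
        if 'system volume information/' in t or posixpath.splitext(t)[1] not in EXEC_EXT:
            return 'cmd.exe launched unusual target: ' + target
    return None

def rule_sideload_host_in_userdir(ev):
    '''Stages 2-3: a known side-loading host running from a user-writable
    directory under AppData/Roaming (SamsungDriver in this campaign).'''
    if ev.get('EventType') != 'ProcessCreate':
        return None
    img = norm(ev['Image'])
    if posixpath.basename(img) in SIDELOAD_HOSTS and '/appdata/roaming/' in img:
        return 'side-load host running from user directory: ' + ev['Image']
    return None

def rule_run_key_to_userdir(ev):
    '''Stage 3: a Run key value whose command points into AppData/Roaming.'''
    if ev.get('EventType') != 'RegistryValueSet':
        return None
    if '/currentversion/run/' not in norm(ev['TargetObject']):
        return None
    if '/appdata/roaming/' in norm(ev.get('Details', '')):
        return 'Run key persistence: ' + ev['TargetObject'] + ' = ' + ev['Details']
    return None

RULES = (rule_lnk_cmd_exec, rule_sideload_host_in_userdir, rule_run_key_to_userdir)

def scan(events):
    '''Return a (rule name, message) pair for every event a rule fires on.'''
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits

# Constructed events modelled on the report's Figures 2, 5 and 13-15.
SVC = win('C:/Users/victim/AppData/Roaming/SamsungDriver/LMIGuardianSvc.exe')
SAMPLE_EVENTS = [
    {'EventType': 'ProcessCreate', 'Image': win('C:/Windows/System32/cmd.exe'),
     'CommandLine': win('C:/Windows/System32/cmd.exe') + ' /q /c \"'
                    + win('System Volume Information/  /test2022.ucp') + '\"'},
    {'EventType': 'ProcessCreate', 'Image': SVC, 'CommandLine': SVC},
    {'EventType': 'RegistryValueSet',
     'TargetObject': win('HKU/S-1-5-21-1/Software/Microsoft/Windows/CurrentVersion/Run/LMIGuardian Update'),
     'Details': SVC},
    # benign control: cmd.exe running an ordinary batch file from Program Files
    {'EventType': 'ProcessCreate', 'Image': win('C:/Windows/System32/cmd.exe'),
     'CommandLine': 'cmd.exe /c \"' + win('C:/Program Files/Vendor/update.bat') + '\"'},
]

if __name__ == '__main__':
    for name, msg in scan(SAMPLE_EVENTS):
        print(name + ': ' + msg)
```

The three rules fire on the first three constructed events and stay silent on the benign control. The first rule is the broadest and deserves the most tuning: a quoted, non-executable target under cmd.exe /c is rare in normal activity, but the System Volume Information path is the sharper signal, because that directory name is chosen precisely so the folder is skipped by users browsing the mounted ISO.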
\r\nFigure 16 – Request headers and server response observed in Mustang Panda’s customized PlugX variant.\r\nOnce the device is infected, the attacker can remotely execute a range of commands on the affected system.\r\nThe ‘Sec-Dest’ and ‘Sec-Site’ HTTP headers carry encrypted information about the victim machine, sent to the\r\nattackers.\r\nFigure 17 – Network capture of the TCP connection to the remote C2 server over port 443.\r\nThe C2 IP address 217[.]12[.]206[.]116 was also seen hosting another service on port 8088 with a unique SSL\r\ncertificate that is itself issued to the IP address 45[.]134[.]83[.]29, which the BlackBerry Research \u0026 Intelligence\r\nTeam identified as additional Mustang Panda infrastructure [1].\r\nFigure 18 – The issued SSL certificate contains another IP address, one used by the Mustang Panda APT group in\r\nprevious attacks. [1]\r\nConclusion\r\nEclecticIQ analysts assess it is almost certain that the APT group Mustang Panda was responsible for this attack.\r\nMustang Panda has leveraged PlugX malware in previous campaigns targeting Ukraine and has used similar\r\nTTPs such as DLL hijacking. The group previously used Windows shortcut (LNK) files disguised with double\r\nextensions (such as .doc.lnk) and a Microsoft Word icon, and has abused registry Run keys for persistence. The\r\nSSL certificate used in this attack overlaps with previous Mustang Panda activity targeting Ukraine.\r\nFigure 19 – Example of an LNK phishing lure used by the Mustang Panda APT group in previous attacks. [2]\r\nEclecticIQ analysts assess it is probable that the target of this lure document was a European entity. The phishing\r\nlure used in the campaign discusses the effect that EU sanctions against Russia will have on the European Union.\r\nMustang Panda targeted European organizations before in a similar campaign on 2022-10-26 [Figure 19]. The\r\nMustang Panda APT group continues to be a highly active threat group conducting cyber operations against\r\norganizations across Europe [2]. EclecticIQ analysts have observed Mustang Panda operators adding new evasion\r\ntechniques, such as a custom malware loader that executes an encrypted PlugX sample, to increase infection rates\r\nand stay under the radar while carrying out cyberespionage activities against victims.\r\nEclecticIQ analysts assess that it is probable Mustang Panda will increase its activity and continue to use similar\r\nTTPs in response to geopolitical developments in Ukraine and Europe, based on an examination of the group’s\r\nprevious cyberespionage activity. Analysts should continue to track Mustang Panda using the TTPs and\r\ninfrastructure highlighted in this report and the YARA rules provided below.\r\nMitigations\r\n- Implement basic incident response and detection deployments and controls such as network IDS, NetFlow\r\ncollection, host logging, and a web proxy, alongside human monitoring of detection sources.\r\n- Employ host-based controls.\r\n- Filter email correspondence and monitor for malicious attachments.\r\n- Identify critical data and implement additional network segmentation and special protections for sensitive\r\ninformation, such as multifactor authentication, highly restricted access, and storage systems only\r\naccessible via an internal network.\r\n- Create alerts for disk image file types, such as ISO, and for shortcut files, both of which are increasingly\r\nabused by different threat actors. Organizations should also consider disabling auto-mounting of ISO and\r\nVHD files.\r\n- Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or other network defence\r\nmechanisms in place to alert on connection attempts from unrecognized external IP addresses and domains and,\r\nupon review, consider blocking them.\r\nMITRE ATT\u0026CK\r\nTactic: Technique (ATT\u0026CK code)\r\nExecution: User Execution: Malicious File (T1204.002)\r\nDefense Evasion: Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)\r\nDefense Evasion: Deobfuscate/Decode Files or Information (T1140)\r\nDefense Evasion: Masquerading: Double File Extension (T1036.007)\r\nCommand and Control: Encrypted Channel: Symmetric Cryptography (T1573.001)\r\nCommand and Control: Data Encoding: Standard Encoding (T1132.001)\r\nPersistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)\r\nINDICATORS OF COMPROMISE\r\nSample file name(s): SHA-256 hash\r\nLMIGuardianDll.dll: ee2c8909089f53aafc421d9853c01856b0a9015eba12aa0382e98417d28aef3f\r\nLMIGuardianDat.dat: 8c4926dd32204b6a666b274a78ccfb16fe84bbd7d6bc218a5310970c4c5d9450\r\ndraft letter to European Commission RUSSIAN OIL PRICE CAP sg de.iso: 723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3\r\ndraft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc.lnk: 2c0273394cda1b07680913edd70d3438a098bb4468f16eebf2f50d060cdf4e96\r\nLMIGuardianSvc.exe, renamed test2022.ucp: 26c855264896db95ed46e502f2d318e5f2ad25b59bdc47bd7ffe92646102ae0d\r\nCommand and control servers\r\n217[.]12[.]206[.]116\r\n45[.]134[.]83[.]29\r\nHunting Resources: Live Queries \u0026 Yara Rules\r\nAbout EclecticIQ Intelligence \u0026 Research Team\r\nEclecticIQ is a global provider of threat intelligence, hunting, and response technology and services.\r\nHeadquartered in Amsterdam, the EclecticIQ Intelligence \u0026 Research Team is made up of experts from Europe\r\nand the U.S. with decades of experience in cyber security and intelligence in industry and government.\r\nWe would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.\r\nAppendix\r\n1. https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets\r\n2. https://www.recordedfuture.com/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant\r\n3. https://twitter.com/ESETresearch/status/1400165767488970764\r\nSource: https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware"
	],
	"report_names": [
		"mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware"
	],
	"threat_actors": [
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fe1fba6dd341f818d60fe1c507cd6a5cb6cc200.pdf",
		"text": "https://archive.orkl.eu/4fe1fba6dd341f818d60fe1c507cd6a5cb6cc200.txt",
		"img": "https://archive.orkl.eu/4fe1fba6dd341f818d60fe1c507cd6a5cb6cc200.jpg"
	}
}