{
	"id": "47cf00bb-d5f2-4c62-9909-d12fc214b46a",
	"created_at": "2026-04-06T00:16:30.858834Z",
	"updated_at": "2026-04-10T13:11:19.305245Z",
	"deleted_at": null,
	"sha1_hash": "7bfe65ba003636a177953a29a307265d58434db7",
	"title": "New Mustang Panda hacking campaign targets diplomats, ISPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1177843,
	"plain_text": "New Mustang Panda hacking campaign targets diplomats, ISPs\r\nBy Bill Toulas\r\nPublished: 2022-03-23 · Archived: 2026-04-02 12:24:21 UTC\r\nSecurity analysts have uncovered a malicious campaign from China-linked threat actor Mustang Panda, which has been running for at least eight months with a new variant of the Korplug malware called Hodur and custom loaders.\r\nAlso tracked as TA416, Mustang Panda is known to serve China-aligned interests and has recently been associated with phishing and espionage operations that targeted European diplomats.\r\nKorplug is a custom malware used extensively but not exclusively by this particular threat actor, first exposed in a 2020 report that examined the activity of Chinese hackers against Australian targets.\r\nhttps://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/\r\nIn the latest known campaign, analyzed by cybersecurity company ESET, Mustang Panda focuses on European diplomats, ISPs (Internet Service Providers), and research institutes, using phishing lures with decoy documents.\r\nSince August 2021, when this campaign is believed to have started, the hackers have refreshed their lures several times, the latest ones being topics related to Russia’s invasion of Ukraine, COVID-19 travel restrictions, or documents copied from the European Union Council’s website.\r\nThe targeted countries in this campaign are Russia, Greece, Cyprus, South Africa, Vietnam, Mongolia, Myanmar, and South Sudan.\r\nMustang Panda targets heatmap (ESET)\r\nSame targets, new tools\r\nThe targeting scope of Mustang Panda has remained largely unchanged in the past couple of years, so the threat group is mainly occupied with refreshing its lures and improving its toolset.\r\nESET reports having sampled elaborate custom loaders and new Korplug (Hodur) variants that still use DLL side-loading but now feature much heavier obfuscation and anti-analysis systems present across the entire infection chain.\r\nThe malicious module and the encrypted Korplug payload are downloaded along with the decoy document and a legitimate executable, combining their execution for DLL side-loading to evade detection.\r\nKorplug's loading chain (ESET)\r\nThe custom DLL loader leverages the digitally signed legitimate executable, in this case a SmadAV file, and exploits a known vulnerability for side-loading.\r\nThe multiple functions exported by the loader are bogus, except for one, which is the function that loads the new Korplug variant.\r\nA new backdoor version\r\nKorplug is a remote access trojan (RAT) whose functionality hasn’t been thoroughly analyzed thus far, potentially because there are so many variants created by each APT using it.\r\nThe one used by Mustang Panda in this campaign is very similar to THOR, a PlugX variant discovered by Unit 42 researchers last year.\r\nKorplug payloads are decrypted in memory, while only an encrypted form is ever written to the disk. Additionally, all strings are encrypted and Windows API function calls are obfuscated, while anti-execution measures also exist.\r\nWindows API call obfuscation (ESET)\r\nPersistence is achieved by adding a new registry entry to “Software\\Microsoft\\Windows\\CurrentVersion\\Run”, while the newly created directories that host the malware components are marked as “hidden” and “system.”\r\nThe additions of this new version are spotted on the RAT aspect of Korplug, where its authors have added more commands and features.\r\nThe commands supported by the first handler of the particular Korplug variant are the following:\r\nPing – start listening for commands\r\nGetSystemInfo – gather and send system information\r\nListenThread – start a new thread that listens for commands for the second handler\r\nResetConnection – reset connection to C2\r\nUninstall – delete added registry keys, remove all malware components and delete the created folders\r\nStop – disable registry key and exit\r\nThe second handler listens to a different set of commands that concern the RAT’s functionality and are thus more advanced than the first set, which is used for basic reconnaissance.\r\nThe list of this second group is extensive, but some indicative examples are commands to list drives and directories, read and write files, execute commands on a hidden desktop, and start an interactive remote cmd.exe session.\r\nESET believes Mustang Panda will continue to improve its toolset, making it more potent and stealthy, while special attention has to be paid to phishing emails that appear very realistic.\r\nBeing a Chinese actor that has shown signs of serving higher political espionage interests, its targeting scope should remain relatively stable.\r\nSource: https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/"
	],
	"report_names": [
		"new-mustang-panda-hacking-campaign-targets-diplomats-isps"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bfe65ba003636a177953a29a307265d58434db7.pdf",
		"text": "https://archive.orkl.eu/7bfe65ba003636a177953a29a307265d58434db7.txt",
		"img": "https://archive.orkl.eu/7bfe65ba003636a177953a29a307265d58434db7.jpg"
	}
}