{
	"id": "bf3704bb-b211-45dd-a601-4de337863543",
	"created_at": "2026-04-06T00:19:09.780059Z",
	"updated_at": "2026-04-10T13:12:17.849575Z",
	"deleted_at": null,
	"sha1_hash": "8b01245c7a479255740ad7cc6ae6407ea2691d0c",
	"title": "Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 729073,
	"plain_text": "Cyberespionage Attacks Against Southeast Asian Government\r\nLinked to Stately Taurus, Aka Mustang Panda\r\nBy Lior Rochberger, Tom Fakterman, Robert Falcone\r\nPublished: 2023-09-22 · Archived: 2026-04-05 21:30:39 UTC\r\nExecutive Summary\r\nAn advanced persistent threat (APT) group suspected with moderate-high confidence to be Stately Taurus engaged\r\nin a number of cyberespionage intrusions targeting a government in Southeast Asia. The intrusions took place\r\nfrom at least the second quarter of 2021 to the third quarter of 2023. Based on our observations and analysis, the\r\nattackers gathered and exfiltrated sensitive documents and other types of files from compromised networks.\r\nWe found this activity as part of an investigation into compromised environments within a Southeast Asian\r\ngovernment. We identified this cluster of activity as CL-STA-0044.\r\nOur analysis of this cluster of activity revealed attempts to establish a robust and enduring foothold within\r\ncompromised networks and steal sensitive information related to individuals of interest working for the\r\ngovernment.\r\nWith moderate-high confidence, we conclude that this activity is linked to the Chinese cyberespionage group\r\nStately Taurus. This group is also known by several aliases, including Mustang Panda, BRONZE PRESIDENT,\r\nTA416, RedDelta and Earth Preta. Over the years, Unit 42 has observed the group gathering information on\r\ntargets in and around the Southeast Asia region.\r\nThis attribution is underpinned by the utilization of distinctive, rare tools such as the ToneShell backdoor that have\r\nnot been publicly documented in association with any other known threat actor.\r\nOur description of this cluster of activity provides deep technical insights into the tools and approaches used by\r\nthe APT. 
It also includes a timeline of activity that can help defenders obtain crucial information, which you can\r\nuse to hunt for nation-state advanced persistent threats.\r\nPalo Alto Networks customers receive protections against the threats discussed in this article through Advanced\r\nWildFire, Advanced URL Filtering, DNS Security, Cortex XDR and Cortex XSIAM, as detailed in the conclusion.\r\nOrganizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.\r\nRelated Unit 42 Topics: Government, APTs\r\nStately Taurus akas: Mustang Panda, BRONZE PRESIDENT, TA416, RedDelta and Earth Preta\r\nCL-STA-0044 Details\r\nhttps://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/\r\nPage 1 of 13\n\nReconnaissance\r\nTo better understand the breached networks, the threat actor behind CL-STA-0044 scanned infected environments\r\nto find live hosts and open ports, as well as existing domain users and domain groups.\r\nWe observed the adversary using several different tools to reach these goals:\r\nLadonGo: LadonGo is an open-source scanning framework that Chinese-speaking developers created. The\r\nthreat actor used LadonGo to scan for live hosts and open ports using commands like smbscan, pingscan\r\nand sshscan.\r\nNBTScan: NBTScan is a program for scanning IP networks for NetBIOS name information.\r\nAdFind: AdFind is a command-line query tool that can gather information from Active Directory. The\r\nthreat actor renamed the tool a.logs. As shown in Figure 2, the threat actor saved the results of AdFind to\r\nthe following filenames:\r\nDomain_users_light.txt\r\nDomain_computers_light.txt\r\nDomain_groups_light.txt\r\nThese filenames have only been mentioned in a GitHub page about “Penetration Testing Methodology\r\nReferences.”\r\nFigure 2. 
Prevention of AdFind attempts to dump domain users’ details.\r\nImpacket: The Impacket collection includes many tools with functions related to remote execution,\r\nKerberos attacks, credential dumping and more. Figure 3 illustrates these commands. The threat actor used\r\nImpacket to gather information about the network, discover machines and users, and query directories on\r\nremote machines for interesting files to exfiltrate.\r\nFigure 3. Reconnaissance commands run via Impacket.\r\nCredential Stealing\r\nUnit 42 researchers observed the threat actor behind the CL-STA-0044 activity attempting to use several\r\ntechniques for credential stealing to dump passwords from different hosts and the Active Directory:\r\nHdump: The threat actor deployed and used Hdump.exe (renamed h64.exe), which is a credential stealing\r\nutility that researchers have observed Chinese threat actors using. Threat actors used Hdump to dump\r\ncredentials from memory using the -a (dump all) flag.\r\nFigure 4 shows the help menu of Hdump:\r\nFigure 4. Hdump help menu.\r\nMimiKatz: The threat actor attempted to dump the memory of lsass.exe several times, using the credential\r\nharvesting tool MimiKatz (named l.doc) to extract users’ credentials.\r\nDCSync: The threat actor attempted to use MimiKatz’s DCSync feature, which enables attackers to\r\nsimulate a domain controller (DC) in the victim’s network to retrieve user credentials from the legitimate\r\nDC. They then saved the collected information to a file named log.txt.\r\nFigure 5. DCSync command.\r\nStealing the Ntds.dit File: To steal Active Directory data, the threat actor used the Vssadmin tool to create\r\na volume shadow copy of the C:\\ drive on the DC. 
They then retrieved the Ntds.dit file from the shadow\r\ncopy, as shown in Figure 6.\r\nThe Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups,\r\ngroup membership and (most importantly) password hashes.\r\nThe threat actor also stole the SYSTEM file containing the boot key. This key is necessary to decrypt the Ntds.dit\r\nfile.\r\nFigure 6. Stealing the Ntds.dit file.\r\nAbusing Existing Antivirus Software\r\nWe observed the threat actor behind the CL-STA-0044 activity abusing existing antivirus software in\r\ncompromised environments. We spotted threat actors abusing ESET’s Remote Administrator Agent to execute\r\ncommands on remote hosts and to install backdoors.\r\nThey used the process ERAAgent.exe to execute BAT files with a naming pattern of C:\\Windows\\Temp\\ra-run-command-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bat (where xxx is replaced with random numbers and\r\ncharacters).\r\nThese .bat files executed reconnaissance commands and wrote additional backdoors to the disk, as shown in\r\nFigure 7. The files appear to be responsible for executing commands initiated by ESET’s Run Command task.\r\nFigure 7. Blocked suspicious behavior performed by ERAAgent.exe.\r\nMaintaining Access: Web Shells and Backdoors\r\nDuring this campaign, the threat actor behind CL-STA-0044 used several methods to maintain a foothold in\r\ncompromised environments. These methods include using multiple backdoors and web shells.\r\nToneShell Undocumented Variant\r\nOne of the popular backdoors the threat actor behind CL-STA-0044 used in this campaign is an undocumented\r\nvariant of a piece of malware dubbed ToneShell. 
Trend Micro reported that Stately Taurus has used this malware.\r\nUnlike the previously reported version of ToneShell, which uses shellcode as the payload of the malware, the new\r\nvariant’s full functionality is built from three DLL components working in tandem.\r\nEach DLL component has a different purpose:\r\nPersistence component: in charge of persistence for the backdoor and dropping the other components to\r\ndisk.\r\nNetworking component: in charge of command and control (C2) communication.\r\nFunctionality component: in charge of executing the different commands of the backdoor.\r\nFurthermore, each component of ToneShell is loaded into a different legitimate process via DLL sideloading.\r\nInternal communication between the components is done via the use of pipes.\r\nComparing the undocumented variant with the previously reported shellcode variant as shown in Figure 8, there is\r\na clear indication of overlap in the codebase and functionality, as well as in the strings. These strings are saved as\r\nstack strings in the shellcode variant.\r\nFigure 8. ToneShell strings overlap.\r\nThe Persistence Component\r\nThe persistence component (nw.dll, nw_elf.dll) is sideloaded into PwmTower.exe, a component of Trend Micro’s\r\nPassword Manager, which is a known security tool.\r\nThe persistence component will create a different type of persistence depending on the process’ privileges. 
If it has\r\nsufficient rights, the persistence component will create two types of persistence:\r\nService named DISMsrv (Dism Images Servicing Utility Service)\r\nScheduled task named TabletPCInputServices or TabletInputServices\r\nIf it does not have sufficient rights, the persistence component will create another two types of persistence:\r\nRegistry run key named TabletPCInputServices or TabletInputServices\r\nScheduled task named TabletPCInputServices or TabletInputServices\r\nOnce the persistence component is executed as a service, it drops the other components to disk and executes the\r\nnetworking component.\r\nThe Networking Component\r\nThe networking component (rw32core.dll) is sideloaded into Brcc32.exe, the resource compiler of Embarcadero,\r\nan app development tool.\r\nThe networking component uses the domain www.uvfr4ep[.]com for C2 communication. Then, through the use of\r\npipes, it communicates with the functionality component to execute commands from the C2.\r\nThe Functionality Component\r\nThe functionality component (secur32.dll) is sideloaded into Consent.exe, which is a Windows binary that the file\r\nmetadata identifies as “Consent UI for administrative applications.”\r\nFunctionality component capabilities include the following:\r\nExecuting commands\r\nFile system interaction\r\nDownloading and uploading files\r\nKeylogging\r\nScreen capturing\r\nFigure 9 illustrates the process tree for the ToneShell backdoor.\r\nFigure 9. ToneShell process tree.\r\nWeb Shells\r\nIn addition to maintaining access to victim environments via various backdoors, in some instances, the threat actor\r\nalso maintained their access via China Chopper web shells. In one instance, one of the backdoors appeared to\r\nmalfunction and crash on an infected host. 
To overcome that, the threat actor used their web shell access to\r\ntroubleshoot the malfunctioning backdoors.\r\nCobalt Strike\r\nOn top of using their web shell access, the threat actor also delivered a Cobalt Strike agent to the infected host that\r\nhad malfunctioning backdoors. They deployed the Cobalt Strike agent under the name libcurl.dll.\r\nThe threat actor used DLL sideloading to abuse the legitimate process GUP.exe, which is a component of\r\nNotepad++, to execute the malicious agent.\r\nAfter deployment, the threat actor deleted the Cobalt Strike agent fairly quickly. This could imply that they only\r\ndeployed the agent to gain additional functionality momentarily, to allow them to troubleshoot the malfunctioning\r\nbackdoors.\r\nShadowPad\r\nOn several occasions, the threat actor behind CL-STA-0044 deployed the ShadowPad backdoor. ShadowPad is a\r\nmodular malware that has been in use by multiple Chinese threat actors since at least 2015. ShadowPad is\r\nconsidered to be the successor of PlugX, another example of modular malware popular with Chinese threat actors.\r\nThe threat actor abused DLL sideloading to load the ShadowPad module (log.dll) into a legitimate executable\r\n(BDReinit.exe, renamed net.exe), which is a component of the Bitdefender Crash Handler security tool. When\r\nlog.dll is loaded into memory, it searches for a file named log.dll.dat that is saved in the same directory to decrypt\r\nshellcode and execute the payload.\r\nAs shown in Figure 10, ShadowPad then spawns and injects code into wmplayer.exe, which in turn spawns and\r\ninjects code into dllhost.exe. Researchers from Elastic Security Labs have described this behavior in the past.\r\nShadowPad creates persistence using the service DataCollectionPublisingService (DapSvc) for the renamed\r\nBDReinit.exe (net.exe). 
Figure 10 illustrates the process tree for ShadowPad.\r\nFigure 10. ShadowPad process tree.\r\nHighly Targeted and Intelligence-Driven Operation\r\nTargeting Specific Individuals\r\nAnalysis of the threat actor’s actions suggests that the threat actor behind CL-STA-0044 has performed\r\nconsiderable intelligence work on their victims. In several instances, Unit 42 researchers observed threat actors\r\nusing the known Lolbin utility wevtutil to gather information about specific usernames belonging to individuals\r\nwho work at the victim organizations.\r\nThe threat actor searched for Windows Security Log Event ID 4624, which is an event that documents successful\r\nlogin attempts. They also searched for Windows Security Log Event ID 4672, which is an event that documents\r\nassignments of sensitive privileges to new login sessions.\r\nThe threat actor used these log events to find out which machines specific users of interest logged in to, to\r\npinpoint hostnames of interest. The threat actor would later compromise these machines and gather sensitive data\r\nfrom them for exfiltration. Figure 11 shows wevtutil used to search for successful login attempts.\r\nFigure 11. Wevtutil used to search for successful login attempts.\r\nExfiltration\r\nThroughout this attack, the threat actor attempted to exfiltrate many documents and other sensitive information\r\nfrom the compromised machines. Before exfiltration, the threat actor used rar.exe to archive the files of interest.\r\nFigure 12 shows that, on some occasions, the threat actor searched for specific file extensions. On other occasions,\r\nthey archived full directories.\r\nFigure 12. Archiving specific file extensions.\r\nThe threat actor used a variety of tools to initiate their exfiltration. On already compromised hosts, they used the\r\nToneShell backdoor to execute rar.exe. 
To access other uncompromised hosts, they used tools like Impacket and\r\nRemCom to execute rar.exe remotely. RemCom is a remote shell or telnet replacement that lets you execute\r\nprocesses on remote Windows systems.\r\nOn hosts of interest, the threat actor created persistence for a script that is in charge of archiving files\r\n(autorun.vbs), as shown in Figure 13. To do this, they saved the VBS script in the startup directory, which causes it\r\nto run every time the machine is turned on. This behavior could indicate the threat actor’s goal of getting a\r\ncontinuous flow of intelligence from the victims instead of just being a one-and-done operation.\r\nFigure 13. Archiving script persistence.\r\nAfter archiving the files, we observed the threat actor using two exfiltration methods. The first method is\r\nuploading the files using curl and ftp to a cloud storage site named ftp.1fichier[.]com.\r\nThe second method observed is uploading the archived files to Dropbox, a file hosting service, as shown in Figure\r\n14. This method of exfiltration is popular with threat actors because Dropbox is a service people often use\r\nlegitimately, making malicious activity harder to detect.\r\nFigure 14. Data exfiltration using Dropbox.\r\nThreat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not\r\nnecessarily imply a flaw or malicious quality to the legitimate product being abused.\r\nAttribution\r\nBased on the analysis of the information available to us, we assess with moderate-high confidence that the activity\r\nobserved as part of CL-STA-0044 is associated with the APT group Stately Taurus. This group is also known as\r\nMustang Panda, BRONZE PRESIDENT, TA416, RedDelta and Earth Preta.\r\nThe first axis of attribution is the backdoors used in the cluster. 
The main backdoor used by the threat actor behind\r\nCL-STA-0044 is an undocumented variant of the ToneShell backdoor, a backdoor that Trend Micro previously\r\nreported Stately Taurus has used. ToneShell appears to be a tool unique to the group. At the time of writing this\r\narticle, no other known APT groups have been publicly documented as using the ToneShell backdoor.\r\nIn addition, the threat actor behind CL-STA-0044 deployed the ShadowPad backdoor. ShadowPad is a complex\r\nand modular piece of malware that has been used exclusively by Chinese-sponsored threat actors since at least\r\n2015. Furthermore, the filenames and behavior of ShadowPad observed during this campaign overlap with\r\nbehavior that researchers from Elastic Security Labs have described in the past. This activity resembles the TTPs\r\nof threat actors that are believed to operate on behalf of the Chinese nexus.\r\nThe second axis of attribution is victimology. We observed the activity associated with CL-STA-0044 targeting the\r\ngovernment sector in a country in Southeast Asia. Stately Taurus was previously reported to target the government\r\nsector in that region.\r\nThe combination of unique tools and activities we observed raises strong suspicion that the threat actor behind CL-STA-0044 is likely the Stately Taurus APT group. This includes the ToneShell backdoor commonly used by\r\nStately Taurus, along with the deployment of the Chinese state-sponsored and APT-affiliated backdoor\r\nShadowPad, as well as their victimology.\r\nConclusion\r\nThis article describes the activities of CL-STA-0044, one of three clusters that we observed targeting the\r\ngovernment sector in a Southeast Asian country. We associate the activity of the threat actor behind CL-STA-0044\r\nwith Stately Taurus with moderate-high confidence.\r\nDuring the operation, the threat actor slowly took control of the victims' environments, focusing on maintaining\r\ncontrol for a long-term operation. 
The purpose of the threat actor’s efforts appears to be the continuous gathering\r\nand exfiltration of sensitive documents and intelligence.\r\nWe encourage all organizations to leverage our findings to inform the deployment of protective measures to\r\ndefend against this threat group.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with the\r\nthreats described above:\r\nWildFire cloud-delivered malware analysis service accurately identifies the known samples as malicious.\r\nAdvanced URL Filtering and DNS Security identify known domains associated with this group as\r\nmalicious.\r\nCortex XDR and XSIAM\r\nPrevents the execution of known malware, and also prevents the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis\r\nmodule.\r\nProtects against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR 3.4.\r\nProtects from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR 3.4.\r\nProtects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using\r\nthe Anti-Exploitation modules as well as Behavioral Threat Protection.\r\nCortex XDR Pro detects post-exploit activity, including credential-based attacks, with behavioral\r\nanalytics.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance 
(CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nCL-STA-0044\r\nLadonGo\r\n4a8b7cfb2e33aa079ba51166591c7a210ad8b3c7c7f242fccf8cb2e71e8e40d5\r\n12534f7014b3338d8f9f86ff1bbeacf8c80ad03f1d0d19077ff0e406c58b5133\r\n6868f5ce836034557e05c7ddea006a91d6fc59de7e235c9b08787bd6dbd2b837\r\nNBTScan\r\n541bac89b3a414e06b45d778f86b245675922e8b11f866c8b6a827c5d418e598\r\nAdFind\r\n8445aa54adf4d666e65084909a7b989a190ec6eca2844546c2e99a8cfb832fad\r\nImpacket\r\nb000a0095a8fda38227103f253b6d79134b862a83df50315d7d9c5b537fd994b\r\nHdump\r\n64ab1c1b19682026900d060b969ab3c3ab860988733b7e7bf3ba78a4ea0340b9\r\nMimiKatz\r\n31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc\r\n2254e3242943c0afe038baeafe8381bbff136e6d8f681f0f446bf0e458900643\r\nToneShell Persistence Component\r\n2f5cf595ac4d6a59be78a781c5ba126c2ff6d6e5956dc0a7602e6ba8e6665694\r\n0f2f0458d2f1ac4233883e96fe1f4cc6db1551cdcfdd49c43311429af03a1cd5\r\n011fe9974f07cb12ba30e69e7a84e5cb489ce14a81bced59a11031fc0c3681b7\r\n3fc4d023d96f339945683f6dc7d9e19a9a62b901bef6dc26c5918ce9508be273\r\n3a429b8457ad611b7c3528e4b41e8923dd2aee32ccd2cc5cf5ff83e69c1253c2\r\nf58d3d376c8e26b4ae3c2bbaa4ae76ca183f32823276e6432a945bcbc63266d9\r\n46c6ee9195f3bd30f51eb6611623aad1ba17f5e0cde0b5523ab51e0c5b641dbf\r\n86140e6770fbd0cc6988f025d52bb4f59c0d78213c75451b42c9f812fe1a9354\r\nToneShell Networking 
Component\r\na08e0d1839b86d0d56a52d07123719211a3c3d43a6aa05aa34531a72ed1207dc\r\n19d07dbc58b8e076cafd98c25cae5d7ac6f007db1c8ec0fae4ce6c7254b8f073\r\n8e801d3a36decc5e4ce6fd3e8e45b098966aef8cbe7535ed0a789575775a68b6\r\ndf4ba449f30f3ed31a344931dc77233b27e06623355ece23855ee4fe8a75c267\r\n345ef3fb73aa75538fdcf780d2136642755a9f20dbd22d93bee26e93fb6ab8fd\r\n3a5e69786ac1c458e27d38a966425abb6fb493a41110393a4878c811557a3b5b\r\nToneShell Functionality Component\r\n66b7983831cbb952ceeb1ffff608880f1805f1df0b062cef4c17b258b7f478ce\r\nf2a6a326fb8937bbc32868965f7475f4af0f42f3792e80156cc57108fc09c034\r\ndafa952aacf18beeb1ebf47620589639223a2e99fb2fa5ce2de1e7ef7a56caa0\r\n52cd066f498a66823107aed7eaa4635eee6b7914acded926864f1aae59571991\r\nCobalt Strike\r\n8129bd45466c2676b248c08bb0efcd9ccc8b684abf3435e290fcf4739c0a439f\r\nShadowPad\r\n1874b20e3e802406c594341699c5863a2c07c4c79cf762888ee28142af83547f\r\nRemCom\r\n3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71\r\nInfrastructure\r\nwww.uvfr4ep[.]com\r\nFeed-5613.coderformylife[.]info\r\n45.64.184[.]189\r\n43.254.132[.]242\r\n103.27.202[.]68\r\n67.53.148[.]77\r\n207.246.89[.]250\r\nFile Paths\r\nC:\\Users\\Public\\Videos\\\r\nC:\\Users\\Public\\Pictures\\\r\nC:\\Users\\Public\\Music\\\r\nC:\\Windows\\Help\\Help\\\r\nC:\\Windows\\Vss\\\r\nC:\\Windows\\Help\\mui\\\r\nC:\\Windows\\Help\\en-US\\\r\nC:\\Windows\\Logs\\logs\\\r\nC:\\Windows\\Logs\\files\\\r\nC:\\Windows\\Help\\Corporate\\\r\nC:\\PerfLogs\\\r\nC:\\Recovery\\\r\nSource: https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/"
	],
	"report_names": [
		"stately-taurus-attacks-se-asian-government"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b01245c7a479255740ad7cc6ae6407ea2691d0c.pdf",
		"text": "https://archive.orkl.eu/8b01245c7a479255740ad7cc6ae6407ea2691d0c.txt",
		"img": "https://archive.orkl.eu/8b01245c7a479255740ad7cc6ae6407ea2691d0c.jpg"
	}
}