{
	"id": "fcf65d06-3fa6-4f55-8dd2-4a035a6cb301",
	"created_at": "2026-04-06T00:17:49.028366Z",
	"updated_at": "2026-04-10T03:36:33.531358Z",
	"deleted_at": null,
	"sha1_hash": "9fdf30470699a4f4119bcbff25841aaa6a9633ee",
	"title": "Emulating the Politically Motivated Chinese APT Mustang Panda - AttackIQ",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2721458,
	"plain_text": "Emulating the Politically Motivated Chinese APT Mustang Panda - AttackIQ\r\nBy Ken Towne\r\nPublished: 2023-03-23 · Archived: 2026-04-02 11:46:58 UTC\r\nMustang Panda is a state-sponsored and politically motivated Chinese adversary that has been active since at least 2012. This actor, also known as Bronze President, TA416, HoneyMyte, and TEMP.Hex, is closely aligned with Chinese interests, demonstrating a particular focus on organizations located in the United States and Southeast Asia.\r\nOne of the primary tools used by this adversary is a shared piece of Chinese malware known as PlugX. PlugX has been used by multiple Chinese actors since 2008 and is a remote access Trojan (RAT) commonly used to establish a persistent backdoor, conduct environmental reconnaissance, exfiltrate sensitive data, and execute additional payloads. Additionally, recent attacks have used a new bespoke malware family called TONESHELL, believed to be exclusive to Mustang Panda, as the actor’s primary payload.\r\nAttackIQ has released two new attack graphs that seek to emulate Mustang Panda with the objective of helping customers validate their security controls and their ability to defend against this threat. Validating your security program performance against these behaviors is vital in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:\r\nEvaluate security control performance against recently active Chinese APT activity.\r\nAssess their security posture against an actor who globally targets Government and Defense organizations.\r\nContinuously validate detection and prevention pipelines against other Chinese actors who also leverage PlugX in their attacks.\r\nMustang Panda – 2022-12 – European Commission-themed Lure leads to PlugX Infection\r\nhttps://www.attackiq.com/2023/03/23/emulating-the-politically-motivated-chinese-apt-mustang-panda/\r\nPage 1 of 6\r\nIn December 2022, Mustang Panda was observed targeting multiple entities in Europe using a new custom variant of the PlugX backdoor. In this attack the adversary used a malicious Optical Disc Image (ISO) file which, once double-clicked, is mounted and exposes a Shortcut (LNK) file disguised as a European Commission-themed document. The shortcut deploys PlugX, which then exfiltrates sensitive information.\r\nThis attack graph starts by saving and mounting an ISO image file to execute the payload contained inside. A Shortcut (LNK) file is then saved which drops three new files: a legitimate executable, the PlugX loader, and the encrypted PlugX payload. The PlugX loader is then executed via DLL Search Order Hijacking.\r\nSubvert Trust Controls: Mark-of-the-Web Bypass (T1553.005): This scenario bypasses MOTW by downloading and mounting an ISO image on the system to execute the payload contained inside. Note that Windows builds updated since late 2022 propagate the mark to the contents of a downloaded ISO, so check whether the file copied out of the image carries a Zone.Identifier alternate data stream rather than assuming the bypass works on the target build.\r\nIngress Tool Transfer (T1105): This scenario downloads the payload to memory and saves it to disk in two separate scenarios, to test network and endpoint controls and their ability to prevent the delivery of known malicious content.\r\nHijack Execution Flow: DLL Search Order Hijacking (T1574.001): This scenario takes advantage of Microsoft’s Dynamic-Link Library (DLL) search order to load a rogue DLL into a system binary, leveraging the fact that administrators usually trust the system binary, so that malicious code can run inside it without being examined.\r\nIn the second stage of the attack, malicious code is injected into an active process on the system and subsequently obtains persistence through Registry Run Keys.
Communication with the adversary’s infrastructure is then established, which begins the environment discovery stage.\r\nProcess Injection (T1055): This scenario injects a DLL file into another running process and checks whether a canary file can be created from inside it.\r\nRegistry Run Keys / Startup Folder (T1547.001): The attack graph will attempt to create a new registry Run key to achieve persistence on the host.\r\nApplication Layer Protocol: Web Protocols (T1071.001): This scenario emulates the HTTP requests made by the PlugX backdoor by making an HTTP GET to an AttackIQ server that mimics the URL format and data sent by a real infection.\r\nFile and Directory Discovery (T1083): A batch script is executed that lists all files and directories in %ProgramFiles% and the %systemdrive%\\Users directory.\r\nSystem Information Discovery (T1082): The native systeminfo command is executed to retrieve all of the Windows system information.\r\nSystem Location Discovery (T1614): The attack graph calls the native Windows APIs GetUserDefaultUILanguage, GetSystemDefaultUILanguage, and GetKeyboardLayoutList to discover the language configuration of the system.\r\nSystem Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities such as ipconfig, arp, route, and nltest.\r\nInternet Connection Discovery (T1016.001): The actors used a ping to Google’s 8.8.8.8 DNS server to verify whether they could connect to the internet.\r\nFinally, in the last stage of the attack, final discovery actions are completed before exfiltrating the collected information.\r\nSystem Owner / User Discovery (T1033): Live off the land by running whoami and users to gain details about the currently available accounts and permission groups.\r\nSystem Time Discovery (T1124): The scenario identifies the time and time zone of the compromised system through the net time command.\r\nProcess Discovery (T1057): The Windows built-in tasklist command is executed as a command process and the results are saved to a file in a temporary location.\r\nSoftware Discovery (T1518): Reg.exe is used to read HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall, the registry key whose entries list the software installed on the victim asset.\r\nPeripheral Device Discovery (T1120): This scenario retrieves information about the system’s peripherals, such as logical drives, physical memory, and network cards, through the execution of commands and binaries.\r\nData from Removable Media (T1025): The native utility fsutil is used to identify any additional disks connected to the host. PowerShell is then used to iterate through every removable media device and harvest a list of files.\r\nExfiltration Over C2 Channel (T1041): A large amount of data is exfiltrated over HTTP requests, mimicking the data exfiltration method used by the adversary.\r\nMustang Panda – 2022-05 – Global Phishing Campaign against Government Targets\r\nSince March 2022, Mustang Panda has been observed carrying out global spearphishing attacks against the Government and Education sectors. During this activity, the adversary abused fake Google accounts to distribute malware via attachments or Google Drive links. The actor leveraged a newer malware family called TONESHELL and its loaders, which so far have been reported to be exclusive to this threat actor. The goal of this attack graph is to establish a foothold and make the initial connections to the actor’s infrastructure.\r\nThis attack graph begins with the download and saving of a malicious ZIP file, which contains a legitimate executable and the TONEINS loader in DLL format. The executable’s only role is to side-load that DLL.
Persistence is obtained through a scheduled task named “ServiceHub.TestWindowStoreHost”.\r\nHijack Execution Flow: DLL Side-Loading (T1574.002): Bundles a DLL with a Windows executable that is susceptible to DLL Side-Loading to execute actor code.\r\nScheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.\r\nIn the second and final stage of the attack, TONESHELL is executed using DLL Side-Loading before the malware makes some simple discovery requests to identify the victim machine. The final step is a request to the actor’s command and control infrastructure to receive additional commands.\r\nWindows Management Instrumentation (T1047): A WMI query retrieves the volume serial number of the system drive:\r\nSELECT volumeserialnumber FROM win32_logicaldisk WHERE Name='C:'\r\nDetection and Mitigation Opportunities\r\nWith so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques:\r\n1. Process Injection (T1055) and DLL Side-Loading (T1574.002):\r\nBoth malware families use techniques that obscure the true source of malicious activity. By either injecting into another process or using side-loading to load malicious code into a legitimate process, actors can try to hide in normal system operating noise or abuse overzealous whitelisting.\r\n1a. Detection\r\nSearching for common processes that are performing uncommon actions can help identify when a process has been compromised. It would be uncommon for these processes to be executing additional processes or performing discovery techniques.
You can look for similar activity using a signature like:\r\nParent Process Name CONTAINS (‘explorer.exe’ OR ‘svchost.exe’)\r\nAND Command Line CONTAINS (‘set’ OR ‘whoami’ OR ‘ping’ OR ‘dir’)\r\nNote that CONTAINS on short tokens such as ‘set’ and ‘dir’ also matches unrelated strings (setup.exe, or any path containing those letters), and explorer.exe is the parent of anything a user launches interactively, so match whole words in the command line and baseline the rule against normal user activity before alerting on it.\r\n1b. Mitigation\r\nM1040 – Behavior Prevention on Endpoint\r\nM1026 – Privileged Account Management\r\n2. Scheduled Task/Job: Scheduled Task (T1053.005)\r\nAdversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrative Tools section of the Control Panel.\r\n2a. Detection\r\nWith an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task:\r\nProcess Name = (“cmd.exe” OR “powershell.exe”)\r\nAND Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))\r\nThis rule only fires when schtasks is invoked through cmd.exe or powershell.exe; a process that launches schtasks.exe directly is not covered, so consider also matching on the schtasks.exe image name with the same command-line conditions.\r\n2b. Mitigation\r\nMITRE ATT\u0026CK has the following mitigation recommendations:\r\nM1047 – Audit\r\nM1028 – Operating System Configuration\r\nM1026 – Privileged Account Management\r\nM1018 – User Account Management\r\nWrap-up\r\nIn summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against another prolific Chinese threat actor.
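The two detection signatures in the section above (1a and 2a), as an added example that is not part of the AttackIQ post: a small Python matcher that evaluates both rules over constructed process-creation events carrying the image, parent image and command line, as a Sysmon event ID 1 or EDR process record would. The sample events, the host.exe and t.ps1 names in them and the forward-slash paths are constructed for this example (the matcher accepts backslash paths as well). Two departures from the post’s literal rules are assumptions of the example, not of the post: whole-word matching instead of CONTAINS, which removes the setup.exe false positive, and an optional extension of rule 2a to schtasks.exe launched directly.

```python
# Added example, not code from the AttackIQ post: the post's 1a and 2a
# detection signatures as functions, run over constructed process events.
SEP = chr(92)  # a single backslash; built with chr() so the listing needs no escapes

# Rule 1a: parents that should rarely spawn discovery commands themselves
QUIET_PARENTS = ('explorer.exe', 'svchost.exe')
DISCOVERY_WORDS = ('set', 'whoami', 'ping', 'dir')

# Rule 2a: shells creating a task whose action is itself cmd or powershell
SHELL_IMAGES = ('cmd.exe', 'powershell.exe')


def basename(path):
    # c:/windows/explorer.exe -> explorer.exe (backslash paths handled the same way)
    return path.replace(SEP, '/').rsplit('/', 1)[-1].lower()


def tokens(command_line):
    # Whole-word tokens: switches such as /CREATE are kept verbatim (lowercased),
    # everything else is reduced to its basename with any .exe suffix removed,
    # so cmd.exe, c:/windows/system32/cmd.exe and cmd all become the token cmd.
    out = []
    for raw in command_line.split():
        t = raw.lower()
        if not t.startswith(('/', '-')):
            t = basename(t)
            if t.endswith('.exe'):
                t = t[:-4]
        out.append(t)
    return out


def rule_1a(event, whole_word=True):
    # Post's signature: parent is explorer.exe or svchost.exe and the command
    # line contains set/whoami/ping/dir. whole_word=False reproduces the literal
    # CONTAINS semantics, which also fires on e.g. setup.exe.
    if basename(event['parent_image']) not in QUIET_PARENTS:
        return False
    if whole_word:
        words = tokens(event['command_line'])
        return any(w in words for w in DISCOVERY_WORDS)
    lowered = event['command_line'].lower()
    return any(w in lowered for w in DISCOVERY_WORDS)


def rule_2a(event, extended=True):
    # Post's signature: process is cmd.exe or powershell.exe and the command line
    # has schtasks, /CREATE and a cmd or powershell action. extended=True is an
    # assumption of this example: also accept schtasks.exe launched directly,
    # which the literal rule does not see.
    image = basename(event['image'])
    if image not in SHELL_IMAGES and not (extended and image == 'schtasks.exe'):
        return False
    words = tokens(event['command_line'])
    return ('schtasks' in words and '/create' in words
            and ('cmd' in words or 'powershell' in words))


def scan(events, whole_word=True, extended=True):
    # Returns {event index: [rule names that fired]} for the events that matched.
    hits = {}
    for i, ev in enumerate(events):
        fired = [name for name, ok in (('1a', rule_1a(ev, whole_word)),
                                       ('2a', rule_2a(ev, extended))) if ok]
        if fired:
            hits[i] = fired
    return hits


# Constructed sample events (not real telemetry); paths use forward slashes only
# to keep this listing free of escapes, the matcher accepts backslashes too.
SAMPLE_EVENTS = [
    {'image': 'C:/Windows/System32/whoami.exe', 'parent_image': 'C:/Windows/explorer.exe',
     'command_line': 'whoami /all'},
    {'image': 'C:/Windows/System32/cmd.exe', 'parent_image': 'C:/Windows/System32/svchost.exe',
     'command_line': 'cmd.exe /c set'},
    {'image': 'C:/Temp/setup.exe', 'parent_image': 'C:/Windows/explorer.exe',
     'command_line': 'setup.exe /silent'},
    {'image': 'C:/Windows/System32/cmd.exe', 'parent_image': 'C:/Windows/System32/cmd.exe',
     'command_line': 'cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ServiceHub.TestWindowStoreHost '
                     '/TR powershell -w hidden -f C:/Users/Public/t.ps1'},
    {'image': 'C:/Windows/System32/schtasks.exe', 'parent_image': 'C:/Users/Public/Update/host.exe',
     'command_line': 'schtasks.exe /Create /SC MINUTE /MO 5 /TN ServiceHub.TestWindowStoreHost '
                     '/TR cmd /c start C:/Users/Public/Update/host.exe'},
    {'image': 'C:/Windows/System32/cmd.exe', 'parent_image': 'C:/Windows/System32/cmd.exe',
     'command_line': 'cmd.exe /c schtasks /Query /TN Backup'},
]

if __name__ == '__main__':
    for i, fired in scan(SAMPLE_EVENTS).items():
        print(i, fired, SAMPLE_EVENTS[i]['command_line'])
```

Run as written, the whole-word matcher flags events 0, 1, 3 and 4; calling scan with whole_word=False adds the setup.exe event (index 2), which is the false positive the literal CONTAINS rule produces, and extended=False drops event 4, the direct schtasks.exe launch the post’s 2a rule does not see. The tokenizer splits on whitespace and ignores quoting, which is enough for these samples but not for command lines with quoted arguments.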
With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.\r\nAttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.\r\nSource: https://www.attackiq.com/2023/03/23/emulating-the-politically-motivated-chinese-apt-mustang-panda/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.attackiq.com/2023/03/23/emulating-the-politically-motivated-chinese-apt-mustang-panda/"
	],
	"report_names": [
		"emulating-the-politically-motivated-chinese-apt-mustang-panda"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fdf30470699a4f4119bcbff25841aaa6a9633ee.pdf",
		"text": "https://archive.orkl.eu/9fdf30470699a4f4119bcbff25841aaa6a9633ee.txt",
		"img": "https://archive.orkl.eu/9fdf30470699a4f4119bcbff25841aaa6a9633ee.jpg"
	}
}