{
	"id": "3f24d657-d3bb-4d41-a23c-f6314f6fed52",
	"created_at": "2026-04-06T00:13:20.250195Z",
	"updated_at": "2026-04-10T03:36:33.468713Z",
	"deleted_at": null,
	"sha1_hash": "cf37c4acb01e95ad7bbbd9e088caf6bc5c268f42",
	"title": "RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2567475,
	"plain_text": "RedDelta PlugX Undergoing Changes and Overlapping Again with\r\nMustang Panda PlugX Infrastructure\r\nPublished: 2021-06-02 · Archived: 2026-04-05 22:20:21 UTC\r\nFamily PlugX - RedDelta Variant\r\nThreat Actor Mustang Panda\r\nEncrypted 1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600\r\nDecryption Key 0x78, 0x61, 0x6c, 0x72, 0x45, 0x5a, 0x6f, 0x78, 0x43, 0x59, 0x73, 0x71, 0x6c, 0x52, 0x6e, 0x77, 0x78, 0x46, 0x63, 0x43, 0x46\r\nKey Length 21\r\nDecrypted ec1c29cb6674ffce989576c51413a6f9cbb4a8a41cbd30ec628182485a937160\r\nConfig C2 101.36.125.203:965\r\nConfig C2 101.36.125.203:110\r\nConfig C2 vitedannews.com:965\r\nConfig C2 vitedannews.com:110\r\nSummary\r\nMustang Panda (aka RedDelta, BRONZE PRESIDENT) is striving to make their PlugX variant more challenging to reverse statically. This RedDelta PlugX variant overlaps with infrastructure tied to Mustang Panda’s PlugX variant, something we’ve seen before. Mustang Panda is believed to be a Chinese nation-sponsored espionage group. Public reporting shows Mustang Panda targeting non-government organizations (NGOs), including religious entities. They appear to focus on locations in close proximity like Mongolia, Hong Kong, and Vietnam. Mustang Panda is known for making use of PlugX, Poison Ivy, and Cobalt Strike. 
The PlugX sample covered in this blog demonstrates how this group is continuing to evolve their toolset in a likely attempt to slow down researchers and avoid security automation tools.\r\nhttps://blog.xorhex.com/blog/reddeltaplugxchangeup/\r\nPage 1 of 15\r\nKey Findings\r\nShares command and control infrastructure with other Mustang Panda PlugX binaries\r\nDecryption key length increased to 21 characters\r\nControl flow obfuscation added\r\nCode variations in the dynamic Windows API resolutions\r\nMustang Panda / RedDelta Connection\r\nWhen Recorded Future reported on RedDelta last year they differentiated between Mustang Panda and RedDelta. They both make use of PlugX binaries, and due to binary similarities and overlapping infrastructure, we track them as the same group. The key binary differences in the RedDelta PlugX version are:\r\nConfig block check for ########\r\nRC4 Encryption\r\nThe config block check is how we primarily distinguish between the Mustang Panda variant and the RedDelta variant. The “original” Mustang Panda variant uses XXXXXXXX.\r\nFigure 1: RedDelta Variant Config Check (ec1c29cb6674ffce989576c51413a6f9cbb4a8a41cbd30ec628182485a937160)\r\nOverlapping features between both of these variants include:\r\nPrepended XOR key\r\nShellcode in the MZ header\r\nStack Strings\r\nRolling Config XOR decryption key: 123456789\r\nThis sample contains all of these features including the RedDelta PlugX ones.\r\nWe believe with moderate confidence that this sample is tied to the Mustang Panda/RedDelta threat actor group.\r\nSimilar Yet Different\r\nEncrypted DAT File\r\nOn May 24 2021 an encrypted DAT file was uploaded to VirusTotal from Vietnam. 
The file was uploaded with the name SmadDB.dat and is encrypted with a 21 byte XOR key prepended to the binary.\r\nFigure 2: MWDB\r\nWhile the majority of the RedDelta PlugX variants we have seen use a 10 byte prepended XOR key, this is not the first deviation. There are three others in our collection that have a prepended XOR key longer than 10 bytes.\r\nXOR Key Length | SHA256 (Encrypted File)\r\n13 | dba437c9030b5f857ce9820a0c9e2c252fd8aeda71c2101024d3576c446972a0\r\n15 | a1eb4ce6eaa0c35ca4e8285c32b59cd0dfb34018b3f454d4fa4cebe9906534d8\r\n17 | 2304891f176a92c62f43d9fd30cae943f1521394dce792c6de0e097d10103d45\r\n21 | 1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600 (most recent sample)\r\nThis is not the only change; control flow obfuscation is also being added to the malware.\r\nControl Flow Obfuscation\r\nMustang Panda is working on adding control flow obfuscation to their PlugX variant. This first example shows control flow obfuscation added to the config decrypting routine.\r\nFigure 3: 1c7897a902b35570a9620c64a2926cd5d594d4ff5a033e28a400981d14516600\r\nWe don’t see this when comparing it to a prior sample (Figure 4).\r\nFigure 4: dba437c9030b5f857ce9820a0c9e2c252fd8aeda71c2101024d3576c446972a0\r\nIn addition to control flow obfuscation being added, the newest sample’s function (Figure 3) is updated to directly house the decryption routine versus it being in a separate function, as seen in the prior sample (Figure 5).\r\nFigure 5: XOR Routine - dba437c9030b5f857ce9820a0c9e2c252fd8aeda71c2101024d3576c446972a0\r\nOur second control flow obfuscation example in this binary is pulled from an API hashing 
algorithm.\r\nFigure 6: Control Flow Obfuscation - API Hashing Function\r\nNotice the multiple comparison statements controlling which branches are taken (Figure 6), making it harder to follow the execution flow.\r\nMustang Panda appears to be adding control flow obfuscation to parts of their code but it does not exist in all of the functions yet. They don’t stop with control flow obfuscation; they are also modifying how the dynamic Windows API lookup is being performed.\r\nResolving Windows API Calls\r\nThe binary also contains deviations in how it dynamically resolves Windows API functions. Figure 7 shows how the previous samples did this.\r\nFigure 7: Prior Dynamic API Calling (dba437c9030b5f857ce9820a0c9e2c252fd8aeda71c2101024d3576c446972a0)\r\nNotice the API name is built on the stack and then resolved using GetProcAddress. They do this consistently throughout the binary when dynamically resolving API calls.\r\nThe new sample, ec1c29cb6674ffce989576c51413a6f9cbb4a8a41cbd30ec628182485a937160, changes things up a bit by using two slightly different variations on the same pattern to resolve Windows API calls.\r\nAdded Technique - Method 1\r\nThe first method involves using API hashing to get LoadLibraryA and GetProcAddress function pointers. The API hashing code is placed inline with the rest of the function. It’s not separated into its own function. This is an important distinction as the next method does separate it out. The API name is built on the stack between resolving GetProcAddress and LoadLibraryA. The final step is to execute the Windows function hidden in the stack string. 
The diagram below outlines the process in more detail.\r\nFigure 8: Dynamic API Calling (Method 1)\r\nAdded Technique - Method 2\r\nThe second method is similar to the first but the Windows API hashing algorithm is placed into a separate function. The Windows API names may or may not be encrypted. Figure 9 shows the function’s flow with the stack strings being encrypted. The unencrypted strings follow this same pattern minus the decryption loop.\r\nFigure 9: Dynamic API Calling (Method 2)\r\nThe next difference noted is around string obfuscation.\r\nString Obfuscation\r\nThe older samples primarily make use of stack strings to hide from tools like strings.exe. This new sample uses a mixture of stack strings with and without XOR encryption. The index of the character being decrypted makes up one part of the XOR key for that letter. The second part is a constant they add to it to get the final XOR key.\r\nThe string decryption function (for example, Figure 9) can be represented in Python as:\r\ndef str_decrypt(value: bytes, xor_key_modified_by: int) -\u003e str:\r\n    # Each byte is XORed with its index plus a per-string constant\r\n    plain_text = []\r\n    for idx, val in enumerate(value):\r\n        plain_text.append(chr(val ^ (idx + xor_key_modified_by)))\r\n    return ''.join(plain_text)\r\nTo call it, pass the encrypted bytes and the constant to add to the XOR key. 
For example:\r\n\u003e\u003e\u003e str_decrypt([0x03, 0x0c, 0x18, 0x05, 0x09, 0x01, 0x5d, 0x5d], 0x68)\r\n'kernel32'\r\nThey don’t always modify the XOR key by 0x68; sometimes they use other values like 0x2c.\r\nMustang Panda and RedDelta Infrastructure Overlap\r\nThis PlugX’s config contains two previously seen Mustang Panda command and control servers:\r\n101.36.125.203\r\nvitedannews.com\r\nInfrastructure Pivot\r\nThere are 7 samples in our repository that share the IP, 101.36.125.203, and one other sample that shares the domain, vitedannews.com. All of these samples contain the XXXXXXXX config value check making them the Mustang Panda variant. This RedDelta variant (ec1c29cb6674ffce989576c51413a6f9cbb4a8a41cbd30ec628182485a937160) makes the second instance where the IP/Domains overlap with the “original” Mustang Panda PlugX variant. More about the first instance can be found on ThreatConnect’s blog. This second infrastructure overlap further strengthens our theory of them being the same group or at least sharing personnel/infrastructure.\r\nConclusion\r\nOverall we believe Mustang Panda will continue evolving the RedDelta variant to help further thwart detection as time goes on. Historically the .dat file (the encrypted PlugX file) is loaded using a sideloaded DLL which does the loading, decrypting, and passing execution on to this PlugX binary. These three files are sometimes packaged using a self-extracting SFX file. 
We can’t be certain that the updated variant was delivered in the same fashion, but that would be something to look for.\r\nFeedback welcomed via Twitter.\r\nAppendix\r\nAPI Hashing\r\nSpotting the Hashing Routine Inside Control Flow Obfuscation\r\nTaking our knowledge of API hashing algorithms (most, if not all, API hashing routines loop through each character of the API name and apply the hashing algorithm to it) we can find the only part of the algorithm we really care about, the hashing routine. The GIF starts from a zoomed out position to identify a loop for inspection before zooming in on the hashing algorithm loop.\r\nFigure 10: Control Flow Obfuscation - API Hashing Loop\r\nRewriting the Hashing Algorithm in Python\r\nThe API hashing algorithm can be rewritten in Python as:\r\ndef hasher(name: str) -\u003e int:\r\n    # 32-bit FNV-1a: XOR each character into the state, then multiply by the FNV prime\r\n    ebp = 0x811c9dc5\r\n    for dl in name:\r\n        edx = ord(dl) ^ ebp\r\n        ebp = (edx * 0x1000193) \u0026 0xffffffff\r\n    print(hex(ebp))\r\n    return ebp\r\nLoadLibraryA == 0x53b2070f\r\nGetProcAddress == 
0xf8f45725\r\nIOCs\r\nSource: https://blog.xorhex.com/blog/reddeltaplugxchangeup/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.xorhex.com/blog/reddeltaplugxchangeup/"
	],
	"report_names": [
		"reddeltaplugxchangeup"
	],
	"threat_actors": [
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf37c4acb01e95ad7bbbd9e088caf6bc5c268f42.pdf",
		"text": "https://archive.orkl.eu/cf37c4acb01e95ad7bbbd9e088caf6bc5c268f42.txt",
		"img": "https://archive.orkl.eu/cf37c4acb01e95ad7bbbd9e088caf6bc5c268f42.jpg"
	}
}