{
	"id": "44f3b4cd-5e97-4367-ad4c-3bdca5a3d16f",
	"created_at": "2026-04-06T00:13:45.676259Z",
	"updated_at": "2026-04-10T03:36:33.524193Z",
	"deleted_at": null,
	"sha1_hash": "d08e3c026f47ba60d151e46961e6091f009bff9d",
	"title": "Mustang Panda deploys a new wave of malware targeting Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2878971,
	"plain_text": "Mustang Panda deploys a new wave of malware targeting Europe\r\nBy Asheer Malhotra\r\nPublished: 2022-05-05 · Archived: 2026-04-05 14:55:13 UTC\r\nIn February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos\r\nbegan observing the China-based threat actor Mustang Panda conducting phishing campaigns against\r\nEuropean entities, including Russian organizations. Some phishing messages contain malicious lures\r\nmasquerading as official European Union reports on the conflict in Ukraine and its effects on NATO\r\ncountries. Other phishing emails deliver fake \"official\" Ukrainian government reports, both of which\r\ndownload malware onto compromised machines.\r\nMustang Panda has been known to use themed lures relating to various current-day events and issues,\r\nincluding the COVID-19 pandemic, international summits and various political topics.\r\nWhile the Ukraine-related Mustang Panda developments have been reported by at least one other security\r\nfirm, we identified additional samples that have not been cited in open-source reporting.\r\nApart from targeting European countries, Mustang Panda has also targeted organizations in the U.S. 
and\r\nAsia.\r\nIn these campaigns, we've observed the deployment of Mustang Panda's PlugX implant, custom stagers\r\nand reverse shells and meterpreter-based shellcode, all used to establish long-term persistence on infected\r\nendpoints with the intention of conducting espionage.\r\nThreat actor profile\r\nMustang Panda, also known as \"RedDelta\" or \"Bronze President,\" is a China-based threat actor that has targeted\r\nentities all over the world since at least 2012, including American and European entities such as government\r\norganizations, think tanks, NGOs, and even Catholic organizations at the Vatican.\r\nWe've also observed extensive targeting of Asian countries, such as the Taiwanese government, activists in\r\nHong Kong, NGOs in Mongolia and Tibet, Myanmar and even Afghan and Indian telecommunication firms.\r\nThe threat actor heavily relies on sending lures via phishing emails to achieve initial infection. These lures often\r\nmasquerade as legitimate documents of national and organizational interest to the targets. These infection vectors\r\ndeploy malware predominantly consisting of the PlugX remote access trojan (RAT) with custom stagers, reverse\r\nshells, meterpreter and Cobalt Strike, which act as another mechanism for achieving long-term access into their\r\ntargets. 
One thing remains consistent across all these campaigns — Mustang Panda is clearly looking to conduct\r\nespionage campaigns.\r\nThreat actor TTPs\r\nMustang Panda's recent activity targets European entities, including Russian targets, and uses political themes to\r\ndeliver the PlugX family of malware implants.\r\nhttps://blog.talosintelligence.com/mustang-panda-targets-europe/\r\nPage 1 of 27\n\nTypical infection chains employed by Mustang Panda consist of three key components:\r\nBenign executable: Used to side-load a malicious DLL.\r\nMalicious DLL (loader): The malicious DLL accompanying the executable is usually a loader for the\r\nPlugX implant, typically an encrypted or encoded blob of data deployed by the loader DLL.\r\nPlugX implant: A RAT implant used extensively by Mustang Panda. It consists of a malicious DLL that\r\ncan perform a variety of actions on the infected endpoint including downloading and deploying new\r\nmodules/plugins.\r\nStagers and reverse shells: Instead of using PlugX, the attackers will sometimes use DLLs acting as\r\ncustom developed stagers, meterpreter-based shellcode downloaders and even custom reverse shells.\r\nInfection chains utilized by the APT group typically consist of:\r\nExecutable downloaders: These downloaders are delivered packaged in an archive. The downloaders are\r\nresponsible for fetching and instrumenting various infection artifacts, resulting in the deployment of the\r\nPlugX implant on the infected endpoint.\r\nArchive based infections: Malicious archives delivered to targets typically consist of a benign executable\r\nwith names meant to trick victims into executing them. The executable will load a malicious DLL which\r\ncan either be the loader for the PlugX implant or a reverse shell or meterpreter-based shellcode\r\ndownloader.\r\nShortcut files: Shortcuts (LNK files) delivered to victims consist of all the infection components\r\nembedded in the LNK files. 
These consist of intermediate components like BAT files that are meant to load\r\nthe malicious DLLs which may be PlugX loaders or stagers.\r\nMaldocs: We've also observed limited use of maldocs to target entities in Asia with the stagers and\r\nmeterpreter payloads to execute the next stage of shellcode payloads.\r\nTargets across the world\r\nEuropean political lures\r\nThis attacker started attacks earlier this year where a vast majority of the lures and decoys consisted of themes\r\nrelated to the European Union (EU). For example, in early January 2022, we saw the attackers employ a lure that\r\nconsisted of a European Commission report on state aid to Greece between 2022 and 2027. Toward the end of\r\nJanuary, the attackers started using a press release from the EU regarding the union's human rights priorities in\r\n2022.\r\nThe attackers also started taking advantage of publications and documents related to the deteriorating relations\r\nbetween Ukraine and Russia. In late January, the group started spreading a lure containing PlugX that disguised\r\nitself as a report from the EU's general secretary.\r\nWhen Russia invaded Ukraine on Feb. 24, 2022, the attackers started using related documents to infect their\r\ntargets. A lure from Feb. 28 was disguised as a report on the situation along European borders with Ukraine, while\r\nanother one in March consisted of a report on the situation along the European borders with Belarus.\r\nWhile the threat actors continued the use of regional and topical events in Eastern Europe, they also used other\r\ntopics of interest to infect their victims. 
In March, we observed the use of a lure targeting Russian agencies, a\r\nmalicious executable delivering the PlugX implant, named \"Благовещенск - Благовещенский Пограничный\r\nОтряд.exe\" roughly translating to \"Blagoveshchensk - Blagoveshchensk Border Guard Detachment.exe,\" a report\r\non the border detachment to Blagoveshchensk, a town of strategic importance to Russia, located on the Sino-Russian border.\r\nAmerican-themed political lures\r\nSince at least May 2016, Mustang Panda has operated campaigns targeting multiple entities in the United States.\r\nAdditionally, the APT has frequently used overlapping topics of interest to multiple entities across the globe.\r\nSome of their lures such as \"U.S. Asst Secretary of State Visit to ASEAN Countries.rar\" from December 2021 and\r\n\"Biden's attitude towards the situation in Myanmar.zip\" from February 2021 reaffirm this trend of targeting two\r\nbirds with one stone. In all these instances, we observed the use of stagers as the final payloads in the infection\r\nchains instead of a direct deployment of PlugX.\r\nAsian-themed lures\r\nMustang Panda has been extremely prolific in targeting various government entities in Asian countries over the\r\npast few years such as those in Myanmar, Hong Kong, Japan and Taiwan.\r\nThe threat actor has aggressively targeted the government of Myanmar since 2019, even breaching their websites\r\non multiple occasions to host malware payloads. This targeting continued into 2021 with lures related to the\r\nNational Unity Government of Myanmar and its People's Defence Force. All these attacks resulted in the\r\ndeployment of an implant executing meterpreter HTTP shellcode.\r\nMustang Panda has frequently used the ASEAN summit as a topic for their lures to infect individuals participating\r\nin this summit. 
Using such topics enables the APT to infect a wide range of targets (the ASEAN association\r\nconsists of 10 member countries in Southeast Asia). This tactic is in line with Mustang Panda's practice of using\r\nan overlapping topic of interest to target multiple entities with the same lures.\r\nIn March 2021, the APT targeted government entities in Hong Kong using a malicious archive named\r\n\"Report.rar\". This archive contained a lure named \"Report 18-3-2021 101A.exe\" for sideloading a malicious DLL-based meterpreter stager. The keyword \"101A\" refers to Section 101A of the Criminal Procedure Ordinance which\r\ndictates terms of use of force in making arrests in Hong Kong, a hot topic on account of recent civil unrest and\r\nprotests.\r\nJapanese government officials have also been targeted recently using lures masquerading as minutes of the\r\nJapanese cabinet's meetings in 2021. Lures such as \"210615_Cabinet_Meeting_Minutes.exe\" and \"210831_21st\r\nCabinet Meeting Minutes.rar\" have been actively used to infect victims with custom stagers.\r\nLatest infection vectors\r\nDownloaders\r\nBeginning in 2022, we observed Mustang Panda distributing malicious executables acting as downloaders, and\r\ndisguised as fake reports on various Europe-related subjects as initial infection vectors against targets in Europe.\r\nThese executables were usually distributed wrapped up in an archive file to the targets. Recently, ESET disclosed\r\na similar infection delivering a previously unknown PlugX variant.\r\nAs recently as March 2022, we discovered a downloader pretending to be a report on the current situation along\r\nEuropean borders with Belarus. 
In another instance, we observed an executable named \"Благовещенск -\r\nБлаговещенский Пограничный Отряд.exe\" roughly translating to \"Blagoveshchensk - Blagoveshchensk Border\r\nGuard Detachment.exe\", a report on the border detachment to Blagoveshchensk, a town located on the Sino-Russian border.\r\nThe downloader loads all the artifacts in the infection chain. All the artifacts are data files that need to be decoded\r\nby the various infection components before being activated on the infected endpoint. There are four components\r\ndownloaded as part of the infection chain:\r\nThe first component is a decoy PDF masquerading as an official European Union report on the conflict in\r\nUkraine and its effects on NATO countries. This document is not malicious and only serves to project\r\nauthenticity and distract the victim.\r\nA benign executable that loads the third component — a malicious DLL-based loader — via the DLL\r\nsideloading technique. DLL sideloading involves tricking a benign process into loading a malicious DLL\r\nthat disguises itself as legitimate.\r\nThe third component, the loader responsible for decoding, loading and activating the final malicious implant, is also a\r\nDLL. First, it reads a data file downloaded by the downloader binary from a hardcoded location on disk\r\nand decodes the data file into a DLL. 
Then, the loader reflectively loads the final DLL-based implant into\r\nthe memory of the current process and runs it.\r\nA RAT called PlugX, Mustang Panda's malware of choice.\r\nDecoy document consisting of a report from the European Commission on the current security\r\nstatus of EU borders with Belarus.\r\nThe benign executable is executed on the endpoint using a command such as:\r\ncmd.exe /c ping.exe 8.8.8.8 -n 70\u0026\u0026\"%temp%\\FontEDL.exe\"\r\nThe executable is simply meant to load the DLL and call one of its exported APIs to activate its malicious\r\nfunctionality.\r\nExecutable loading the PlugX loader DLL.\r\nMalicious DLL — PlugX loader\r\nThe malicious DLL is the actual loader for the PlugX implant downloaded by the initial downloader as a DAT file.\r\nThis DLL is loaded by the benign process and carries out the following actions:\r\nRead a data file downloaded earlier by the downloader binary from a hardcoded location.\r\nDecode the data file into a DLL.\r\nReflectively load the new DLL into the current process' memory and run it.\r\nThe new DLL is the actual PlugX implant.\r\nPlugX loader decodes and jumps to execute the actual implant DLL in memory.\r\nThe infection chain is as follows:\r\nToward the end of March 2022, however, the attackers made another update to their tactics. This time, the\r\ndownloader executable would use only two remote URLs to obtain all the components of the infection chain.\r\nWhile one URL would host the decoy document, the other URL hosts the benign exe, the implant loader DLL and\r\nthe encrypted PlugX implant. Once the payloads are downloaded and decrypted, they are activated using the same\r\ntechnique illustrated earlier — the EXE loads a DLL-based loader that decrypts the final PlugX payload and\r\ndeploys it. 
The themes used in these lures pertained to Europe with malicious downloaders named \"Invitation\r\nletter_ECGFF_Frontex_WS_final_countersigned.exe\" and \"Latest analyses of Russia's war on Ukraine.exe.\"\r\nArchive-based infections\r\nWhile Mustang Panda recently began using downloader executables, the group continues to deliver their malware\r\nvia archive files consisting of a benign executable that loads and activates the accompanying malware payload\r\nDLL, which they have done since at least 2019.\r\nPlugX\r\nThroughout 2021, we observed the use of malicious archives containing an executable (loader), a DLL-based\r\nloader and an encrypted blob of data (DAT file) being delivered to targets. The DLL-based loader is responsible for decrypting the DAT\r\nfile containing the PlugX implant.\r\nThe executable is typically executed via:\r\nSocial engineering: Disguising the initial executable as a legitimate document to trick the target into\r\nopening it, thereby starting the infection chain.\r\nShortcut file: A shortcut file that executes an intermediate component, such as a BAT file that runs the\r\nexecutable.\r\nBAT file instrumenting the executable.\r\nBespoke stagers\r\nMustang Panda infections in late January 2022 resulted in the deployment of bespoke stagers that downloaded\r\nadditional shellcode from a remote location that would, in turn, be deployed on the infected endpoint.\r\nThe stager typically arrives in the form of an archive on the target's endpoint. The archive contains an executable\r\nthat needs to be executed by the victims. Once executed, it loads the accompanying DLL, which is the key\r\nmalicious component. The DLL is responsible for decoding an embedded blob of shellcode, which, when\r\nexecuted, acts as a stager that can download and execute additional shellcode from a C2 IP address.\r\nThis infection tactic has been heavily used by Mustang Panda in Asia. 
For example, in February 2022, in a\r\ncampaign targeting users from Southeast Asian countries, the group used an archive-file-based lure masquerading\r\nas documents pertaining to the ASEAN Summit.\r\nThe archive consists of an executable named \"ASEAN Leaders'Meeting.exe\" that loads the accompanying DLL-based implant. The executable is a legitimate copy of a component belonging to the KuGou Active Desktop\r\napplication. It imports two exported APIs from the malicious PlugX DLL to activate the implant.\r\nStager analysis\r\nThe stager begins by creating persistence for itself across reboots via the registry Run key using cmd.exe and\r\nliving-off-the-land binaries and scripts (LoLBAS):\r\nc:\\windows\\system32\\cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Amdesk\r\n/t REG_SZ /d \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL\r\n\"C:\\Users\\Public\\Libraries\\active_desktop\\desktop_launcher.exe\"\" /f\r\nStager setting up persistence for itself.\r\nAdditionally, it sets up persistence for itself to run every minute on the infected endpoint by creating a\r\nScheduled Task on the system using the command:\r\nC:\\windows\\system32\\schtasks.exe /F /Create /TN Microsoft_Desktop /sc minute /MO 1 /TR\r\nC:\\Users\\Public\\Libraries\\active_desktop\\desktop_launcher.exe\r\nThe implant will then decode and activate the next shellcode via a new thread.\r\nShellcode decoding functionality interlaced with junk debug strings referencing Qihoo 360's\r\nHeliosTeam.\r\nThe shellcode decodes DLL and API names and resolves them for later use. 
The DLL names are hashed using the\r\nror13AddHash32 algorithm:\r\nImplant building API imports.\r\nThe implant will then collect the following information from the endpoint and send it to the C2:\r\nVolume serial number, which it obfuscates by adding 0x12345678. The final result is sent to C2.\r\nRetrieves the computer name and username, along with their lengths.\r\nRetrieves the uptime of the host.\r\nImplant collecting system information to send to the C2.\r\nThe collected host info is RC4 encrypted before sending it over to the C2. The RC4 key used is (hex): 78 5a 12\r\n4d 75 14 14 11 6c 02 71 15 5a 73 05 08 70 14 65 3b 64 42 22 23 20 00 00 00 00 00 00 00\r\nPre-encryption:\r\nFormat : 0x0A + \u003cEncoded Volume serial number \u003e + \u003cuptime\u003e + \u003chostname\u003e + \u003cusername\u003e\r\nPost-encryption:\r\nThe shellcode then attempts to connect to the C2 IP address to retrieve additional shellcode that can then be\r\nexecuted on the infected endpoint.\r\nImplant's capability to receive more shellcode from the C2.\r\nExecution of downloaded shellcode on the endpoint.\r\nAnother type of stager employed by Mustang Panda, first seen in 2019 and still active as of December 2021, binds\r\nitself locally to the infected endpoint and listens for any incoming requests. 
It only accepts incoming requests\r\nfrom a hardcoded C2 address and executes any shellcode received from the C2.\r\nStager binding to local address for listening to incoming requests.\r\nMeterpreter\r\nOther stagers used by Mustang Panda, some as recently as late 2021, are DLL-based implants that\r\ndecode and execute Meterpreter reverse-HTTP payloads to download and execute even more payloads from the\r\nC2. We observed this actor using Meterpreter dating back to 2019, when it was deployed via malicious archives\r\nhosted on the Myanmar government's website. Meterpreter's use as an intermediate access mechanism continued\r\nat least into June 2021, with a brief lull, followed by the adoption of bespoke stagers in 2022.\r\nReverse shell\r\nIn late February 2022, the threat actors used another previously undisclosed Ukrainian-themed lure named\r\n\"Офіційна заява Апарату РНБО України\\Про введення в дію плану оборони України та Зведеного плану\r\nтериторіальної оброни України.exe\", which roughly translates to \"official statement from the National Security\r\nand Defense Council of Ukraine.\"\r\nThis infection chain consisted of activating a simple, yet new, TCP-based reverse shell using cmd.exe as opposed\r\nto directly deploying the PlugX implant, stagers and Meterpreter seen in parallel infection chains from Mustang\r\nPanda.\r\nThe reverse shell DLL will copy itself and the executable responsible for loading it into a folder on a target\r\nmachine's disk, such as:\r\nC:\\Users\\Public\\Libraries\\iloveukraine\\Microsoft_Silverlight.exe\r\nC:\\Users\\Public\\Libraries\\iloveukraine\\kdump.dll\r\nThe implant is also responsible for setting up persistence on the system to ensure the reverse shell runs once a\r\nminute via a scheduled task:\r\nC:\\windows\\system32\\schtasks.exe /F 
/Create /TN Microsoft_Silverlight /sc minute /MO 1 /TR\r\nC:\\Users\\Public\\Libraries\\iloveukraine\\Microsoft_Silverlight.exe\r\ncmd.exe-based reverse shell created by the implant.\r\nReverse shell infection chain:\r\nShortcut files (LNK)\r\nThe use of shortcut files (LNK) has been a popular technique with Mustang Panda since at least 2019 against\r\nentities in Asian countries. While the frequency of use of this tactic has reduced over the past couple of years, it is\r\nstill seen being sporadically utilized by the threat actors. As late as March 2021, a shortcut file targeting users in\r\nMyanmar deployed Mustang Panda's stager against their targets.\r\nThis shortcut file consists of a command to extract content from itself and execute as a BAT file:\r\n/c for %x in (%temp%=%cd%) do for /f \"delims==\" %i in ('dir \"%x\\2021-03-11.lnk\" /s /b') do (more +540 /S %i |fi\r\nThe BAT is responsible for extracting the next JavaScript payload and executing it via wscript.exe on the\r\nendpoint.\r\nThe JS code will extract an executable and a DLL-based stager to disk, followed by the execution of the\r\nexecutable, thus establishing persistence on the system and establishing communications with the C2.\r\nJS extracting the DLL-based stager and activating it via the EXE-based loader.\r\nLNK-based infection chain:\r\nMaldocs\r\nIn some instances, we also observed the use of maldocs targeting Asian countries such as Taiwan to deploy stagers\r\nthat could execute meterpreter shellcode to communicate with the C2 server and execute the next payloads on the\r\ninfected system. 
The malicious macros contain two more components that are dropped to disk on the infected\r\nsystem. One component is a benign executable that is run by the macro to load the second component, a malicious\r\nDLL, which establishes persistence for the EXE and DLL via the registry Run key.\r\n/C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Acerodp /t REG_SZ /d \"Rundll32.exe\r\nSHELL32.DLL,ShellExec_RunDLL \"C:\\Users\\Public\\Libraries\\win\\Acrobat.exe\"\" /f\r\nThen, the DLL executes the shellcode embedded in it — a meterpreter reverse HTTP shell to download and\r\nexecute the next payload.\r\nExecutables embedded in the malicious macro.\r\nThe macro code for instrumenting the EXE and side-loaded DLL.\r\nIn one instance, the maldoc was named \"海污法修正草案.ppt\". This roughly translates to \"Draft Amendment to\r\nMarine Pollution Law\" consisting of a politically themed lure targeting Taiwanese government entities.\r\nConclusion\r\nOver the years, Mustang Panda has evolved their tactics and implants to target a wide range of entities spanning\r\nmultiple governments in three continents, including the European Union, the U.S., Asia and pseudo allies such as\r\nRussia. By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much\r\nlong-term access as possible to conduct espionage and information theft.\r\nApart from Mustang Panda's tool of choice, PlugX, we've observed a steady increase in the use of intermediate\r\npayloads such as a variety of stagers and reverse shells. The group has also continuously evolved its delivery\r\nmechanisms consisting of maldocs, shortcut files, malicious archives and, starting in 2022, downloaders. 
Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social\r\nengineering to trick victims into infecting themselves.\r\nIn-depth defense strategies based on a risk analysis approach can deliver the best results in protecting against such\r\na highly motivated set of threat actors. However, this should always be complemented by a good incident response\r\nplan which has not only been tested with tabletop exercises, but also reviewed and improved every time it is put to\r\nthe test on real engagements.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nHashes\r\nbee9c438aced1fb1ca7402ef8665ebe42cab6f5167204933eaa07b11d44641bb\r\ndbdbc7ede98fa17c36ea8f0516cc50b138fbe63af659feb69990cc88bf7df0ad\r\n18230e0cd6083387d74a01bfc9d17ee23c6b6ea925954b3d3c448c0abfc86bd2\r\n19870dd4d8c6453d5bb6f3b2beccbbbe28c6f280b6a7ebf5e0785ec386170000\r\n1d484ada6d7273ca26c5e695a38cb03f75dee458bcb0f61ea81a6c87d35a0fa0\r\n668cc21387e01b87c438e778b3a08c964869ce2c7f22c59bcde6604112d77b2e\r\n8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac\r\neffd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1\r\n6019e6ee3dee2ec798667ccb34a2ab8d70bf5960d35f55157a9cb535b00b243f\r\n436d5bf9eba974a6e97f6f5159456c642e53213d7e4f8c75db5275b66fedd886\r\n82df9817d0a8dca7491b0688397299943d9279e848cdc4a5446d3159d8d71e6f\r\nca622bdc2b66f0825890d36ec09e6a64e631638fd1792d792cfa02048c27c69f\r\na0e1a9d45ab7addf3762d3b872f6b21e8ce41a7ff290f5b8566a39d9ca51b09a\r\na07cece1fa9b3c813c0b6880b24a6494a9db83e138102da3bce30ebff51909c0\r\n492fd69150d0cb6765e5201c144e26783b785242f4cf807d3425f8b8df060062\r\n2fc14451ef0ff0919995d46fedc7b7c7f9a9adbf9c40f6b36b480e637d581e6b\r\n94c5c12e03ce6694bdfb5053540f53942640e2aeea22f8ef7d4bc0066b594bca\r\n1aafbe976c3559b61531910c75f9bb90176641f565f9810a18dcde9564241164\r\n7ded20b7d2c0428641a6ac272c15b444b37bf833bbbea09dc931d649e6dc5277\r\n76da9d0046fe76fc28b80c4c1062b17852264348fd873b7dd781f39491f911e0\r\ne1dbe58393268d7ddabd4bed0cdedf0fbba85d4c3ef1300580ed4c74e147aa61\r\nfac8de00f031299f6c698b34534d6523428b544aad6a40fdc4b000a04ee82e7\r\n16dd94c228b5e2050d01edfe4849ca1388e9b3f811d39380f6ada3e75c69b353\r\n6fd9d745faa77a58ac84a5a1ef360c7fc1e23b32d49ca9c3554a1edc4d761885\r\n706e53480da95b17d0f9f0f5dc37a50c7abc3f954ce15b4733fd964b03910627\r\n537ac2f79db06191222ba7ae7b7843f063600f87971b8dffc4a31459d6a144b1\r\n3aa80dd8ffbc7b364234cdf0849b10bcead52004fc803a74afb1bd504d024305\r\naa8fb15d63bd22b2ff15a9f1b4f4422b3c6af026915168c81d7bb38c9be2ab78\r\n567fb0e6e6667ce1674cbdfd0ab26a8a3f68979256ef6680facf1d2d50a25dba\r\n1b520e4dea36830a94a0c4ff92568ff8a9f2fbe70a7cedc79e01cea5ba0145b0\r\n4c727e21312355cd9a9f0e1e0bb8fc3379f487968a832d00ffde9d5a04b8da9d\r\n017ef960616182daa1ffabc5d5470340cc45bbd5ab3455d74987a3ae478fa118\r\n5851043b2c040fb3dce45c23fb9f3e8aefff48e0438dec7141999062d46c592d\r\ne2aff9d2f5e75bdc09712722d919f2261f638b0b4da878e405b86b927dcaf1e3\r\nec32ff0c049bd8812a35aeaaaae1f66eaf0ce8aefce535d142862ae89435c2e2\r\n930b7a798e3279b7460e30ce2f3a2deccbc252f3ca213cb022f5b7e6a25a0867\r\n6a5b0cfdaf402e94f892f66a0f53e347d427be4105ab22c1a9f259238c272b60\r\n0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681\r\ne3e3c28f7a96906e6c30f56e8e6b013e42b5113967d6fb054c32885501dfd1b7\r\n235752f22f1a21e18e0833fc26e1cdb4834a56ee53ec7acb8a402129329c0cdd\r\nafa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d917\r\nfc8b2392b92860c7ca669d5274b65498ebd9c3992149cf6727d935c9d0fb48bb\r\nc73c644aa671d76918b56f2ce0124a09156a521e293091b68e2763d2ed386e8f\r\n98f139983882e443116863f795c1df50dae5ceb971075914dfee264dc1502a09\r\n39f9157e24fa47c400d4047c1f6d9b4dbfd067288cfe5f5c0cc2e8449548a6e8\r\ne4766d7e0c13f42cf1ce56efa07cee57889526f398efaae948ce487410d105f6\r\ncab5fa13c8239e97c15b04b27f9b70fb8b561d31935af7b0680bb80aec12c813\r\naec41c4f461cd08efe1390c8de513e54f766a5903c3c1f67ac4a9c93a3213c6b\r\n71d09abda31f0d7c7161cf6f371305023594bb3ef146aa9fbeab1f717885dd58\r\n8a6da7e23267cadb1b8ec3996d662cbc71342f308ca6b65f545ce78612dfc9a7\r\n86678ad613b4d05a8ad3013323875daa91c69b64411603187dd2bcc595d97a8e\r\n033786a482641aa901a28a3e3c314dbe86723906cea15147629167d8364907f7\r\n0492124645a667b1ca39002aff4b696871f12f7f21ab0a75816aaeb53ed2f78b\r\nce86d647df2da33c5992c790ddc0d302b56af8a0d7b1433639c235ff03bf09ad\r\ncf7803d1546aab172d17345212cc4de9c2d98a9817c8f9c3770e64744e15e261\r\n1d3e2eeaec0707e531593aa9aadaee0ee7757b67de43eae924fad122e86f60a0\r\naa9a8f143cf61118c96a3bf226c77a05072ccbef15e990c65e0a118eccbb47e6\r\nc5455b708c1a1afe61aa5cff80dff19f07972a5b047fd398536c8377dc68a19b\r\n1e629fe7c8911a9adbde2e35af4f6f9e60ee538638c82edbcbd7cce5ad2ff4ab\r\n36afa5b3133667f2577687b3e83d7f6c009dd65864c20a408d860b3c6678df2a\r\n3407c5d054491ecf28ea10ec24e30e75915ba6fd3b2656955e94a89b67e0567e\r\n67d6267e0ee81e00f97b25a892d10bd9eeb68179eb7e1b9236fcb01ec3f50beb\r\ne92e49b7af397f6f41a225b8778c6812f78c87f4388f527e6efda0dbe2b49251\r\n2fd6e2ae0e4d78eef9d36376ac39768ec14e3bf8fe39c3ef6a347511b2cd55b1\r\na1a61052eac5fbe98f28ed6b3ed38a66d333aed3f14326bcd42d0fddcc18c519\r\na3e5473eb60e8dba6b97e626288b6742e141fa8a393ec7efeb7993449f84b14f\r\nec60594018da8717fa6b8d93fb919f08e7a8b07401fbce1abe7982c959f78424\r\nfcf4efa82d477c924d42cc6b71aa672ab2381ca256769925ae34dabe2e77e025\r\nb9adc1433ef7c6fee4d36f73b79744ad611d51a8e039d4c384dd453e33452d0f\r\n9b7615b4c2c6ebdd283afb1dae4d951b7ef928939b98ffbe7dea49cc5c5eee02\r\n951b09c559fdc1c447f3dc63870b5244c2b715d728e1318a62db64bc17dcb85d\r\n4743ccff0b5dbc34027165e177143018b9ee9e3232496ca5d4fa5cd56b5646f6\r\n302ae30d464d6958510dcc463e3c3d8339e38bf6ff84de6cd84866303d34c8a5\r\n4d01691573542e1676fc09102ac3120d0eec37b6791f32ec103eb0d0ee2581c1\r\nf863dab6504fa3c4c9f7534d264d13db95ea96679689cb7e5d0460eed8f59a37\r\n61a194cd413614e5ac91d648a87ff6b7e78d2130f54eff8a05c4c9608a7ac3aa\r\n2bce6eb2839569ba077e24468259aa2678677275c632a0d276dcb14566cc6fcf\r\n4cf38636b0fd129c5cbb4be9cd2c8f7f401529cf17ad6853ff83a2fe36ca533b\r\n150525f4490f43877f1281aaaccc9bce78452d556326105fb77db6156095c883\r\n24437d65bee4874fba99a2d57bf050ba719a69518160cebafbd8f7441368093a\r\nd1f848a8477f171430b339acc4d0113660907705d85fa8ea4fbd9bf4ae20a116\r\nacfd58369c0a7dbc866ad4ca9cb0fe69d017587af88297f1eaf62a9a8b1b74b4\r\n5928048ed1d76df1ae4f3ede0e3da0b0006734f712a78036e6f4b6a78c05f0c6\r\na81719f585a9f40e4304c6ceb2292826676c2d3f7342e88b21f41139743436aa\r\n02ec5c7a7ab17540164b4b499fa095e80113123b3ccba6dda59b5f7021b93e6b\r\nc3d113bfc14a7148419d506e9bd8d44d897f3c71f8d81a63e3b2f4d843ad1c4c\r\n1d72fdb8257a6ec78367f2512ceb18be480860320986845943776959cb4d3dd0\r\n8f07bd408838182a0328ea44156ad47dd5b6ccdcfbd53209717d555ed69adedc\r\n03c5f4cd4a0889f436cd1ac2634b2c76732ce7f280e294ab3a19e8c1e957f101\r\nf76f1657205d7042fccfc811077bbada92c0fef735f158da35e7825da1cc6bec\r\n92f1e5424d53e3f4516d4c831afe3d64e88ed265ec143fb32717f2323836d61b\r\n0b949d6e2078771ed65ce1b81ae9b5619d24317846a4e67bb9494975049bf728\r\n377d65bdbf2b323ef9b497b1d3e2f93521a9ce57d4f2d6c296b048ee1390173e\r\n962bf22710ff07977e3ddad66117094a2cf1c0aefca3d7ed4ba947c62ee36491\r\nbb2990a1bbc417cfec40d5f1a6a8b22cac0ef21aed869dd8503e28573cf84401\r\nc26719156e644cee5e95133d31b30b80147494313e665d4243954435511f5c11\r\ne751834f0dcd0cb1411142761fcb940c7ac18e0b851c625ee0bca38db170a17a\r\ne3dc7be52151828d3be43fa6016bc7c134230315f0f2d3f2fdeb852b494da357\r\n3a2aae4ad99f8aba7ff558c5b6ccee0366bcd8c69bc16eeb0aeb5f4f58340f0d\r\na6057292247d928e6adcda5a48983d8702372ce195fc50ea4496f67c6ca57e26\r\nce59d8cf4b6eca3420438e05b059d6f61cc484e6fb00b1b2a7033bf36446e683\r\n508d6dd6c45027e3cda3d93364980f32ffc34c684a424c769954d741cf0d40d0\r\ne0fc2cf31a0fd7f4bfa1ba453fd8f272784330de2ecba80104455252a931789b\r\n2aeef18abf22b233de5515a95cdca5aa3cbc6c21e8d2f83a68214e7272f9d947\r\nf80d84a3f951a1b62d92a5a2799b149ed0aaca292364f101c1273f135c811565\r\n887345540f1bf31c40755edcda2e3dd9fe640122fc9020f3873c895daa2378bf\r\n4f29180005f3c2e776d1854722270287111ec073ab80dfc1b4dc1bc0d9337ddf\r\neef56bfc68959c6eaa66ab6abcaaf8fb54aa5b5a7da0866d97a1effeae0952b8\r\na265e0db5fe311dac60171e27011087bd64b467eb442986f343fe07410e8bf46\r\nd7590ee95a46bc1ca7973a8f09efe23a5b00e54d6e65b95cb16acd17a0f127e8\r\nef3966d15af3665ee5126df394cefdf6f78fce77db7a70d5f35c19c234715035\r\nef54e266f8fc9eb97d71c76f2a53b65bef83fe5fc270fbfe83463f83678ff44c\r\ndf84d6c284dd39c2bfed6f8eb26149a4154396c27de50595ed5d80b428930dcd\r\nff1dcab09f24a4c314af3ee829f80127e5b54f5be2a13e812617f77d0deeef57\r\n5009f65e7a8d84a9955d5adbdb86107b15304b1061bdaba5dd2ac2293dd8e6cb\r\nIPs\r\n101[.]36[.]125[.]203\r\n103[.]159[.]132[.]70\r\n103[.]15[.]28[.]145\r\n103[.]15[.]28[.]208:443\r\n103[.]15[.]28[.]208:80\r\n103[.]200[.]97[.]150\r\n103[.]75[.]190[.]50\r\n103[.]91[.]64[.]134\r\n107[.]167[.]64[.]4:443\r\n107[.]178[.]71[.]211\r\n110[.]42[.]64[.]64:24680\r\n155[.]94[.]200[.]209\r\n155[.]94[.]200[.]212\r\n176[.]118[.]167[.]36\r\n185[.]239[.]226[.]17\r\n18[.]138[.]107[.]235\r\n202[.]58[.]105[.]38:80\r\n45[.]248[.]87[.]162\r\n45[.]43[.]50[.]197\r\n46[.]8[.]198[.]134\r\n5[.]206[.]224[.]167\r\n61[.]38[.]252[.]166\r\n86[.]105[.]227[.]115\r\n92[.]118[.]188[.]78\r\n92[.]118[.]188[.]78:443\r\n95[.]217[.]1[.]81\r\nURLs\r\n123[.]51[.]185[.]75/jquery-3[.]3[.]1[.]slim[.]min[.]js\r\nfuckeryoumm[.]nmb[.]bet\r\nhxxp://103[.]107[.]104[.]19/2022/eu[.]docx\r\nhxxp://103[.]107[.]104[.]19/DocConvDll[.]dll\r\nhxxp://103[.]107[.]104[.]19/FontEDL[.]exe\r\nhxxp://103[.]107[.]104[.]19/FontLog[.]dat\r\nhxxp://103[.]15[.]28[.]145:6666/maps/overlaybfpr?q=san%20diego%20ca%20zoo\r\n
27\n\nhxxp://103[.]75[.]190[.]50:443/maps/overlaybfpr?q=san%20diego%20ca%20zoo\r\nhxxp://103[.]85[.]24[.]158/eeas[.]dat\r\nhxxp://107[.]178[.]71[.]211/eu/DocConvDll[.]dll\r\nhxxp://107[.]178[.]71[.]211/eu/FontEDL[.]exe\r\nhxxp://107[.]178[.]71[.]211/eu/FontLog[.]dat\r\nhxxp://107[.]178[.]71[.]211/eu/Report[.]pdf\r\nhxxp://155[.]94[.]200[.]206/images/branding/newtap[.]css\r\nhxxp://155[.]94[.]200[.]206/resources/Invitation[.]jpg\r\nhxxp://155[.]94[.]200[.]209/assets/mail/fonts/v1/fonts/last[.]jpg\r\nhxxp://155[.]94[.]200[.]211/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/server[.]gif\r\nhxxp://155[.]94[.]200[.]211/news/live/world-europe-60830013\r\nhxxp://45[.]154[.]14[.]235/2022/COVID-19%20travel%20restrictions%20EU%20reviews%20list%20of%20third%20countries[.]doc\r\nhxxp://45[.]154[.]14[.]235/2022/PotPlayer[.]dll\r\nhxxp://45[.]154[.]14[.]235/2022/PotPlayer[.]exe\r\nhxxp://45[.]154[.]14[.]235/2022/PotPlayerDB[.]dat\r\nhxxp://45[.]154[.]14[.]235/2023/PotPlayer[.]dll\r\nhxxp://45[.]154[.]14[.]235/2023/PotPlayer[.]dll\r\nhxxp://45[.]154[.]14[.]235/2023/PotPlayer[.]exe\r\nhxxp://45[.]154[.]14[.]235/2023/PotPlayerDB[.]dat\r\nhxxp://45[.]154[.]14[.]235/mfa/Council%20conclusions%20on%20the%20European%20security%20situation[.]pdf\r\nhxxp://45[.]154[.]14[.]235/PotPlayer[.]dll\r\nhxxp://45[.]154[.]14[.]235/PotPlayer[.]exe\r\nhxxp://45[.]154[.]14[.]235/PotPlayerDB[.]dat\r\nhxxp://45[.]154[.]14[.]235/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece[.]pdf\r\nhxxp://95[.]217[.]1[.]81/maps/overlayBFPR\r\nhxxp://95[.]217[.]1[.]81/maps/overlaybfpr?q=san%20diego%20ca%20zoo\r\nhxxp://upespr[.]com/PotPlayer[.]exe\r\nhxxp://upespr[.]com/PotPlayerDB[.]dat\r\nhxxp://upespr[.]com/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece[.]pdf\r\nhxxp://www[.]zyber-i[.]com/europa/2022[.]zip\r\nhxxps://45[.]154[.]14[.]235/2023/EU\r\nhxxps://45[.]154[.]14[.]235/2023/PotPlayer[.]dll\r\nhxxps://45[.]154[.]14[.]235/2023/PotPlayer[.]exe\r\nhxxps://45[.]
154[.]14[.]235/2023/PotPlayerDB[.]dat\r\nhxxps://drive[.]google[.]com/uc?id=1BG0F1NdkPZOY6w2Y0YEs6nMGYLvSJiQo\u0026export=download\r\nhxxps://drive[.]google[.]com/uc?id=1ITPqIFuWOQZ08RmMUDMmzWpg69_EbLTO\r\nhxxps://drive[.]google[.]com/uc?id=1NsauYfE3NaFmtI0M99RAe3DmOxO1bBak\u0026export=download\r\nhxxps://drive[.]google[.]com/uc?id=1trg9KJtKJUkKHgP57AhJSirw83-nIwyu\u0026export=download\r\nhxxps://president-office[.]gov[.]mm/sites/default/files/font/All-in-One_Pyidaungsu_Font[.]zip\r\nhxxps://www[.]president-office[.]gov[.]mm/sites/default/files/font/All-in-One_Pyidaungsu_Font[.]zip\r\nhttps://blog.talosintelligence.com/mustang-panda-targets-europe/\r\nPage 26 of 27\n\nSource: https://blog.talosintelligence.com/mustang-panda-targets-europe/\r\nhttps://blog.talosintelligence.com/mustang-panda-targets-europe/\r\nPage 27 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/mustang-panda-targets-europe/"
	],
	"report_names": [
		"mustang-panda-targets-europe"
	],
	"threat_actors": [
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d08e3c026f47ba60d151e46961e6091f009bff9d.pdf",
		"text": "https://archive.orkl.eu/d08e3c026f47ba60d151e46961e6091f009bff9d.txt",
		"img": "https://archive.orkl.eu/d08e3c026f47ba60d151e46961e6091f009bff9d.jpg"
	}
}
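The IOC appendix in this record's plain_text field is written in the defanged form that threat reports use (hxxp:// schemes, [.] in hosts, host:port entries), and the PDF extraction has left artefacts in it: one SHA256 wrapped across a line break, a hash and a URL each listed twice, and section headers and page footers interleaved with the indicators. The Python below is an added example, not Talos code and not part of the original report, showing how such an appendix can be normalised into typed, de-duplicated indicators before it is loaded into a blocklist or detection rule. The sample input is constructed from a handful of the indicators on this page; the heuristics (re-joining two adjacent all-hex fragments whose lengths sum to 64, treating IPs, URLs and Page N of M lines as noise, leaving scheme-less URLs without an invented scheme) are assumptions about this appendix's layout, not something the report states.

```python
"""Normalise a defanged IOC appendix (SHA256 hashes, IPs, URLs) into typed indicators."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample input (assumption: mirrors the layout of the Talos appendix; it is
# not the full list). It deliberately contains the artefacts seen in the extracted text:
# a hash wrapped over two lines, a hash and a URL listed twice, and section headers plus
# a PDF page footer mixed in with the indicators.
SAMPLE_APPENDIX = """\
c3d113bfc14a7148419d506e9bd8d44d8
97f3c71f8d81a63e3b2f4d843ad1c4c
508d6dd6c45027e3cda3d93364980f32ffc34c684a424c769954d741cf0d40d0
508d6dd6c45027e3cda3d93364980f32ffc34c684a424c769954d741cf0d40d0
IPs
103[.]15[.]28[.]208:443
103[.]15[.]28[.]208:80
110[.]42[.]64[.]64:24680
URLs
123[.]51[.]185[.]75/jquery-3[.]3[.]1[.]slim[.]min[.]js
hxxp://45[.]154[.]14[.]235/2023/PotPlayer[.]dll
hxxp://45[.]154[.]14[.]235/2023/PotPlayer[.]dll
hxxps://drive[.]google[.]com/uc?id=1BG0F1NdkPZOY6w2Y0YEs6nMGYLvSJiQo&export=download
hxxp://upespr[.]com/PotPlayer[.]exe
Page 25 of 27
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Section headers and PDF page footers that are not indicators (assumed layout).
NOISE_RE = re.compile(r"^(IPs|URLs|Page \d+ of \d+)$")


@dataclass(frozen=True)
class Indicator:
    kind: str                   # "sha256", "ipv4", "url" or "domain"
    value: str                  # refanged, normalised value
    port: Optional[int] = None  # only set for ipv4 entries written as host:port


def refang(text: str) -> str:
    """Undo the usual defanging: [.] -> ., [:] -> :, and a leading hxxp/hxxps -> http/https."""
    text = text.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)


def join_wrapped_hashes(lines: Iterable[str]) -> list[str]:
    """Re-join a SHA256 that extraction wrapped over two lines: two adjacent all-hex
    fragments whose lengths add up to 64. Only safe for appendices that list SHA256
    exclusively (two MD5 lines would also sum to 64)."""
    out: list[str] = []
    for line in lines:
        if (out and HEX_RE.match(out[-1]) and HEX_RE.match(line)
                and len(out[-1]) < 64 and len(out[-1]) + len(line) == 64):
            out[-1] += line
        else:
            out.append(line)
    return out


def classify(raw: str) -> Optional[Indicator]:
    """Turn one appendix line into a typed Indicator; None for blank lines and noise."""
    line = raw.strip()
    if not line or NOISE_RE.match(line):
        return None
    lowered = line.lower()
    if SHA256_RE.match(lowered):
        return Indicator("sha256", lowered)
    if HEX_RE.match(lowered):
        return None  # stray hex fragment that could not be re-joined; not usable
    line = refang(line)
    if "://" in line:
        parts = urlsplit(line)
        # scheme and host are case-insensitive; path and query are not, keep them as-is
        norm = parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower())
        return Indicator("url", norm.geturl())
    host, _, port = line.partition(":")
    m = IPV4_RE.match(host)
    if m and all(int(octet) <= 255 for octet in m.groups()) and (not port or port.isdigit()):
        return Indicator("ipv4", host, int(port) if port else None)
    if "/" in line:
        return Indicator("url", line)  # scheme-less URL; no scheme is invented
    return Indicator("domain", line.lower())


def parse_appendix(text: str) -> list[Indicator]:
    """Parse a whole appendix: re-join wrapped hashes, classify, drop noise and exact duplicates."""
    seen = set()
    result: list[Indicator] = []
    for line in join_wrapped_hashes(l.strip() for l in text.splitlines()):
        ind = classify(line)
        if ind is not None and ind not in seen:
            seen.add(ind)
            result.append(ind)
    return result


def blocklist(indicators: Iterable[Indicator]) -> dict[str, list[str]]:
    """Group values by kind for export; ports are dropped, so 103.15.28.208:80 and :443
    collapse to one host entry."""
    out: dict[str, list[str]] = {}
    for ind in indicators:
        bucket = out.setdefault(ind.kind, [])
        if ind.value not in bucket:
            bucket.append(ind.value)
    return out


if __name__ == "__main__":
    for ind in parse_appendix(SAMPLE_APPENDIX):
        suffix = f" (port {ind.port})" if ind.port else ""
        print(f"{ind.kind:7} {ind.value}{suffix}")
```

Run as a script it prints the nine surviving indicators from the sample. The two 103.15.28.208 entries stay distinct as Indicator objects because they carry different ports, which is what a proxy or network-detection rule wants, but blocklist() collapses them to one host, which is what a firewall or DNS blocklist usually wants; pick the view that matches the control you are feeding.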