{
	"id": "9f2f260a-9416-4c9c-a014-7d9a447bbf6c",
	"created_at": "2026-04-06T00:06:46.12599Z",
	"updated_at": "2026-04-10T13:12:38.662027Z",
	"deleted_at": null,
	"sha1_hash": "fdc41832cf63ccbc10f3926d003f1af756935215",
	"title": "Mustang Panda PlugX - 45.251.240.55 Pivot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 409757,
	"plain_text": "Mustang Panda PlugX - 45.251.240.55 Pivot\r\nPublished: 2021-05-17 · Archived: 2026-04-05 14:46:38 UTC\r\nFamily PlugX\r\nThreat Actor Mustang Panda\r\nEncrypted 589e87d4ac0a2c350e98642ac53f4940fcfec38226c16509da21bb551a8f8a36\r\nDecrypted dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4\r\nSummary\r\nOn 2021-05-01 another encrypted Mustang Panda PlugX binary was uploaded to VirusTotal.\r\nLike the other samples, this encrypted PlugX file used a 10 byte prepended XOR key (a null byte separates the key from the encrypted contents).\r\n10 Byte XOR Key: 0x47, 0x45, 0x48, 0x47, 0x7a, 0x67, 0x5a, 0x6e, 0x75, 0x6d\r\nThe decrypted file continues to embed shell code in the MZ header. The video below shows the decryption process and the embedded shell code at the beginning of the file.\r\nhttps://blog.xorhex.com/blog/mustangpandaplugx-1/\r\nPage 1 of 5\r\nThis instance of PlugX checks for XXXXXXXX at the start of the config section. 
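Added example (not code from the original post): a Python decryptor for the prepended-key layout the post describes (10 byte key, one null byte, then the XOR encrypted file), followed by a check for the XXXXXXXX config marker and its RedDelta ######## counterpart. The sample bytes are constructed here and re-encrypted with the key from the post; the page does not give the config offset, so the marker is searched for anywhere in the decrypted file, which is this example's simplification rather than what the malware does.

```python
# Added example, not from the original post. Layout described there:
#   <10 byte XOR key><0x00><file XOR encrypted with the repeating key>
# Sample data below is constructed; the key value is the one reported in the post.
from itertools import cycle

KEY_LEN = 10
MUSTANG_PANDA_MARKER = b'XXXXXXXX'   # marker the post reports at the start of the config
REDDELTA_MARKER = b'########'        # marker the post reports for the RedDelta variant


def split_key(blob: bytes):
    '''Return (key, ciphertext). Raises if the null separator is not where the layout says.'''
    if len(blob) < KEY_LEN + 1 or blob[KEY_LEN] != 0:
        raise ValueError('no null separator after the 10 byte key')
    return blob[:KEY_LEN], blob[KEY_LEN + 1:]


def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    '''Repeating-key XOR; XOR is its own inverse, so this also encrypts.'''
    return bytes(c ^ k for c, k in zip(ciphertext, cycle(key)))


def decrypt_sample(blob: bytes) -> bytes:
    '''Strip the key, decrypt, and sanity check that a PE (MZ) came out.'''
    key, ciphertext = split_key(blob)
    plain = xor_decrypt(ciphertext, key)
    if plain[:2] != b'MZ':
        raise ValueError('decrypted data does not start with an MZ header; wrong key or layout')
    return plain


def classify_variant(plain: bytes):
    '''Assumption for the example: the config offset is not on the page, so the
    marker is searched for anywhere in the decrypted file. Returns the marker
    string found, or None.'''
    if MUSTANG_PANDA_MARKER in plain:
        return 'XXXXXXXX'
    if REDDELTA_MARKER in plain:
        return '########'
    return None


def build_sample(key: bytes, plain: bytes) -> bytes:
    '''Produce the prepended-key layout from a plaintext (used to construct test data).'''
    return key + bytes(1) + xor_decrypt(plain, key)


# Key from the post: 0x47 0x45 0x48 0x47 0x7a 0x67 0x5a 0x6e 0x75 0x6d
POST_KEY = bytes.fromhex('474548477a675a6e756d')

# Constructed plaintext: MZ header, padding, a config marker and a C2 string.
CONSTRUCTED_PLAIN = b'MZ' + bytes(14) + b'XXXXXXXX' + b'45.251.240.55' + bytes(1)
CONSTRUCTED_SAMPLE = build_sample(POST_KEY, CONSTRUCTED_PLAIN)

if __name__ == '__main__':
    recovered_key, _ = split_key(CONSTRUCTED_SAMPLE)
    plain = decrypt_sample(CONSTRUCTED_SAMPLE)
    print('key:', recovered_key.hex(), 'variant marker:', classify_variant(plain))
```

On a real sample, read the file, pass it to decrypt_sample and write the result out; the MZ check catches a wrong key or a file that is not in this layout before any further parsing runs.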
The RedDelta variant uses ######## instead of the 8 Xs.\r\nThe extracted config contains values seen in prior Mustang Panda PlugX files.\r\n{\r\n  \"config\": {\r\n    \"cncs\": [\r\n      {\r\n        \"num\": 1,\r\n        \"host\": \"45.251.240.55\",\r\n        \"port\": 443\r\n      },\r\n      {\r\n        \"num\": 1,\r\n        \"host\": \"45.251.240.55\",\r\n        \"port\": 8080\r\n      },\r\n      {\r\n        \"num\": 1,\r\n        \"host\": \"45.251.240.55\",\r\n        \"port\": 8080\r\n      },\r\n      {\r\n        \"num\": 1,\r\n        \"host\": \"45.251.240.55\",\r\n        \"port\": 443\r\n      }\r\n    ],\r\n    \"mutex\": \"eZlapRxpEQvscgtWBqqr\",\r\n    \"sleep\": 1000,\r\n    \"folder\": \"AAM UpdatesBif\"\r\n  },\r\n  \"extracted_from_sha256\": \"dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4\"\r\n}\r\nLet’s see what other samples we have that are similar.\r\nUsing data points extracted from our sample set, I filtered the related samples down to the ones with a matching IP address. The interactive visualization below shows the related samples and any extracted property that was used by two or more samples.\r\nIP Pivot\r\nWe identified 40 additional PlugX samples upon expanding our pivot to include samples that also matched on these properties. These samples span both the XXXXXXXX and ######## variants.\r\nExpanded IP Pivot\r\nThis actually encompasses all of the Mustang Panda/RedDelta PlugX samples I have in my collection at this time.\r\nNote: I’m still building out my collection, so over time it will be apparent which property values are worth pivoting on and which ones are not.\r\nSource: https://blog.xorhex.com/blog/mustangpandaplugx-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.xorhex.com/blog/mustangpandaplugx-1/"
	],
	"report_names": [
		"mustangpandaplugx-1"
	],
	"threat_actors": [
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdc41832cf63ccbc10f3926d003f1af756935215.pdf",
		"text": "https://archive.orkl.eu/fdc41832cf63ccbc10f3926d003f1af756935215.txt",
		"img": "https://archive.orkl.eu/fdc41832cf63ccbc10f3926d003f1af756935215.jpg"
	}
}