Home/ Threat Actors/ Mustang Panda

🇨🇳Mustang Panda

🇨🇳 Mustang Panda is a tracked threat actor in the Clankerusecase corpus. Attributed to CN. Primary motivation: State. We map 26 detection use cases to this actor across 113 MITRE ATT&CK techniques, with 3 threat-intel articles citing them. Active in our corpus from 2025-11-06 to 2026-03-19.

crit 3

View full actor card → All threat actors MITRE ATT&CK group spec (G0129) ↗

26Use cases

3Articles

113Techniques

5IOCs

Known aliases

Mustang PandaTA416RedDeltaEarth PretaBronze PresidentStately TaurusBRONZE PRESIDENTSTATELY TAURUSFIREANTCAMARO DRAGONEARTH PRETAHIVE0154TWILL TYPHOONTANTALUMLUMINOUS MOTHUNC6384TEMP.HexRed LichClumsyToad

Top techniques

T1190 · Exploit Public-Facing Application T1204.002 · Malicious File T1566 · Phishing

All other tracked techniques

T1001.003 · Protocol or Service Impersonation T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1003.003 · NTDS T1003.006 · DCSync T1014 · Rootkit T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1021.002 · SMB/Windows Admin Shares T1027 · Obfuscated Files or Information T1027.002 · Software Packing T1027.005 · Indicator Removal from Tools T1027.007 · Dynamic API Resolution T1027.009 · Embedded Payloads T1027.012 · LNK Icon Smuggling T1027.016 · Junk Code Insertion T1036.005 · Match Legitimate Resource Name or Location T1036.007 · Double File Extension T1036.008 · Masquerade File Type T1037.001 · Logon Script (Windows)T1041 · Exfiltration Over C2 Channel T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol T1049 · System Network Connections Discovery T1052.001 · Exfiltration over USB T1053.005 · Scheduled Task T1055 · Process Injection T1057 · Process Discovery T1059 · Command and Scripting Interpreter T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.007 · JavaScript T1068 · Exploitation for Privilege Escalation T1069.002 · Domain Groups T1070 · Indicator Removal T1070.004 · File Deletion T1070.006 · Timestomp T1071 · Application Layer Protocol T1071.001 · Web Protocols T1072 · Software Deployment Tools T1074.001 · Local Data Staging T1082 · System Information Discovery T1083 · File and Directory Discovery T1087.002 · Domain Account T1091 · Replication Through Removable Media T1095 · Non-Application Layer Protocol T1102 · Web Service T1105 · Ingress Tool Transfer T1106 · Native API T1119 · Automated Collection T1127.001 · MSBuild T1129 · Shared Modules T1140 · Deobfuscate/Decode Files or Information T1176.002 · IDE Extensions T1195.002 · Compromise Software Supply Chain T1203 · Exploitation for Client Execution T1204.001 · Malicious Link T1204.004 · Malicious Copy and Paste T1205 · Traffic Signaling T1218 · System Binary Proxy Execution T1218.004 · InstallUtil T1218.005 · Mshta T1219 · Remote Access Tools T1219.001 · IDE Tunneling T1219.002 · Remote Desktop Software T1486 · Data Encrypted for Impact T1489 · Service Stop T1490 · Inhibit System Recovery T1505.003 · Web Shell T1518 · Software Discovery T1543.003 · Windows Service T1546.003 · Windows Management Instrumentation Event Subscription T1547.001 · Registry Run Keys / Startup Folder T1553.002 · Code Signing T1555.003 · Credentials from Web Browsers T1557 · Adversary-in-the-Middle T1560.001 · Archive via Utility T1560.003 · Archive via Custom Method T1562.001 · T1562.001 T1562.004 · T1562.004 T1562.006 · T1562.006 T1562.009 · T1562.009 T1564.001 · Hidden Files and Directories T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1567.002 · Exfiltration to Cloud Storage T1569.002 · Service Execution T1572 · Protocol Tunneling T1573.001 · Symmetric Cryptography T1573.002 · Asymmetric Cryptography T1574.001 · DLL T1574.002 · T1574.002 T1574.005 · Executable Installer File Permissions Weakness T1583.001 · Domains T1583.006 · Web Services T1585.002 · Email Accounts T1586.002 · Email Accounts T1587.001 · Malware T1588.002 · Tool T1588.003 · Code Signing Certificates T1588.004 · Digital Certificates T1593 · Search Open Websites/Domains T1598.003 · Spearphishing Link T1608 · Stage Capabilities T1608.001 · Upload Malware T1622 · Debugger Evasion T1654 · Log Enumeration T1678 · Delay Execution

Detection use cases (26)

Mustang Panda PlugX DLL side-loading via co-located signed loader in user-writable path AI · profile SΣDD Mustang Panda PlugX USB worm propagation (removable-drive LNK + hidden loader copy) AI · profile SDD BYOVD: Genshin Impact mhyprot.sys driver dropped/loaded outside legitimate game install (Embargo evil-mhyprot-cli) Bespoke EDRSilencer-style WFP filter blocking outbound traffic from named EDR binaries Bespoke EDR-Freeze: WerFaultSecure.exe abused to suspend AV/EDR processes via MiniDumpWriteDump race Bespoke Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal PowerShell encoded / obfuscated command Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal Article-specific behavioural hunt — EDR killers explained: Beyond the drivers Internal Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match

Threat-intel articles (3)

crit EDR killers explained: Beyond the drivers · 2026-03-19

crit PlugX Meeting Invitation via MSBuild and GDATA · 2026-02-26

crit ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06

Tracked indicators

Domains (5)

decoorat.net decoraat.net gesecole.net onedow.gesecole.net onedown.gesecole.net

CVEs (2)

CVE-2024-42009 CVE-2025-8088