>samit_hota
Back to adversary profiles
G0129HighActive

Mustang Panda (G0129): China-Aligned Cyber Espionage Group Profile

Samit Hota·
Suspected Origin
China
Motivation
Espionage, Intelligence Gathering (Political, Military, Economic)
Aliases
TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich, ClumsyToad
Target Sectors
Government, Diplomatic, NGOs, Think Tanks, Religious Institutions, Telecom, Energy, Transportation, Aviation, Financial Services, Academia
Associated Malware
PlugX, ToneShell, RoyalRoad, ShadowPad, Bookworm, FakeTLS, StarProxy, SplatCloak, PAKLOG, CorKLOG, HIUPAN, LOTUSLITE, Yokai, FDMTP, Cobalt Strike, Poison Ivy
#threat-actor#g0129

Overview

Mustang Panda, also tracked as TA416, RedDelta, BRONZE PRESIDENT, and Earth Preta, is a highly active and adaptive cyber espionage threat actor widely attributed to the People’s Republic of China (PRC). This group has been conducting sophisticated operations since at least 2012, with a consistent focus on gathering diplomatic, political, military, and economic intelligence that aligns directly with Beijing’s strategic interests.

Their targets are diverse but strategically chosen, primarily spanning government ministries (foreign affairs, defense, interior), diplomatic missions, intelligence agencies, non-governmental organizations (NGOs), think tanks, and religious institutions. Mustang Panda has cast a wide net geographically, impacting entities across Southeast Asia (notably Myanmar, Philippines, Thailand, Vietnam, and Taiwan), European Union nations, the United States, and countries with Tibetan or Uyghur diaspora. Other significantly targeted regions include Russia, Mongolia, Pakistan, India, Japan, and Australia. The group’s operational tempo is consistently high, and they are known for rapidly integrating new tools and tactics, often leveraging current geopolitical events and public vulnerabilities to craft highly effective spear-phishing lures.

Tactics & Techniques

Mustang Panda’s operational methodology is characterized by a blend of well-honed initial access vectors and sophisticated post-exploitation techniques designed for stealth and persistence. Spear-phishing remains their primary initial access method. Lures are meticulously crafted, often themed around current affairs, political events, or sensitive geopolitical topics, appearing as legitimate government reports or news articles. These phishing attempts typically involve malicious attachments (ZIP, RAR, LNK files with PDF decoys) or embedded links that direct victims to malware hosted on legitimate cloud services such as Google Drive, Dropbox, Microsoft Azure, or even Zoho WorkDrive. This technique helps them bypass initial security checks and lends an air of legitimacy to their malicious payloads.

Beyond spear-phishing, Mustang Panda also employs USB-based propagation, utilizing malware like the SnakeDisk worm. This method is particularly effective for breaching highly secured or air-gapped environments. Once initial access is gained, a common tactic is DLL sideloading, where legitimate, signed executables are used to load malicious DLLs, making the execution appear benign. They maintain persistence through various means, including creating scheduled tasks and modifying registry run keys with names that blend in with legitimate system entries.

For defense evasion, Mustang Panda uses encryption for payloads (XOR, RC4) and C2 communications (RC4, AES, XOR with 0x5a, LZO, FakeTLS), protocol impersonation (mimicking legitimate TLS traffic), and obfuscation techniques. They have also demonstrated capabilities to bypass Endpoint Detection and Response (EDR) solutions, as seen with their SplatCloak driver, which disables callbacks of antivirus software like Windows Defender and Kaspersky at the kernel level. Exploitation of client-side vulnerabilities, such as CVE-2017-0199 (Microsoft Office RTF files) and more recently CVE-2021-40444 (MSHTML flaw), is another recurrent tactic. The group is known for leveraging legitimate tools and living-off-the-land binaries, such as MAVInject.exe and Setup Factory, to inject payloads and maintain control, further complicating detection. They also utilize geofencing mechanisms to restrict payload delivery, ensuring their malware only activates on devices with specific IP addresses (e.g., within Thailand).

Notable Campaigns

Mustang Panda has been linked to numerous significant campaigns over the years, demonstrating their persistent and adaptive nature:

  • RedDelta Modified PlugX Infection Chain Operations (July 2023 - December 2024): This campaign targeted European diplomatic entities, notably leveraging malicious attachments in spear-phishing emails to deliver an evolved LNK-to-PowerShell-to-PlugX infection chain.
  • Southeast Asian Government Infiltration (2021-2023): Operating under aliases like Stately Taurus, Mustang Panda breached a Southeast Asian government, maintaining long-term access and exfiltrating sensitive documents and credentials using ToneShell and ShadowPad.
  • Targeting the Tibetan Community (2025): Spear-phishing emails centered around events like the Dalai Lama’s 90th birthday and the World Parliamentarians’ Convention on Tibet were used to infect activists and policy workers, deploying Claimloader, Pubload, and Pubshell with FakeTLS for C2.
  • Myanmar Campaigns with Enhanced Tooling (2025): The group deployed a refreshed toolkit including ToneShell, StarProxy, keyloggers (PAKLOG, CorKLOG), and the EDR-evasion driver SplatCloak against Myanmar-based NGOs and government bodies.
  • USB Worm Campaign in APAC (2024): The HIUPAN worm facilitated stealthy propagation in countries like Vietnam, Cambodia, and the Philippines, followed by the deployment of PUBLOAD and PlugX.
  • RedDelta Campaign Targeting the Vatican (2020): This campaign used Catholic-themed lures to infect diplomatic and religious personnel in Hong Kong and the Vatican with PlugX, utilizing DLL sideloading.
  • Targeting Royal Thai Police (2025): Cado Security Labs (now Darktrace) identified a campaign using disguised LNK files and PDF decoys to deliver the Yokai backdoor, consistent with Mustang Panda’s tradecraft. Another 2025 campaign, linked to Thailand-Cambodia border conflicts, involved a geo-fenced SnakeDisk USB worm that only activated in Thailand and deployed the Yokai backdoor.
  • Indian Government and Hydropower Targets (June 2026): Acronis observed two campaigns abusing Zoho WorkDrive as a dead drop for C2 and exfiltration, deploying new malware like SHARDLOADER, MINIRECON (a ToneShell variant), and ZOHOMURK.
  • Asia-Pacific and Japan Espionage (Late 2025 - April 2026): Darktrace linked Mustang Panda to an updated FDMTP backdoor, delivered via DLL sideloading and CDN impersonation, targeting networks in the region, including the finance sector.
  • Operation Dianxun (October 2025): This espionage campaign targeted telecommunications companies and focused on 5G technology, using spear-phishing with policy-themed lures and delivering Cobalt Strike beacons.

Associated Malware & Tools

Mustang Panda possesses a dynamic and expanding arsenal of malware and custom tools:

  • PlugX/Korplug: A highly favored and customized backdoor, often capable of spreading via USB connections and used for full remote control, file exfiltration, and keystroke logging.
  • ToneShell: A custom backdoor that has undergone multiple updates, serving as a delivery vehicle for PlugX and offering remote shell execution and file download capabilities. Recent variants (MINIRECON) use WebSocket for C2 and include advanced evasion features.
  • RoyalRoad: A weaponizer tool used to create malicious Rich Text Format (RTF) files that exploit Microsoft Office vulnerabilities to install initial payloads.
  • SnakeDisk: A USB worm designed for propagation in secure or air-gapped environments, often with geo-fencing capabilities to target specific regions.
  • Yokai: A full-featured remote access trojan (RAT) deployed by SnakeDisk for persistent access, remote command execution, file system manipulation, and data exfiltration.
  • LOTUSLITE: A backdoor first observed in 2025, used for continued operations after the neutralization of some PlugX infrastructure. It has been seen implementing kernel-mode rootkits for hiding artifacts.
  • FakeTLS: A custom communications protocol used to mimic legitimate TLS traffic, enabling C2 commands and responses to blend with normal network activity.
  • StarProxy: A lateral movement tool that facilitates internal routing within a compromised network.
  • SplatCloak: A driver used to evade EDR solutions by disabling callbacks of antivirus software.
  • Keyloggers: Custom keyloggers such as PAKLOG and CorKLOG are used to capture keystrokes and clipboard data.
  • FDMTP: An obfuscated .NET backdoor, with an updated variant (version 3.2.5.1) observed in recent campaigns, using custom TCP for communication.
  • Other tools include Cobalt Strike (stager and beacon), Poison Ivy (historically), ShadowPad, Bookworm, custom loaders, and various batch/PowerShell scripts.

Current Status

Mustang Panda remains an exceptionally active, persistent, and adaptive threat actor, continuously evolving its tools and techniques. Despite an international law enforcement operation in early 2025 that reportedly neutralized some of their PlugX infrastructure, the group demonstrated strategic resilience by quickly retooling with new backdoors like LOTUSLITE and SnakeDisk, and by continuously updating existing malware like ToneShell. Recent activity, observed throughout 2025 and into 2026, includes targeted campaigns against the Tibetan community, Myanmar, Thai government and military entities, Indian government and hydropower sectors, and various organizations across the Asia-Pacific and Japan. Their consistent focus on long-term intelligence collection, combined with their adaptability in adopting new evasion techniques and leveraging current geopolitical contexts for their lures, indicates that Mustang Panda will continue to pose a significant and evolving cyber espionage threat for the foreseeable future.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call