Threat Actor Profile
Description
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. (Citation: BlackBerry MUSTANG PANDA October 2022)(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (85)
Indicators of Compromise
STIX Data
{'aliases': ['Mustang Panda',
'TA416',
'RedDelta',
'BRONZE PRESIDENT',
'STATELY TAURUS',
'FIREANT',
'CAMARO DRAGON',
'EARTH PRETA',
'HIVE0154',
'TWILL TYPHOON',
'TANTALUM',
'LUMINOUS MOTH',
'UNC6384',
'TEMP.Hex',
'Red Lich'],
'created': '2021-04-12T15:56:28.861Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Mustang Panda](https://attack.mitre.org/groups/G0129) is a '
'China-based cyber espionage threat actor that has been '
'conducting operations since at least 2012. [Mustang '
'Panda](https://attack.mitre.org/groups/G0129) has been known '
'to use tailored phishing lures and decoy documents to deliver '
'malicious payloads. [Mustang '
'Panda](https://attack.mitre.org/groups/G0129) has targeted '
'government, diplomatic, and non-governmental organizations, '
'including think tanks, religious institutions, and research '
'entities, across the United States, Europe, and Asia, with '
'notable activity in Russia, Mongolia, Myanmar, Pakistan, and '
'Vietnam. (Citation: BlackBerry MUSTANG PANDA October '
'2022)(Citation: Eset PlugX Korplug Mustang Panda March '
'2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: '
'Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: '
'Secureworks BRONZE PRESIDENT December 2019)(Citation: DOJ '
'Affidavit Search and Seizure PlugX December 2024)(Citation: '
'EclecticIQ Mustang Panda PlugX)(Citation: ATTACKIQ MUSTANG '
'PANDA TONESHELL March 2023)(Citation: Crowdstrike MUSTANG '
'PANDA June 2018)(Citation: Palo Alto Networks, Unit '
'42)(Citation: Sophos PlugX September 2022)(Citation: Sophos '
'Mustang Panda PLUGX)(Citation: Zscaler)',
'external_references': [{'external_id': 'G0129',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0129'},
{'description': '(Citation: 2022 '
'November_TrendMicro_Earth '
'Preta_Toneshell_Pubload)(Citation: '
'Trend Micro MUSTANG PANDA PUBLOAD '
'HIUPAN SEPTEMBER 2024)(Citation: '
'Trend Micro Mustang Panda Earth '
'Preta Toneshell February '
'2025)(Citation: Trend Micro Mustang '
'Panda Earth Preta TONESHELL June '
'2023)',
'source_name': 'EARTH PRETA'},
{'description': '(Citation: Broadcom)',
'source_name': 'FIREANT'},
{'description': '(Citation: Crowdstrike MUSTANG PANDA '
'June 2018)',
'source_name': 'Mustang Panda'},
{'description': '(Citation: Google Threat '
'Intelligence Group MUSTANG PANDA '
'PLUGX August 2025)',
'source_name': 'UNC6384'},
{'description': '(Citation: Google Threat '
'Intelligence Group MUSTANG PANDA '
'PLUGX August 2025)',
'source_name': 'TEMP.Hex'},
{'description': '(Citation: HorseShell)',
'source_name': 'CAMARO DRAGON'},
{'description': '(Citation: IBM MUSTANG PANDA PUBLOAD '
'CLAIMLOADER JUNE 2025)(Citation: '
'2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG '
'PANDA)',
'source_name': 'HIVE0154'},
{'description': '(Citation: Microsoft Naming '
'Conventions Frequently Updated)',
'source_name': 'TWILL TYPHOON'},
{'description': '(Citation: Microsoft Naming '
'Conventions Frequently Updated)',
'source_name': 'TANTALUM'},
{'description': '(Citation: Microsoft Naming '
'Conventions Frequently Updated)',
'source_name': 'LUMINOUS MOTH'},
{'description': '(Citation: Palo Alto Networks, Unit '
'42)(Citation: Unit42 Bookworm '
'Nov2015)(Citation: Unit42 Chinese '
'VSCode 06 September 2024)(Citation: '
'Broadcom)(Citation: Palo Alto Unit42 '
'STATELY TAURUS TONESHELL September '
'2023)(Citation: CSIRT CTI MUSTANG '
'PANDA PUBLOAD TONESHELL JAN 2024)',
'source_name': 'STATELY TAURUS'},
{'description': '(Citation: Proofpoint TA416 November '
'2020)',
'source_name': 'TA416'},
{'description': '(Citation: PWC UK MUSTANG PANDA RED '
'LICH February 2021)',
'source_name': 'Red Lich'},
{'description': '(Citation: Recorded Future REDDELTA '
'July 2020)(Citation: Proofpoint '
'TA416 Europe March 2022)',
'source_name': 'RedDelta'},
{'description': '(Citation: Secureworks BRONZE '
'PRESIDENT December 2019)(Citation: '
'Sophos PlugX September '
'2022)(Citation: Sophos Mustang Panda '
'PLUGX)',
'source_name': 'BRONZE PRESIDENT'},
{'description': 'Alexandre Cote Cyr. (2022, March '
'23). Mustang Panda’s Hodur: Old '
'tricks, new Korplug variant. '
'Retrieved September 9, 2025.',
'source_name': 'Eset PlugX Korplug Mustang Panda '
'March 2022',
'url': 'https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/'},
{'description': 'Anomali Threat Research. (2019, '
'October 7). China-Based APT Mustang '
'Panda Targets Minority Groups, '
'Public and Private Sector '
'Organizations. Retrieved April 12, '
'2021.',
'source_name': 'Anomali MUSTANG PANDA October 2019',
'url': 'https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations'},
{'description': 'Asheer Malhotra, Jungsoo An, Kendall '
'Mc. (2022, May 5). Mustang Panda '
'deploys a new wave of malware '
'targeting Europe. Retrieved August '
'4, 2025.',
'source_name': 'Cisco Talos MUSTANG PANDA PLUGX '
'PUBLOAD MAY 2022',
'url': 'https://blog.talosintelligence.com/mustang-panda-targets-europe/'},
{'description': 'Broadcom Protection Bulletins. '
'(2025, February 20). Bookworm '
'malware linked to Fireant (aka '
'Stately Tarurus) activity observed '
'in Southeast Asia. Retrieved July '
'21, 2025.',
'source_name': 'Broadcom',
'url': 'https://www.broadcom.com/support/security-center/protection-bulletin/bookworm-malware-linked-to-fireant-aka-stately-tarurus-activity-observed-in-southeast-asia'},
{'description': 'Cohen, Itay. Madej, Radoslaw. Threat '
'Intelligence Team. (2023, May 16). '
'THE DRAGON WHO SOLD HIS CAMARO: '
'ANALYZING CUSTOM ROUTER IMPLANT. '
'Retrieved December 26, 2023.',
'source_name': 'HorseShell',
'url': 'https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/'},
{'description': 'Counter Threat Unit Research Team. '
'(2019, December 29). BRONZE '
'PRESIDENT Targets NGOs. Retrieved '
'April 13, 2021.',
'source_name': 'Secureworks BRONZE PRESIDENT '
'December 2019',
'url': 'https://www.secureworks.com/research/bronze-president-targets-ngos'},
{'description': 'CSIRT CTI. (2024, January 23). '
'Stately Taurus Targets Myanmar '
'Amidst Concerns over Military '
'Junta’s Handling of Rebel Attacks. '
'Retrieved August 4, 2025.',
'source_name': 'CSIRT CTI MUSTANG PANDA PUBLOAD '
'TONESHELL JAN 2024',
'url': 'https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/'},
{'description': 'DOJ. (2024, December 20). Mag. No. '
'24-mj-1387 AFFIDAVIT IN SUPPORT OF '
'AN APPLICATION FOR A NINTH SEARCH '
'AND SEIZURE WARRANT- IN THE MATTER '
'OF THE SEARCH AND SEIZURE OF '
'COMPUTERS IN THE UNITED STATES '
'INFECTED WITH PLUGX MALWARE . '
'Retrieved September 9, 2025.',
'source_name': 'DOJ Affidavit Search and Seizure '
'PlugX December 2024',
'url': 'https://www.justice.gov/archives/opa/media/1384136/dl'},
{'description': 'EclecticIQ Threat Research Team. '
'(2023, February 2). Mustang Panda '
'APT Group Uses European '
'Commission-Themed Lure to Deliver '
'PlugX Malware. Retrieved September '
'9, 2025.',
'source_name': 'EclecticIQ Mustang Panda PlugX',
'url': 'https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware'},
{'description': 'Golo Muhr, Joshua Chung. (2025, June '
'23). Hive0154 aka Mustang Panda '
'shifts focus on Tibetan community to '
'deploy Pubload backdoor. Retrieved '
'August 4, 2025.',
'source_name': 'IBM MUSTANG PANDA PUBLOAD '
'CLAIMLOADER JUNE 2025',
'url': 'https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor'},
{'description': 'Golo Muhr, Joshua Chung. (2025, May '
'15). Hive0154 targeting US, '
'Philippines, Pakistan and Taiwan in '
'suspected espionage campaign. '
'Retrieved August 4, 2025.',
'source_name': '2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG '
'PANDA',
'url': 'https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan'},
{'description': 'Insikt Group. (2020, July 28). '
'CHINESE STATE-SPONSORED GROUP '
'‘REDDELTA’ TARGETS THE VATICAN AND '
'CATHOLIC ORGANIZATIONS. Retrieved '
'April 13, 2021.',
'source_name': 'Recorded Future REDDELTA July 2020',
'url': 'https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf'},
{'description': 'Ken Towne, Francis Guibernau. (2023, '
'March 23). Emulating the Politically '
'Motivated Chinese APT Mustang Panda. '
'Retrieved September 10, 2025.',
'source_name': 'ATTACKIQ MUSTANG PANDA TONESHELL '
'March 2023',
'url': 'https://www.attackiq.com/2023/03/23/emulating-the-politically-motivated-chinese-apt-mustang-panda/'},
{'description': 'Lenart Bermejo, Sunny Lu, Ted Lee. '
'(2024, September 9). Earth Preta '
'Evolves its Attacks with New Malware '
'and Strategies. Retrieved August 4, '
'2025.',
'source_name': 'Trend Micro MUSTANG PANDA PUBLOAD '
'HIUPAN SEPTEMBER 2024',
'url': 'https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html'},
{'description': 'Lior Rochberger, Tom Fakterman, '
'Robert Falcone. (2023, September '
'22). Cyberespionage Attacks Against '
'Southeast Asian Government Linked to '
'Stately Taurus, Aka Mustang Panda. '
'Retrieved September 9, 2025.',
'source_name': 'Palo Alto Unit42 STATELY TAURUS '
'TONESHELL September 2023',
'url': 'https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/'},
{'description': 'Meyers, A. (2018, June 15). Meet '
'CrowdStrike’s Adversary of the Month '
'for June: MUSTANG PANDA. Retrieved '
'April 12, 2021.',
'source_name': 'Crowdstrike MUSTANG PANDA June 2018',
'url': 'https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/'},
{'description': 'Microsoft. (2025, September 8). How '
'Microsoft names threat actors. '
'Retrieved September 10, 2025.',
'source_name': 'Microsoft Naming Conventions '
'Frequently Updated',
'url': 'https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming'},
{'description': 'Nathaniel Morales, Nick Dai. (2025, '
'February 18). Earth Preta Mixes '
'Legitimate and Malicious Components '
'to Sidestep Detection. Retrieved '
'September 10, 2025.',
'source_name': 'Trend Micro Mustang Panda Earth '
'Preta Toneshell February 2025',
'url': 'https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html'},
{'description': 'Nick Dai, Vickie Su, Sunny Lu. '
'(2022, November 18). Earth Preta '
'Spear-Phishing Governments '
'Worldwide. Retrieved August 4, 2025.',
'source_name': '2022 November_TrendMicro_Earth '
'Preta_Toneshell_Pubload',
'url': 'https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html'},
{'description': 'Patrick Whitsell. (2025, August 25). '
'Deception in Depth: PRC-Nexus '
'Espionage Campaign Hijacks Web '
'Traffic to Target Diplomats. '
'Retrieved September 9, 2025.',
'source_name': 'Google Threat Intelligence Group '
'MUSTANG PANDA PLUGX August 2025',
'url': 'https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats'},
{'description': 'Proofpoint Threat Research Team. '
'(2020, November 23). TA416 Goes to '
'Ground and Returns with a Golang '
'PlugX Malware Loader. Retrieved '
'April 13, 2021.',
'source_name': 'Proofpoint TA416 November 2020',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader'},
{'description': 'PWC UK. (2021, February 28). Cyber '
'Threats 2020: A Year in Retrospect. '
'Retrieved October 15, 2025.',
'source_name': 'PWC UK MUSTANG PANDA RED LICH '
'February 2021',
'url': 'https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf'},
{'description': 'Raggi, M. et al. (2022, March 7). '
'The Good, the Bad, and the Web Bug: '
'TA416 Increases Operational Tempo '
'Against European Governments as '
'Conflict in Ukraine Escalates. '
'Retrieved March 16, 2022.',
'source_name': 'Proofpoint TA416 Europe March 2022',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european'},
{'description': 'Robert Falcone, Mike Scott, Juan '
'Cortes. (2015, November 10). '
'Bookworm Trojan: A Model of Modular '
'Architecture. Retrieved July 21, '
'2025.',
'source_name': 'Unit42 Bookworm Nov2015',
'url': 'https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/'},
{'description': 'Robert Falcone. (2025, February 20). '
'Stately Taurus Activity in Southeast '
'Asia Links to Bookworm Malware. '
'Retrieved July 21, 2025.',
'source_name': 'Palo Alto Networks, Unit 42',
'url': 'https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/'},
{'description': 'Secureworks Counter Threat Unit '
'Research Team. (2022, April 27). '
'BRONZE PRESIDENT Targets Russian '
'Speakers with Updated PlugX. '
'Retrieved September 9, 2025.',
'source_name': 'Sophos PlugX September 2022',
'url': 'https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx'},
{'description': 'Secureworks Counter Threat Unit '
'Research Team. (2022, September 8). '
'BRONZE PRESIDENT Targets Government '
'Officials. Retrieved September 9, '
'2025.',
'source_name': 'Sophos Mustang Panda PLUGX',
'url': 'https://www.secureworks.com/blog/bronze-president-targets-government-officials'},
{'description': 'Sudeep Singh. (2025, April 16). '
'Latest Mustang Panda Arsenal: '
'ToneShell and StarProxy | P1. '
'Retrieved July 21, 2025.',
'source_name': 'Zscaler',
'url': 'https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1'},
{'description': 'Sunny Lu, Vickie Su, Nick Dai. '
'(2023, June 14). Behind the Scenes: '
'Unveiling the Hidden Workings of '
'Earth Preta. Retrieved September 10, '
'2025.',
'source_name': 'Trend Micro Mustang Panda Earth '
'Preta TONESHELL June 2023',
'url': 'https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html'},
{'description': 'The BlackBerry Research and '
'Intelligence Team. (2022, October '
'6). Mustang Panda Abuses Legitimate '
'Apps to Target Myanmar Based '
'Victims. Retrieved October 14, 2025.',
'source_name': 'BlackBerry MUSTANG PANDA October '
'2022',
'url': 'https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims'},
{'description': 'Tom Fakterman. (2024, September 6). '
'Chinese APT Abuses VSCode to Target '
'Government in Asia. Retrieved March '
'24, 2025.',
'source_name': 'Unit42 Chinese VSCode 06 September '
'2024',
'url': 'https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/'}],
'id': 'intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4',
'modified': '2025-11-04T19:40:42.270Z',
'name': 'Mustang Panda',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Kyaw Pyiyt Htet, @KyawPyiytHtet',
'Jiraput Thamsongkrah',
'ZScaler ThreatLabz'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '3.0'}