← All Threat Actors
Threat Actor Profile

MUSTANG PANDA

BASIN BRONZE PRESIDENT CAMARO DRAGON ClumsyToad Earth Preta FIREANT G0129 HIVE0154 HoneyMyte LUMINOUS MOTH LuminousMoth Polaris Red Lich RedDelta Stately Taurus TA416 TANTALUM TEMP.HEX Twill Typhoon UNC6384
▲ High Threat
This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.
Origin China
Sponsor China
Motivation Espionage

Target Sectors

Civil society

Known TTPs

System Network Configuration Discovery
Upload Malware
Web Services
Windows Management Instrumentation
Symmetric Cryptography
Search Open Websites/Domains
Malicious Link
Network Service Discovery
Deobfuscate/Decode Files or Information
System Network Connections Discovery
Visual Basic
IDE Tunneling
Exfiltration to Cloud Storage
Scheduled Task
Domain Account
Spearphishing Link
Delay Execution
Hidden Files and Directories
Mshta
Dynamic API Resolution
Email Accounts
Remote Desktop Software
OS Credential Dumping
DCSync
InstallUtil
Email Accounts
Archive via Utility
Indicator Removal
Web Protocols
Remote System Discovery
Domain Groups
Protocol or Service Impersonation
Exfiltration Over Unencrypted Non-C2 Protocol
Spearphishing Link
Exfiltration Over C2 Channel
Software Deployment Tools
Adversary-in-the-Middle
Web Shell
IDE Extensions
Code Signing Certificates
Replication Through Removable Media
Windows Command Shell
Exfiltration over USB
LSASS Memory
Tool
Digital Certificates
Archive via Custom Method
File Deletion
Shared Modules
Process Discovery
System Information Discovery
Non-Application Layer Protocol
Exploitation for Client Execution
Executable Installer File Permissions Weakness
Stage Capabilities
Debugger Evasion
Spearphishing Attachment
Log Enumeration
File and Directory Discovery
Software Discovery
Domains
DLL
Windows Management Instrumentation Event Subscription
Native API
NTDS
Command and Scripting Interpreter
Code Signing
Obfuscated Files or Information
Registry Run Keys / Startup Folder
Automated Collection
Ingress Tool Transfer
Local Data Staging
JavaScript
PowerShell
Junk Code Insertion
Timestomp
Malicious File
Protocol Tunneling
Masquerade File Type
Double File Extension
Web Service
Traffic Signaling
Match Legitimate Resource Name or Location
Malware
LNK Icon Smuggling

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD