Group: Mustang Panda (MITRE ATT&CK G0129)

Aliases: TA416, RedDelta, Bronze President, Twill Typhoon

Type: State-sponsored cyberespionage group

Targets: Government, NGOs, Think Tanks

Malware: RoyalRoad, Custom Loaders, PlugX

Country: China


Who is Mustang Panda?

Mustang Panda is a prolific cyberespionage group linked to China that has been active since at least 2017. It first focused on East and Southeast Asia and now also targets governments and diplomatic bodies in Europe and Russia.

The group is agile: it quickly adapts its campaigns to current world events. It gathers diplomatic, economic, and military intelligence in support of the Chinese state.

Common Tactics and Tools

Mustang Panda's main infection method is spear-phishing. The lures are convincing and topical, usually posing as government reports or news articles tied to current events, and carry either a link to the payload or a malicious attachment.

The group often hosts its payloads on cloud services such as Google Drive or Dropbox. Links to widely used, reputable domains pass the URL-reputation checks that a purpose-registered domain would fail, so the first-stage download reaches the victim over HTTPS from infrastructure the defender cannot simply block.

  • RoyalRoad: Not a final payload but a weaponizer tool. Mustang Panda uses it to build malicious Rich Text Format (RTF) files whose embedded objects exploit known vulnerabilities in Microsoft Office's Equation Editor component to drop the first-stage malware.
  • Custom Loaders: The group constantly creates new loaders. These small programs exist to evade endpoint detection and to fetch or decrypt and execute the main PlugX payload, most often by DLL side-loading: a legitimate signed executable is shipped alongside a malicious DLL that decrypts PlugX and runs it in memory.
  • PlugX: The group's main malware. This well-known backdoor gives the operators full remote control of a compromised computer. They use it to steal files, log keystrokes, and launch further attacks inside the network.
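As an added example (not code from Lumu or from this page), the following Python script performs a static triage of an RTF attachment for the embedded-object pattern that RoyalRoad-built documents commonly rely on: an OLE object group carrying \objupdate, so the object loads as the document opens, and an \objdata stream whose hex-encoded OLE data names the Equation.3 ProgID of the Equation Editor. The sample RTFs, the function name and the "suspicious" decision rule are constructed for illustration; a hit is a reason to detonate the file in a sandbox, not proof of exploitation.

```python
import re

# RTF control words that introduce an embedded OLE object; \objupdate makes
# Word load the object as the document opens, with no click required.
OBJECT_MARKERS = (b"\\object", b"\\objemb", b"\\objupdate", b"\\objdata")

# The OLE stream inside \objdata is hex-encoded, so the ProgID "Equation.3"
# (the Equation Editor component) appears as its hex form in the file.
EQUATION_PROGID_HEX = "Equation.3".encode("ascii").hex().encode("ascii")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def triage_rtf(data: bytes) -> dict:
    """Return the indicators found in an RTF byte string.

    'suspicious' is True when the file is RTF, contains an auto-updating
    embedded object, and that object's data names the Equation Editor.
    """
    findings = {
        "is_rtf": data.lstrip().startswith(b"{\\rt"),  # Word also accepts '{\rt'
        "object_markers": [m.decode() for m in OBJECT_MARKERS if m in data],
        "objupdate": b"\\objupdate" in data,
        "equation_editor_progid": False,
        "objdata_bytes": 0,
    }
    for m in OBJDATA_RE.finditer(data):
        hexblob = re.sub(rb"\s+", b"", m.group(1)).lower()  # hex may wrap lines
        findings["objdata_bytes"] += len(hexblob) // 2
        if EQUATION_PROGID_HEX in hexblob:
            findings["equation_editor_progid"] = True
    findings["suspicious"] = (
        findings["is_rtf"]
        and findings["objupdate"]
        and findings["equation_editor_progid"]
    )
    return findings


# Constructed samples: a document with the RoyalRoad-style object group, and a
# plain one. Neither contains exploit code.
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b000000\n"
    + EQUATION_PROGID_HEX
    + b"\n00}}\\par}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly budget summary.\\par}"

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(blob))
```

Run it over the RTF attachments your mail gateway quarantines; anything that scores as suspicious should go to the sandbox before it reaches a mailbox.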

How to Defend Against Mustang Panda

Defense requires multiple layers that counter both Mustang Panda's social engineering and its custom malware.

  • Advanced email filtering: Use email security that follows and scans links, including links to cloud file-sharing services, and detonates attachments in a sandbox to check for harmful behavior rather than relying on signatures alone.
  • Monitor cloud service traffic: Inspect network traffic to and from cloud services such as Google Drive and Dropbox. Look for downloads of archives or executables from those services and for unusually large uploads, which can signal payload delivery or data exfiltration.
  • Application hardening: Configure endpoint security to block or flag executables launched from user-writable folders such as Downloads and temporary directories, block Office macros in files that arrived from the internet, and prevent Office applications from spawning child processes.
  • Deploy Network Detection and Response (NDR): Use an NDR tool to watch all network traffic. It can spot command-and-control activity that endpoint security misses, which matters most for malware that blends its traffic into legitimate cloud services.
  • Segment your network: Divide the network into smaller, isolated zones. If an attacker compromises one zone, segmentation stops them from easily reaching critical systems in others.
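The following Python script, added here as an example and not Lumu's code, turns two of the controls above into detection logic and runs it over constructed sample telemetry. The proxy rule flags downloads of archive or executable content from Google Drive and Dropbox download hosts, and bulk uploads to those services; the endpoint rule flags binaries started from user-writable folders such as Downloads, and the DLL side-loading pattern (a signed executable loading a DLL from its own directory rather than the Windows directory) through which PlugX is typically launched. The event field names, the host list, the file-name extensions and the 50 MB upload threshold are assumptions to tune against your own logs.

```python
import re
from dataclasses import dataclass

# Download hosts of the cloud services the group is reported to stage
# payloads on. Assumed list; extend it from your own proxy logs.
CLOUD_FILE_HOSTS = {
    "drive.google.com", "drive.usercontent.google.com", "docs.google.com",
    "www.dropbox.com", "dl.dropboxusercontent.com",
}
PAYLOAD_EXT = re.compile(r"\.(zip|rar|7z|iso|exe|dll|lnk|rtf|scr)(\?|$)", re.I)
PAYLOAD_MIME = {"application/zip", "application/x-msdownload",
                "application/octet-stream", "application/x-rar-compressed"}
# Folders an unprivileged user can write to; a phished payload first runs here.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata\\local\\temp|public)\\", re.I)
EXFIL_BYTES = 50 * 1024 * 1024  # assumed threshold for one upload session


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def check_proxy(events):
    """events: dicts with src_host, dst_host, method, url, mime, bytes_out."""
    alerts = []
    for e in events:
        if e["dst_host"] not in CLOUD_FILE_HOSTS:
            continue
        if e["method"] == "GET" and (PAYLOAD_EXT.search(e["url"]) or e["mime"] in PAYLOAD_MIME):
            alerts.append(Alert("cloud-hosted payload download", e["src_host"], e["url"]))
        if e["method"] in ("POST", "PUT") and e["bytes_out"] >= EXFIL_BYTES:
            alerts.append(Alert("bulk upload to cloud storage", e["src_host"],
                                f"{e['bytes_out']} bytes to {e['dst_host']}"))
    return alerts


def check_process(events):
    """events: dicts with host, image, signed and optionally loaded_dll."""
    alerts = []
    for e in events:
        if USER_WRITABLE.search(e["image"]):
            alerts.append(Alert("execution from user-writable folder", e["host"], e["image"]))
        dll = e.get("loaded_dll", "")
        # Side-loading pattern: a signed executable resolves a DLL from its own
        # directory instead of the Windows directory.
        same_dir = dll.rsplit("\\", 1)[0].lower() == e["image"].rsplit("\\", 1)[0].lower()
        if dll and e.get("signed") and same_dir and not dll.lower().startswith("c:\\windows\\"):
            alerts.append(Alert("possible DLL side-loading", e["host"],
                                f"{e['image']} loaded {dll}"))
    return alerts


# Constructed sample telemetry: one workstation that fetched a ZIP from Google
# Drive, pushed a large upload to Dropbox and ran a side-loaded DLL, and one
# that only edited a Google Doc and loaded a system DLL normally.
PROXY_SAMPLE = [
    {"src_host": "ws-17", "dst_host": "drive.usercontent.google.com", "method": "GET",
     "url": "https://drive.usercontent.google.com/download?id=abc123&export=download",
     "mime": "application/zip", "bytes_out": 512},
    {"src_host": "ws-17", "dst_host": "www.dropbox.com", "method": "PUT",
     "url": "https://www.dropbox.com/upload", "mime": "application/octet-stream",
     "bytes_out": 120_000_000},
    {"src_host": "ws-02", "dst_host": "docs.google.com", "method": "GET",
     "url": "https://docs.google.com/document/d/xyz/edit", "mime": "text/html",
     "bytes_out": 400},
]
PROCESS_SAMPLE = [
    {"host": "ws-17", "image": "C:\\Users\\ana\\Downloads\\Report\\Updater.exe",
     "loaded_dll": "C:\\Users\\ana\\Downloads\\Report\\version.dll", "signed": True},
    {"host": "ws-02", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "loaded_dll": "C:\\Windows\\System32\\version.dll", "signed": True},
]


def run(proxy_events=PROXY_SAMPLE, process_events=PROCESS_SAMPLE):
    return check_proxy(proxy_events) + check_process(process_events)


if __name__ == "__main__":
    for a in run():
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

On the sample data all four alerts land on ws-17, which is the point of correlating the proxy and endpoint views: a cloud download followed minutes later by execution from Downloads and a side-loaded DLL on the same host is far stronger evidence than any of the three events alone.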
