What are we tracking here?
In this blog, we are tracking "Mustang Panda" evolution across campaigns (2022 - 2025) and the malware arsenal used by the threat actor to run those cyber attack campaigns.
Understanding Adversary: Mustang Panda
Mustang Panda (APT G0129) has emerged as one of the most persistent and adaptable cyber espionage groups over the past decade, with its activities between 2022 and 2025 indicating a clear technical evolution and operational maturity.
ORIGIN: China-based cyber espionage threat actor that has been conducting operations since at least 2012
MITRE GROUP ID: G0129
ASSOCIATED GROUPS: TA416 (Proofpoint: TA416), RedDelta (PwC: Red Delta), BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich, DarkPeony, HoneyMyte, Polaris, PAN: PKPLUG
MOTIVATION: Information theft and espionage
INDUSTRIES TARGETED: Healthcare, Government, Education, Aviation, Telecom
LINKAGE WITH OTHER APT GROUPS: APT41
COUNTRIES TARGETED: Australia, Bangladesh, Belgium, Bulgaria, China, Cyprus, Czech, Ethiopia, France, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Japan, Mongolia, Myanmar, Nepal, Pakistan, Philippines, Russia, Singapore, Slovakia, South Africa, South Korea, South Sudan, Sweden, Taiwan, Thailand, Tibet, UK, USA, and Vietnam
Evolution Tracking: Mustang Panda Operational Patterns & TTP Analysis
Mustang Panda has shown its ability to refine the tactics, techniques, and procedures (TTPs) in response to defensive advancements, making it a case study in modern APT evolution.
Time Period: 2022
In 2022, Mustang Panda used spear-phishing as the primary initial access vector. The group leveraged socially engineered emails containing malicious attachments or links, often themed around geopolitical events, COVID-19 updates, or policy documents, to lure victims. These payloads were frequently hosted on platforms such as Google Drive. Once access was established, execution typically relied on user interaction, utilizing techniques such as malicious file execution and the abuse of legitimate Windows utilities, including rundll32. Privilege escalation was achieved through User Account Control (UAC) bypass mechanisms, allowing attackers to gain elevated access within compromised environments.
Mustang Panda kept its emphasis on defense evasion through DLL sideloading and process injection. By pairing malicious DLLs with legitimate executables such as debugging tools or widely used applications, the group made its malicious code execution blend in with normal system activity. Malware families such as PlugX, ToneShell, and CoolClient demonstrated these techniques extensively, with additional layers of obfuscation including encoded payloads and masquerading tactics that mimicked legitimate file names and directories. Persistence mechanisms were equally robust, relying on scheduled tasks, registry run keys, and Windows services to ensure continued access even after system reboots. Command-and-control (C2) communications during this period were diverse, incorporating both HTTP-based reverse shells and custom TCP protocols, often encrypted using RC4 or XOR schemes, indicating the use of both application-layer and non-application-layer protocols.
Time Period: 2023
By 2023, Mustang Panda had significantly expanded its capabilities, particularly in terms of stealth, persistence, and data exfiltration. The introduction of MQsTTang malware showed a shift toward leveraging unconventional protocols, as it utilized MQTT, a lightweight messaging protocol typically used in IoT environments for C2 communication. The group continued to refine its use of DLL sideloading and masquerading, while introducing execution guardrails and debugger evasion techniques to avoid analysis in sandboxed environments.
Data collection and exfiltration operations also became more sophisticated in 2023. Mustang Panda incorporated keylogging, credential dumping from LSASS memory, and large-scale data archiving using tools like RAR before exfiltration. Notably, exfiltration methods expanded to include cloud platforms such as Dropbox and FTP-based services, reflecting a growing reliance on legitimate infrastructure to bypass network defenses. Persistence techniques evolved further with the addition of web shells, providing backup access channels in case primary implants were removed. This period represents a transition from basic espionage operations to more comprehensive data harvesting campaigns, with a clear emphasis on maintaining long-term access and maximizing intelligence collection.
Time Period: 2024
In 2024, Mustang Panda’s operations demonstrated a substantial increase in sophistication, particularly in defense evasion and lateral movement. The group began employing advanced anti-forensic techniques, including the use of hidden files, NTFS attributes, and deliberate clearing of persistence artifacts to reduce detection footprints. Code signing abuse was also observed, allowing malicious binaries to appear trustworthy to security solutions. Malware such as YOKAI combined these capabilities with decoy documents disguised as legitimate government files to initiate infection chains, while relying on DLL sideloading and encrypted communications for stealth.
Another significant development in 2024 was the expanded use of propagation and discovery techniques. Mustang Panda leveraged removable media for both initial infection and lateral movement. Once inside a network, the group conducted extensive reconnaissance using native system utilities to gather information about system configurations, network connections, and installed security tools. Data collection and exfiltration were carried out using utilities like cURL and custom socket-based protocols.
Time Period: 2025
By 2025, Mustang Panda operated with a strong focus on credential harvesting and cloud-based exfiltration. CoolClient malware variants, such as CoolClientv3, introduced advanced capabilities, including clipboard monitoring, active window tracking, and extraction of sensitive system and browser data. The group demonstrated a deep understanding of modern user environments by targeting browser credential stores, executing SQL queries to retrieve login information, and decrypting stored passwords.
Exfiltration techniques in 2025 further reflect Mustang Panda’s evolution. The group leveraged legitimate cloud services such as Google Drive APIs and platforms like Pixeldrain to transfer stolen data, often using standard tools like curl for uploads and rar for compression. This “living-off-the-land” approach minimizes the need for custom tooling and reduces the likelihood of detection by mixing malicious activity with normal user behavior. Command-and-control communications also diversified, with some variants shifting toward direct TCP/UDP communication while others continued to use HTTPS, providing operational flexibility depending on the target environment.
Detection Logic
- DLL Sideloading: DLL sideloading was observed in almost all Mustang Panda attacks. Refer to the TTP analysis section “Defense Evasion” for each year to get the malware-specific malicious DLL files that were executed with a legitimate tool.
- Suspicious Scheduled Tasks: Various scheduled tasks were created via the schtasks command-line utility to maintain persistence on the target system. Refer to the TTP analysis section “Persistence” for each year to get the malware-specific scheduled tasks that were created to maintain persistence on the target system.
- Registry Run Key Modification: Run registry keys were installed for persistence on the victim system by Mustang Panda malware. Refer to the TTP analysis section “Persistence” for each year to get the malware-specific run registry key values (Registry Key, Registry Value Name, Registry Value Data) that were created to maintain persistence on the target system.
- Command & Control: Both application-layer protocols (HTTP/HTTPS) and non-application-layer protocols (TCP/UDP) were observed during the Mustang Panda analysis. Refer to the TTP analysis section “Command & Control” for each year to get the malware-specific C2 infrastructure (IP, domain, etc.) used by the attacker to communicate with the victim system.
- Phishing: The group used customised phishing/spear-phishing techniques to lure the victim. Refer to the TTP analysis section “Other Techniques > Initial Access” for each year to get the malware-specific phishing techniques used by the threat actor to lure the victims.
Over the years, Mustang Panda has employed several other techniques to attack the victim system, including data exfiltration, command execution, and keylogging. All these techniques are documented in the Mustang Panda APT analysis under the TTP analysis table “other techniques”.
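As an added example (not code from the original post), the following Python sketch applies three of the detection ideas above to constructed Sysmon-style events: a DLL loaded from the same user-writable directory as its host executable (the sideloading pattern), a schtasks /create whose action lives in a user-writable path, and a Run key whose value points there. The event layout, directory list, file names and paths are assumptions made for the illustration.

```python
import re

# Directories a standard user can write to (constructed list for this example).
# Legitimate signed tools running from here, or persistence entries pointing
# here, are the common thread in the sideloading / schtasks / Run-key patterns.
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\AppData\\|[A-Z]:\\Users\\Public\\|"
    r"[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\)", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

def dirname(path):
    return path.rsplit("\\", 1)[0].lower()

def check(ev):
    """Return an alert name for one Sysmon-style event dict, or None."""
    if ev["type"] == "ImageLoad":
        # Sideloading heuristic: the DLL sits beside its host EXE and both live
        # in a user-writable directory rather than Windows / Program Files.
        if dirname(ev["image"]) == dirname(ev["loaded"]) and USER_WRITABLE.match(ev["loaded"]):
            return "possible_dll_sideload"
    elif ev["type"] == "ProcessCreate":
        cl = ev["cmdline"]
        if "schtasks" in cl.lower() and "/create" in cl.lower():
            action = re.search(r'/tr\s+"?([^"]+)', cl, re.IGNORECASE)  # task action path
            if action and USER_WRITABLE.match(action.group(1).strip()):
                return "scheduled_task_user_writable_action"
        if "rundll32" in cl.lower() and USER_WRITABLE.search(cl):
            return "rundll32_user_writable_dll"
    elif ev["type"] == "RegistrySet":
        if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
            return "run_key_user_writable_target"
    return None

def scan(events):
    """Return (event index, alert) pairs for every event that fires a rule."""
    return [(i, a) for i, a in ((i, check(e)) for i, e in enumerate(events)) if a]

# Constructed sample telemetry. x32dbg.exe / x32bridge.dll is a publicly documented
# debugger sideloading pair; the directories, SID and other names are invented.
EVENTS = [
    {"type": "ImageLoad", "image": r"C:\Users\bob\AppData\Roaming\dbg\x32dbg.exe",
     "loaded": r"C:\Users\bob\AppData\Roaming\dbg\x32bridge.dll"},
    {"type": "ImageLoad", "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\app.dll"},           # benign: same dir, not user-writable
    {"type": "ProcessCreate",
     "cmdline": r'schtasks /create /sc onlogon /tn Update /tr "C:\ProgramData\upd\svc.exe"'},
    {"type": "RegistrySet",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\bob\AppData\Local\upd\run.exe"},
    {"type": "ProcessCreate", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, alert in scan(EVENTS):
        print(idx, alert)
```

The rules deliberately key on location rather than file names, so they also catch renamed loaders; tune USER_WRITABLE to the directories your environment actually allows users to write to.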
Indicators of Compromise [IOCs]
ATT&CK Matrix
Conclusion
Mustang Panda’s activities over these four years illustrate the adaptive nature of modern APT groups. By continuously refining its TTPs and leveraging both custom malware and legitimate infrastructure, the group has maintained its effectiveness as a cyber espionage actor. For defenders, this highlights the importance of moving beyond signature-based detection to behavioral analysis, monitoring legitimate tool abuse, and improving visibility into cloud and endpoint activity. As Mustang Panda continues to evolve, it is likely to further integrate emerging technologies and techniques, reinforcing its position as a significant and enduring threat in the global cybersecurity landscape.