Mustang Panda
Aliases: TA416, RedDelta, BRONZE PRESIDENT
Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.
ATT&CK techniques
T1016 System Network Configuration Discovery
T1608.001 Upload Malware
T1047 Windows Management Instrumentation
T1573.001 Symmetric Cryptography
T1204.001 Malicious Link
T1049 System Network Connections Discovery
T1059.005 Visual Basic
T1053.005 Scheduled Task
T1598.003 Spearphishing Link
T1564.001 Hidden Files and Directories
T1218.005 Mshta
T1585.002 Email Accounts
T1219 Remote Access Software
T1218.004 InstallUtil
T1560.001 Archive via Utility
T1071.001 Web Protocols
T1566.002 Spearphishing Link
T1091 Replication Through Removable Media
T1059.003 Windows Command Shell
T1052.001 Exfiltration over USB
T1560.003 Archive via Custom Method
T1070.004 File Deletion
T1057 Process Discovery
T1082 System Information Discovery
T1203 Exploitation for Client Execution
T1608 Stage Capabilities
T1566.001 Spearphishing Attachment
T1083 File and Directory Discovery
T1518 Software Discovery
T1583.001 Domains
T1574.002 DLL Side-Loading
T1546.003 Windows Management Instrumentation Event Subscription
T1003.003 NTDS
T1027 Obfuscated Files or Information
T1547.001 Registry Run Keys / Startup Folder
T1119 Automated Collection
T1105 Ingress Tool Transfer
T1074.001 Local Data Staging
T1059.001 PowerShell
T1027.001 Binary Padding
T1204.002 Malicious File
T1036.007 Double File Extension
T1102 Web Service
T1036.005 Match Legitimate Name or Location
T1036 Masquerading