Mustang Panda is a China-based cyber espionage group, active since at least 2012, though some sources suggest operations may date back even earlier. The group is also known by aliases such as Bronze President, RedDelta, Earth Preta, and Camaro Dragon. Mustang Panda targets a wide range of organizations, including governments, non-governmental organizations (NGOs), think tanks, and religious groups, primarily in the U.S., Europe, and across Asia—with particular focus on regions of strategic interest to China, such as Taiwan, Hong Kong, Mongolia, Myanmar, and Tibet.
Tactics, Techniques, and Procedures (TTPs)
Mustang Panda is notorious for highly tailored spear-phishing campaigns, using lures that mimic legitimate documents and play on current events relevant to the target. The group commonly deploys remote access trojans (RATs) such as PlugX and Poison Ivy alongside custom tooling such as the PUBLOAD stager and the Pubshell backdoor. In recent years it has increasingly relied on intermediate payloads, stagers, and reverse shells to stage later-stage malware, retain access, and evade detection.
Attack chains frequently rely on DLL side-loading: a legitimate, often signed, executable is delivered together with a malicious DLL placed in the same directory, so that the host process loads the attacker's DLL in place of the expected library; that loader DLL then decrypts and launches the final payload (the well-known PlugX triad of executable, loader DLL, and encrypted payload file is the classic example). Mustang Panda also has a history of quickly weaponizing newly disclosed vulnerabilities, such as CVE-2017-0199 (Microsoft Office OLE remote code execution, typically delivered through malicious RTF documents), to compromise systems before patches are applied.
Motivation and Scope
The group’s primary objective is intelligence gathering to support Chinese state interests, including the Belt and Road Initiative and Made in China 2025. Mustang Panda has targeted entities in over 30 countries, including Australia, India, Russia, and many nations in Europe and Southeast Asia.
Recent Campaigns
Recent activities have included attacks using conference- and summit-themed lures, as well as lures built around geopolitical events such as the conflict in Ukraine and issues affecting Tibetan and Mongolian diaspora organizations. The group is known for continuously evolving its tools and techniques to stay ahead of detection and maintain long-term access to victim networks.
Summary identification table
| Attribute | Details |
|---|---|
| Aliases | Bronze President, RedDelta, Earth Preta, Camaro Dragon, and others |
| Origin | China |
| Active Since | At least 2012 (possibly earlier) |
| Main Targets | Governments, NGOs, think tanks, religious groups, and others |
| Key Tools | PlugX, Poison Ivy, PUBLOAD, Pubshell, custom stagers, reverse shells |
| Primary Tactics | Spear-phishing, DLL side-loading, exploitation of vulnerabilities |
| Motivation | Espionage, information theft, support for Chinese state objectives |
| Geographic Scope | U.S., Europe, Asia (especially Taiwan, Hong Kong, Mongolia, Myanmar, Tibet) |