{"description": "Enterprise techniques used by Mustang Panda, ATT&CK group G0129 (v3.0)", "name": "Mustang Panda (G0129)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized [AdFind](https://attack.mitre.org/software/S0552) to identify domain users.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has acquired C2 domains prior to operations.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: Recorded Future REDDELTA July 2020)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Unit42 Bookworm Nov2015)(Citation: Palo Alto Networks, Unit 42)(Citation: McAfee Dianxun March 2021)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) registered adversary-controlled domains during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047) that were re-registrations of expired domains.(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1583.006", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has set up Dropbox and Google Drive to host malicious downloads.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) 
leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Unit42 Bookworm Nov2015)(Citation: McAfee Dianxun March 2021)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) used HTTP POST messages for command and control from [PlugX](https://attack.mitre.org/software/S0013) installations during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used RAR to create password-protected archives of collected documents prior to exfiltration.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020) [Mustang Panda](https://attack.mitre.org/groups/G0129) has used WinRAR \u201cRar.exe\u201d to archive stolen files before exfiltration.(Citation: Unit42 Chinese VSCode 06 September 2024) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also used [TONESHELL](https://attack.mitre.org/software/S1239) and post-exploitation tools such as RemCom and [Impacket](https://attack.mitre.org/software/S0357) to execute WinRAR `rar.exe` to archive files for exfiltration.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) used custom batch scripts to collect files automatically from a targeted system.(Citation: Secureworks BRONZE PRESIDENT December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has created the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobelmdyU to maintain persistence.(Citation: Proofpoint TA416 November 2020) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also established persistence via the registry key `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Sophos Mustang Panda PLUGX)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) used Run registry keys with names such as `OneNote Update` to execute legitimate executables that would load malicious DLLs through search-order hijacking to ensure persistence during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized meterpreter shellcode.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used malicious PowerShell scripts to enable execution.(Citation: 
Anomali MUSTANG PANDA October 2019)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Unit42 Chinese VSCode 06 September 2024)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) used LNK files to execute PowerShell commands leading to eventual [PlugX](https://attack.mitre.org/software/S0013) installation during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has executed HTA files via cmd.exe, and used batch scripts for collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also utilized cmd.exe to execute commands on an infected host such as `cmd.exe /c ping.exe 8.8.8.8 -n 70&&\"%temp%\\FontEDL.exe\"`.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has embedded VBScript components in LNK files to download additional files and automate collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Crowdstrike MUSTANG PANDA June 2018) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also used VBA macros in maldocs to execute malicious DLLs.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022) [Mustang Panda](https://attack.mitre.org/groups/G0129) also utilized a VBS Script \u201cautorun.vbs\u201d that created persistence through saving the VBS Script in the startup directory which would cause it to run each time the machine was turned on.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has executed a JavaScript payload utilizing wscript.exe on the endpoint.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1586", "showSubtechniques": true}, {"techniqueID": "T1586.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has compromised legitimate email accounts to use in their spear-phishing operations.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized TLS record headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic.  [Mustang Panda](https://attack.mitre.org/groups/G0129) has used FakeTLS to communicate with its C2 servers.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has stored collected credential files in c:\\windows\\temp prior to exfiltration. 
[Mustang Panda](https://attack.mitre.org/groups/G0129) has also stored documents for exfiltration in a hidden folder on USB drives.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has embedded debug strings with messages to distract analysts.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger.(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1678", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has delayed the execution of payloads leveraging ping echo requests `cmd /c ping 8.8.8.8 -n 70&&\"%temp%\\\"`.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Sophos PlugX September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has the ability to decrypt its payload prior to execution.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos Mustang Panda PLUGX) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also utilized RC4 encryption for malicious payloads.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has developed custom malware for use in their operations.(Citation: Eset PlugX Korplug Mustang Panda March 
2022)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has encrypted C2 communications with RC4.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Recorded Future REDDELTA July 2020) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also leveraged encryption and compression algorithms to obfuscate the traffic between the system and C2 server, methods observed included RC4, AES, XOR with 0x5a, and LZO.(Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1585", "showSubtechniques": true}, {"techniqueID": "T1585.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.(Citation: Proofpoint TA416 Europe March 2022) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also created fake Google accounts to distribute malware via spear-phishing emails.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)  [Mustang Panda](https://attack.mitre.org/groups/G0129) has also created accounts for spearphishing operations including the use of services such as Proton Mail.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129)'s custom ORat tool uses a WMI event consumer to maintain persistence.(Citation: Secureworks BRONZE PRESIDENT December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[Mustang 
Panda](https://attack.mitre.org/groups/G0129) included the use of Cloudflare geofencing mechanisms to limit payload download activity during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used FTP to exfiltrate archive files.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has exfiltrated stolen data and files to its C2 server.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Sophos PlugX September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1052", "showSubtechniques": true}, {"techniqueID": "T1052.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used a customized [PlugX](https://attack.mitre.org/software/S0013) variant which could exfiltrate documents from air-gapped networks.(Citation: Avira Mustang Panda January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has also exfiltrated archived files to cloud services such as Dropbox using `curl`.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1203", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has exploited CVE-2017-0199 in Microsoft Word to execute code.(Citation: Crowdstrike 
MUSTANG PANDA June 2018)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.(Citation: Avira Mustang Panda January 2020)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129)'s [PlugX](https://attack.mitre.org/software/S0013) variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.(Citation: Avira Mustang Panda January 2020) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also modified file attributes to `hidden` and `system`.(Citation: Eset PlugX Korplug Mustang Panda March 2022)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) stored encrypted payloads associated with [PlugX](https://attack.mitre.org/software/S0013) installation in hidden directories during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used a legitimately signed executable to execute a malicious payload within a DLL file.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG 
PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Broadcom)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Recorded Future REDDELTA July 2020)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Proofpoint TA416 November 2020)(Citation: Unit42 Bookworm Nov2015)(Citation: Sophos PlugX September 2022)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)(Citation: Zscaler) [Mustang Panda](https://attack.mitre.org/groups/G0129) has abused legitimate executables to side-load malicious DLLs.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) used DLL search order hijacking on vulnerable applications to install [PlugX](https://attack.mitre.org/software/S0013) payloads during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1574.005", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged legitimate software installer executables such as Setup Factory \u201cIRSetup.exe\u201d to drop and execute their payload.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has deleted registry keys that store data and maintained persistence.(Citation: Eset PlugX Korplug Mustang Panda 
March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) will delete their tools and files, and kill processes after their objectives are reached.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has modified file timestamps from the export address table (EAT) in malware to make it difficult to identify creation times.(Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has downloaded additional executables following the initial infection stage.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Recorded Future REDDELTA July 2020)(Citation: Sophos PlugX September 2022) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also leveraged Visual Studio Code `code.exe` and Dev Tunnels using `DevTunnel.exe` to propagate additional tools and payloads.(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1654", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used [Wevtutil](https://attack.mitre.org/software/S0645) to gather Windows Security Event Logs.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) masqueraded Registry run keys as legitimate-looking service names such as `OneNote Update` 
during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise [PlugX](https://attack.mitre.org/software/S0013), and a file named `OneDrive.exe` to load a [Cobalt Strike](https://attack.mitre.org/software/S0154) payload.(Citation: Recorded Future REDDELTA July 2020) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also masqueraded legitimate browser plugin updates to include AdobePlugins.exe.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.007", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used an additional filename extension to hide the true file type.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has masqueraded malicious executables as legitimate files that download [PlugX](https://attack.mitre.org/software/S0013) malware.(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Sophos PlugX September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used various Windows API calls during execution and defense evasion.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Broadcom)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Trend Micro Mustang Panda 
Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged [NBTscan](https://attack.mitre.org/software/S0590) to scan IP networks.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized TCP-based reverse shells using cmd.exe.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has delivered initial payloads hidden using archives and encoding measures.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Proofpoint TA416 November 2020)(Citation: Proofpoint TA416 Europe March 2022)(Citation: Unit42 Bookworm Nov2015) (Citation: Sophos PlugX September 2022)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper 
April 2025)(Citation: Zscaler) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also utilized opaque predicates in payloads to hinder analysis.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.012", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized LNK files to hide malicious scripts for execution.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Sophos Mustang Panda PLUGX) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also leveraged LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) stored installation payloads as encrypted files in hidden folders during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used junk code within their DLL files to hinder analysis.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Avira Mustang Panda January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "[Mustang 
Panda](https://attack.mitre.org/groups/G0129) has obtained and leveraged publicly-available tools for intrusion activities.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used revoked code signing certificates for its malicious payloads.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588.004", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has obtained SSL certificates for their C2 domains.(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) acquired Cloudflare Origin CA TLS certificates during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) utilized \u201cHdump\u201d to dump credentials from memory.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has harvested credentials from memory of lsass.exe with [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. 
[Mustang Panda](https://attack.mitre.org/groups/G0129) has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.006", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged [Mimikatz](https://attack.mitre.org/software/S0002) DCSync feature to obtain user credentials.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged [AdFind](https://attack.mitre.org/software/S0552) to enumerate domain groups.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used spearphishing attachments to deliver initial access payloads.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: Recorded Future REDDELTA July 2020)(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Proofpoint TA416 November 2020) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also delivered archive files such as RAR and ZIP files containing legitimate EXEs and malicious DLLs.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM 
MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) leveraged malicious attachments in spearphishing emails for initial access to victim environments in [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has delivered malicious links to their intended targets.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: McAfee Dianxun March 2021) [Mustang Panda](https://attack.mitre.org/groups/G0129) has distributed spear-phishing emails with embedded links that direct the victim to a malicious archive hosted on Google or Dropbox.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) distributed malicious links in phishing emails leading to HTML files that would direct the victim to malicious MSC files if running Windows based on User Agent fingerprinting during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1598", "showSubtechniques": true}, {"techniqueID": "T1598.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has delivered web bugs to profile their intended targets.(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used tasklist /v to determine active process information.(Citation: Avira Mustang Panda January 2020) 
[Mustang Panda](https://attack.mitre.org/groups/G0129) has also used [TONESHELL](https://attack.mitre.org/software/S1239) malware to check the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1572", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged OpenSSH (sshd.exe) to execute commands, transfer files and spread across the environment communicating over SMB port 445.(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) proxied communication through the Cloudflare CDN service during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1219", "showSubtechniques": true}, {"techniqueID": "T1219.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized an established Github account to create a tunnel within the victim environment using Visual Studio Code through the `code.exe tunnel` command.(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1219.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has installed TeamViewer on targeted systems.(Citation: Secureworks BRONZE PRESIDENT December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has queried Active Directory for computers using [AdFind](https://attack.mitre.org/software/S0552).(Citation: Palo Alto Unit42 STATELY TAURUS 
TONESHELL September 2023) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also utilized SharpNBTScan to scan the victim environment.(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1091", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used a customized [PlugX](https://attack.mitre.org/software/S0013) variant which could spread through USB connections.(Citation: Avira Mustang Panda January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has created a scheduled task to execute additional malicious software, as well as maintain persistence.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: McAfee Dianxun March 2021) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also created a scheduled task that creates a reverse shell.(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1593", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used open-source research to identify information about victims to use in targeting to include creating weaponized phishing lures and attachments.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used [China Chopper](https://attack.mitre.org/software/S0020) web shells to maintain access to victims\u2019 environments.(Citation: Palo Alto 
Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1129", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged `LoadLibrary` to load DLLs.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1072", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged legitimate software tools such as AntiVirus Agents, Security Services, and App Development tools to execute scripts and to side-load dlls.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has searched the victim system for the InstallUtil.exe program and its version.(Citation: Anomali MUSTANG PANDA October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1176", "showSubtechniques": true}, {"techniqueID": "T1176.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged Visual Studio Code\u2019s (VSCode) embedded reverse shell feature using the command `code.exe tunnel` to execute code and deliver additional payloads.(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used servers under their control to validate tracking pixels sent to phishing victims.(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has hosted malicious payloads on DropBox including [PlugX](https://attack.mitre.org/software/S0013).(Citation: 
Proofpoint TA416 Europe March 2022)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) staged malware on adversary-controlled domains and cloud storage instances during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used valid legitimate digital signatures and certificates to evade detection.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Unit42 Bookworm Nov2015)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)(Citation: Zscaler)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) used legitimate, signed binaries such as `inkform.exe` or `ExcelRepairToolboxLauncher.exe` for follow-on execution of malicious DLLs through DLL search order hijacking in [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.004", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used InstallUtil.exe to execute a malicious Beacon stager.(Citation: Anomali MUSTANG PANDA October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used mshta.exe to launch collection scripts.(Citation: Secureworks BRONZE PRESIDENT December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1218.007", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) initial payloads downloaded a Windows Installer MSI file that in turn dropped follow-on files leading to installation of [PlugX](https://attack.mitre.org/software/S0013) during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1218.014", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has gathered system information using systeminfo.(Citation: Avira Mustang Panda January 2020)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) captured victim operating system type via User Agent analysis during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used ipconfig and arp to determine network configuration information.(Citation: Avira Mustang Panda January 2020) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also utilized SharpNBTScan to scan the victim environment.(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used netstat -ano to determine network 
connection information.(Citation: Avira Mustang Panda January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of \u201c17 03 03\u201d or \u201c46 77 4d\u201d.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has sent malicious links including links directing victims to a Google Drive folder.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Proofpoint TA416 Europe March 2022)(Citation: McAfee Dianxun March 2021) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also utilized webpages with Javascript code that downloads malicious payloads to the victim device.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has sent malicious files requiring direct victim interaction to execute.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: 
IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Avira Mustang Panda January 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: Recorded Future REDDELTA July 2020)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Proofpoint TA416 Europe March 2022)(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also leveraged executable files that display decoy documents to the victim to provide a resemblance of legitimacy with customized themes related to the victim.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Unit42 Bookworm Nov2015)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)\n\n[Mustang Panda](https://attack.mitre.org/groups/G0129) distributed malicious LNK objects for user execution during [RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047).(Citation: Recorded Future RedDelta 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has used DropBox URLs to deliver variants of [PlugX](https://attack.mitre.org/software/S0013).(Citation: Proofpoint TA416 Europe March 2022) [Mustang Panda](https://attack.mitre.org/groups/G0129) has also used Google Drive to host malicious downloads.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1047", "comment": "[Mustang Panda](https://attack.mitre.org/groups/G0129) has executed PowerShell scripts via WMI.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Mustang Panda", "color": "#66b1ff"}, {"label": "used by a campaign attributed to Mustang Panda", "color": "#ff6666"}, {"label": "used by Mustang Panda and used by a campaign attributed to Mustang Panda", "color": "#ff66f4"}]}