
Attack Anatomy


Mustang Panda deploys evasive, multi-stage malware for intelligence gathering (Attack Anatomy)

The APT group designated Mustang Panda has targeted governments around the world, including the U.S., Mongolia, Myanmar, Hong Kong, Japan, and Thailand.

Howard Poston, Jan 27, 2025

Mustang Panda is believed to be a Chinese state-sponsored threat actor operating since at least 2012 specializing in cyber espionage. 

The malware and precise techniques that Mustang Panda uses have shifted over time and from one campaign to another. However, their overall strategy of using multi-stage malware and DLL Side-Loading, and their preferred malware—PlugX—have stayed relatively constant for the last decade.

This is the fourth article in our Attack Anatomy series, which examines a cyberattack or a threat actor through the lens of the MITRE ATT&CK framework. 

Like other posts in the Attack Anatomy series, this article overviews the techniques used by Mustang Panda and maps them to Hack The Box (HTB) resources for teams to gain hands-on experience with attacking and defending.

Mustang Panda and PlugX malware campaign attack techniques explained

| Mustang Panda Action | MITRE ATT&CK Technique | HTB Academy Modules | Pentesting Labs | Defensive Labs |
|---|---|---|---|---|
| Malicious archive files attached to emails | T1566.001 Phishing: Spearphishing Attachment | Malicious Document Analysis | HorsePanda, String | HorsePanda -D |
| Tricking users into executing programs | T1204.002 User Execution: Malicious File | Malicious Document Analysis | HorsePanda, Moniker | HorsePanda -D |
| .url attachments on phishing emails | T1566.002 Phishing: Spearphishing Link | Understanding Log Sources & Investigating with Splunk | HorsePanda | HorsePanda -D |
| Load malware into a legitimate process via DLL Side-Loading | T1574.002 Hijack Execution Flow: DLL Side-Loading | Windows Privilege Escalation | HorsePanda, Watch | HorsePanda -D |
| Encrypting PlugX and other malware | T1027 Obfuscated Files or Information | JavaScript Deobfuscation | HorsePanda | HorsePanda -D |
| Digitally signed DOWNBAIT malware | T1553.002 Subvert Trust Controls: Code Signing | Introduction to Malware Analysis | HorsePanda | HorsePanda -D |
| Loading downloaded PULLBAIT shellcode into memory | T1055 Process Injection | Introduction to Windows Evasion Techniques | HorsePanda | HorsePanda -D |
| Compress collected data in archive files for exfiltration | T1560 Archive Collected Data | File Transfers | HorsePanda, Follina | HorsePanda -D |

Test or defend systems against Mustang Panda’s techniques

HorsePanda is a threat-informed lab that focuses on simulating an APT campaign based on the techniques employed by Mustang Panda, including phishing and DLL side-loading. 

This lab provides a simplified yet realistic environment for your security team to practice the fundamentals of the attack (crafting a RAR file containing a Windows shortcut disguised as a Word document, which points to a legitimate signed executable accompanied by a malicious DLL).

HorsePanda -D, on the other hand, is a defensive lab in which your team investigates a system compromised by a threat group employing techniques from Mustang Panda and the Uroburos rootkit. It helps your team practice fortifying the organization’s defenses, investigating a breach, and reconstructing the attack path in order to write effective detection rules.

Explore HorsePanda Labs on HTB Enterprise

When my manager tasked me with creating a lab based on a real-world APT campaign, I immediately thought of Mustang Panda.

Their attacks, while being highly relevant in the current landscape, are based on a few fundamental principles that can be easily demonstrated in a beginner-focused training program.

To this end, I chose to simplify the malware development stage by disabling some common protections typically enabled on production systems, in order to keep the focus on the attack vector itself and the way users are manipulated into executing the payload.

I believe this approach is particularly beneficial for beginners, as it offers an insight into how threat actors think and operate without overwhelming them with technical details. 

polarbearer (lab creator of HorsePanda)

As soon as I learned about the Mustang Panda simulation, I started researching their techniques and found their initial access method particularly intriguing.

This led me to think about other fascinating attacker strategies, and the Uroburos rootkit—my previous simulation—came to mind.

I developed a Sherlock scenario combining these two unique attacker techniques, allowing players to create detection rules in their environments to identify similar threats in the future. 

Kartik Durg (iamr007), Defensive Content Engineer (lab creator of HorsePanda -D)

Inside Mustang Panda attack campaigns

Note💡: Public reporting gives a reasonably clear picture of the techniques and tools Mustang Panda has used, but not every detail has been confirmed by the affected parties. The techniques described in this anatomy are therefore attributed to the group on the basis of that public reporting.

Initial access

Historically, Mustang Panda has gained initial access to target environments through spear phishing. The emails typically carry Google Drive links or malicious attachments, with pretexts tied to current events.

For example, the BlackBerry Research and Intelligence Team reported a campaign in December 2022 that delivered a malicious archive titled “Political Guidance for the new EU approach towards Russia.rar” (MITRE ATT&CK Spearphishing Attachment, T1566.001).

Figure: DLL sideloading

A 2023 campaign reported by Trend Micro used infected USB drives to reach new environments. It employed the HIUPAN worm, which infects a host and copies itself to any other removable drive connected to that system (ATT&CK Replication Through Removable Media, T1091).

The infection then downloaded the PUBLOAD malware from the attackers’ command and control (C2) server to set up the next stage of the attack.

Malware download

Depending on the campaign, Mustang Panda packages different files into its spear-phishing emails or infected USB drives. A common payload is an archive (RAR, ZIP, or another format) containing several files.

One of them is typically an LNK (shortcut) file pointing to a legitimate executable elsewhere in the archive. The LNK is named with a double extension so that it appears to be the document the email promises. Explorer never displays the .lnk extension, so a shortcut named Doc.docx.lnk is shown as Doc.docx even when extension display is turned on. The same trick works with an executable named Doc.docx.exe if the user has extensions for known file types hidden in Windows Explorer, which is the default setting. When the user opens the apparent document, the shortcut launches the executable instead (ATT&CK User Execution: Malicious File, T1204.002).

The group has also attached .url files to phishing emails (ATT&CK Phishing: Spearphishing Link, T1566.002). Opening one sends the user’s browser to an attacker-controlled page, which downloads a payload with contents similar to the archives used in other campaigns.
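As an added example (not code from the article or from the HTB labs), the following Python script performs the static triage a responder would do on such an archive before anyone opens it: it flags double-extension members, shows how Explorer would display each name, identifies members by magic bytes rather than by name, and lists EXE and DLL files dropped side by side. The sample archive is constructed in the script; it is a ZIP standing in for the RAR files the campaigns used, the member contents are placeholder bytes, and the member names mirror those mentioned on this page. Python’s standard library does not read RAR, so in practice the same logic would run over a rarfile or 7z listing.

```python
"""Static triage of a lure archive: double extensions, Explorer display names,
content type by magic bytes, and co-located EXE+DLL pairs.

Constructed example, standard library only. The ZIP built below stands in for
the RAR archives Mustang Panda used; member contents are placeholders.
"""
import io
import ntpath
import zipfile

# ShellLink header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PE_MAGIC = b"MZ"
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
EXEC_EXTS = {".lnk", ".exe", ".scr", ".com", ".bat", ".cmd", ".url"}


def sniff(data):
    """Identify content by its magic bytes instead of trusting the file name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"


def displayed_name(name, hide_known_ext):
    """Approximate what Explorer shows. .lnk is hidden unconditionally (NeverShowExt);
    other registered extensions disappear only when 'Hide extensions for known file
    types' is on, which is the default."""
    base, ext = ntpath.splitext(name)
    ext = ext.lower()
    if ext == ".lnk" or (hide_known_ext and ext in EXEC_EXTS | DOC_EXTS):
        return base
    return name


def triage_member(name, data):
    """Return a list of findings for one archive member (empty when nothing is suspicious)."""
    findings = []
    base, ext = ntpath.splitext(name)
    ext = ext.lower()
    inner_ext = ntpath.splitext(base)[1].lower()
    if ext in EXEC_EXTS and inner_ext in DOC_EXTS:
        findings.append("double extension (%s content); Explorer shows it as %r"
                        % (sniff(data), displayed_name(name, True)))
    return findings


def sideload_pairs(names):
    """EXE and DLL in the same archive directory: the typical side-loading kit."""
    exes = [n for n in names if n.lower().endswith(".exe")]
    dlls = [n for n in names if n.lower().endswith(".dll")]
    return [(e, d) for e in exes for d in dlls if ntpath.dirname(e) == ntpath.dirname(d)]


def triage_zip(blob):
    """Triage every member of an in-memory ZIP; returns (findings by name, exe/dll pairs)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        for name in names:
            findings = triage_member(name, zf.read(name))
            if findings:
                report[name] = findings
    return report, sideload_pairs(names)


def build_sample():
    """Constructed lure: disguised shortcut, host executable and DLL stand-ins, one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Political Guidance.docx.lnk", LNK_MAGIC + b"\x00" * 56)  # the disguised shortcut
        zf.writestr("UsbConfig.exe", PE_MAGIC + b"\x90" * 62)                # stands in for the signed host binary
        zf.writestr("u2ec.dll", PE_MAGIC + b"\x90" * 62)                     # stands in for the side-loaded DLL
        zf.writestr("notes.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    report, pairs = triage_zip(build_sample())
    for name, findings in report.items():
        print(name, "->", "; ".join(findings))
    print("side-load pairs:", pairs)
```

The display-name check is the part most often missed: because Explorer suppresses .lnk regardless of the user’s settings, a shortcut is the one disguise that survives turning extension display on.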

DLL sideloading

Mustang Panda’s preferred attack chain uses DLL Side-Loading (ATT&CK Hijack Execution Flow: DLL Side-Loading, T1574.002) to hide its malware behind a trusted program.

The technique abuses the order in which Windows searches for a DLL that an executable loads by name rather than by full path.

After checking modules that are already loaded and the KnownDLLs list, the first location Windows searches is the directory containing the executable. A malicious DLL placed next to a legitimate executable, carrying the name of a DLL that executable imports, is therefore loaded and run inside the legitimate process.

Mustang Panda payloads commonly contain a legitimate, signed Windows executable, such as UsbConfig.exe, together with a malicious DLL carrying the name of one that executable depends on, such as u2ec.dll. When the user opens the disguised shortcut, Windows launches the legitimate program, which in turn loads the malicious DLL.

This helps the attacker stay hidden: when a user or administrator looks at the running processes in Task Manager, only the legitimate executable appears, while the malicious code runs inside it. What exposes the technique is looking at which DLLs a process actually loaded, and from where.

Multi-stage malware infection

Mustang Panda’s attacks generally involve multi-stage malware with a range of capabilities. Typically an initial malicious program downloads and runs the next one.

The chain includes code that decodes the next stage, which is downloaded or stored on disk in encrypted form to evade detection (MITRE ATT&CK Obfuscated Files or Information, T1027).
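As an added example (not from the article), the script below shows the defender’s side of this: a per-chunk Shannon entropy scan that locates an encrypted blob embedded in an otherwise low-entropy file, and the decode of that blob once the keystream is known. The sample file is constructed in the script (a text stub followed by a placeholder second stage XOR-encrypted with a seeded keystream); the chunk size and threshold are assumptions to tune.

```python
"""Per-chunk Shannon entropy to locate an encrypted payload inside a file, plus
the decode step. Constructed example: the 'file' is a low-entropy text stub
followed by a placeholder second stage XOR-encrypted with a seeded keystream."""
import math
import random
from collections import Counter

CHUNK = 1024       # assumption: scan window in bytes
THRESHOLD = 7.2    # assumption: bits/byte; encrypted or random data sits near 7.8-8.0


def shannon_entropy(data):
    """Entropy in bits per byte of the given bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data, chunk=CHUNK, threshold=THRESHOLD):
    """Return [(offset, entropy), ...] for every full chunk above the threshold."""
    regions = []
    for off in range(0, len(data) - chunk + 1, chunk):
        h = shannon_entropy(data[off:off + chunk])
        if h > threshold:
            regions.append((off, round(h, 2)))
    return regions


def merge_regions(regions, chunk=CHUNK):
    """Collapse adjacent flagged chunks into (start, end) spans of the suspected blob."""
    spans = []
    for off, _ in regions:
        if spans and spans[-1][1] == off:
            spans[-1] = (spans[-1][0], off + chunk)
        else:
            spans.append((off, off + chunk))
    return spans


def xor_stream(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def build_sample():
    """Constructed file: 2 KiB text stub, then 4 KiB encrypted placeholder stage."""
    rng = random.Random(7)
    stub = (b"Loader stub: decrypts and maps the next stage.\r\n" * 64)[:2048]
    stage = (b"placeholder second stage, not malware " * 200)[:4096]
    keystream = bytes(rng.getrandbits(8) for _ in range(len(stage)))
    return stub + xor_stream(stage, keystream), stage, keystream


def carve_and_decode(blob, keystream):
    """Locate the first high-entropy span and decode it; returns ((start, end), plaintext)."""
    spans = merge_regions(high_entropy_regions(blob))
    start, end = spans[0]
    return (start, end), xor_stream(blob[start:end], keystream)


if __name__ == "__main__":
    blob, stage, key = build_sample()
    for off, h in high_entropy_regions(blob):
        print(f"offset {off:#06x}: {h} bits/byte")
    span, plain = carve_and_decode(blob, key)
    print("suspected blob at", span, "decodes correctly:", plain == stage)
```

Compressed data (ZIP and OOXML containers, JPEG, PNG) also scores close to 8 bits per byte, so entropy alone is a triage hint rather than a verdict; pair it with magic-byte checks and, for PE files, with section metadata such as a high-entropy section that is also marked executable.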

While the overall structure of the attack chain stays fairly constant, the malware Mustang Panda uses varies. For example, a spear-phishing campaign that Trend Micro observed in June 2024 involved the following malware:

  • DOWNBAIT: Digitally signed downloader (ATT&CK Subvert Trust Controls: Code Signing, T1553.002) retrieved via a .url attachment in an email.

  • PULLBAIT: Shellcode downloaded by DOWNBAIT and executed in memory (ATT&CK Process Injection, T1055) so that it never has to be written to disk. It goes on to download CBROVER.

  • CBROVER: Backdoor used to download PlugX.

  • PlugX: A modular remote access trojan (RAT). The core grants the attacker remote control over the device and can fetch additional modules to add capabilities.

  • FILESAC: File collector that gathers document and image files, compresses them into an archive, and exfiltrates them (ATT&CK Archive Collected Data, T1560).

Other campaigns use different toolsets, including Cobalt Strike (a commercial adversary-simulation framework widely abused by threat actors), PUBLOAD (downloader and network mapper), FDMTP (downloader), and PTSOCKET (exfiltration tool).

Most campaigns, however, deliver PlugX in the end, even though the loaders and stagers used to deliver it change from one campaign to the next.

Prepare for emerging threats with HTB

Hack The Box’s workforce development programs map to frameworks like MITRE ATT&CK, MITRE D3FEND, and NIST NICE, providing hands-on experience with various techniques. 

Instead of just reading about how a technique works, security teams can perform or defend against the attack in a realistic environment. This leads to a deeper understanding and an enhanced ability to manage threats within their enterprise environments.
