
Mustang Panda

Malware Dissection Playbook

Mustang Panda has consistently used DLL sideloading techniques to deliver PlugX malware in SEA campaigns. These loaders rely on pairing a legitimate signed executable with a malicious DLL of the same name placed in the same folder. Targets often include governments, NGOs, telecoms, and think tanks in the Philippines, Vietnam, Myanmar, and Cambodia.

Analysis

Execution Chain

1. Victim opens archive (ZIP/RAR) → double-clicks signed EXE.

2. EXE searches for DLL in local folder → loads attacker DLL.

3. DLL decrypts embedded PlugX payload in memory.

4. PlugX connects to C2 for commands.

Persistence

  • Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)

  • Scheduled Tasks mimicking updater jobs.

Evasion

  • Anti-debug: IsDebuggerPresent, timing delays.

  • Anti-VM: CPUID checks, virtual NIC names.

  • Obfuscation: String encoding, config encryption

Networking

  • HTTP(S) GET/POST requests with fake update paths.

  • User-Agent impersonation (often 'Mozilla/5.0').

  • C2 rotation with disposable domains.

IOCs and Artifacts

This collection highlights key artifacts and IOCs we consider most relevant for analysts developing detection rules or conducting research. For YARA rules, please refer to the community repository.


Note: We do not publish or accept file hashes unless they are used to illustrate a specific malware technique or reference research (either our own analysis or external sources). Our focus is on dynamic detection logic and deeper research, rather than relying solely on static indicators.

File Artifacts (DLL Sideloading):

  • Rundll32.exe → loads fake DLL

  • McAfee.exe + McUtil.dll (common sideload pair)

  • NVIDIA.exe + NvSmartMax.dll

  • AVP.exe (Kaspersky) + avpm.dll


Common staging locations:

  • %AppData%\Roaming\

  • %AppData%\Local\Temp\

  • %ProgramData%\

  • %SystemRoot%\System32\Tasks\


Registry Persistence:

  • Run Key Persistence

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate → points to sideloaded EXE


Service Install:

  • HKLM\SYSTEM\CurrentControlSet\Services\PlugX


Scheduled Tasks:

  • Task names mimicking update services:

    • Windows Update Service

    • Adobe Acrobat Update


Domains:

  • hxxp://update-check.org

  • hxxp://windows-updates.net

  • hxxp://cdn-support.org

  • hxxp://mail-office365.org

IPs:

  • hxxp://103.27.202.56

  • hxxp://203.131.222.102

  • hxxp://45.114.11.122


Patterns:

  • HTTP with fake updater paths:

    • /update/get

    • /download/service

  • User-Agent strings:

    • Mozilla/5.0 (generic spoofing)

    • Sometimes random combinations of Chrome/IE versions.

References:

Kaspersky Securelist: PlugX in SEA espionage campaigns.

ASEAN Cybersecurity Centre of Excellence reports (PlugX, Mustang Panda activity across PH/VN/MM).

Recorded Future: Mustang Panda Targets SEA Governments (2019–2021).

Secureworks CTU: Threat Group TA416 Deploys New PlugX Variant (2020).

Cisco Talos: Mustang Panda Leveraging PlugX (2022).

SentinelLabs: Mustang Panda Campaigns Target EU & SEA (2022).

FireEye (now Mandiant): PlugX Malware Variants (deep dive into how PlugX loaders evolve).

Trend Micro: DLL Side-Loading as an Attack Vector (includes PlugX examples).

Palo Alto Unit42: PlugX Malware Using DLL Side-Loading (2017–2019 campaigns).
