
Mustang Panda

Mustang Panda (aka Bronze President, RedDelta, HoneyMyte, TA416, Earth Preta, Stately Taurus) is a China-aligned cyber espionage group active since at least 2017 (possibly as early as 2014). Known for spear-phishing and custom malware such as PlugX, Cobalt Strike, Hodur, PubLoad, MQsTTang, and ToneShell, the group has targeted governments, NGOs, think tanks, religious organizations, and dissident communities worldwide. Its operations closely follow Chinese strategic interests: monitoring Tibetan and Uyghur groups, spying on the Vatican, and collecting intelligence on EU policy during the Ukraine war. Mustang Panda remains highly active in 2025, running global campaigns aligned with Beijing’s geopolitical goals.

Aliases: Mustang Panda, Bronze President, RedDelta, HoneyMyte, TA416, Earth Preta, Stately Taurus, Camaro Dragon, Hive0154

Origin: China

Years Active: 2017 – Present

Motivation: State-sponsored espionage supporting PRC geopolitical, security, and religious policy

Primary Targets: Governments, NGOs, think tanks, minority rights groups, religious institutions, diplomatic entities, international organizations

Tactics, Techniques, and Procedures (TTPs)

Initial Access: Spear-phishing with LNK-in-ZIP archives, malicious Google Drive/Dropbox links, double extension tricks (.pdf.lnk)

Malware Families: PlugX/Korplug (multiple variants), Cobalt Strike Beacon, Hodur, RCSession, ORat, PUBLOAD + PubShell, MQsTTang, ToneShell/ToneIns, Hiupan USB worm

Persistence & Evasion: DLL side-loading, decoy documents, HTML smuggling, malicious router firmware (Horse Shell)

Post-Exploitation: Credential dumping (Mimikatz), network recon (AdFind, PowerView), lateral movement, data staging in encrypted RAR archives

C2: HTTP(S), custom protocols, dynamic DNS, MQTT (MQsTTang), occasionally cloud services
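
The LNK-in-ZIP and double-extension lure pattern listed under Initial Access can be triaged at the mail gateway or in a sandbox before the archive reaches a user. The Python script below is an added example written for this page, not code from any vendor report or from the group's tooling; it constructs a sample archive in memory with placeholder content (the entry names are made up) and flags shortcut entries both by name and by the Shell Link header bytes, so a shortcut renamed to hide its extension is still caught.

```python
import io
import zipfile
from dataclasses import dataclass

# Shell Link (.LNK) header: HeaderSize 0x4C then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions a lure might put in front of ".lnk" so Explorer shows a document name.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

@dataclass
class Finding:
    name: str
    reason: str

def inspect_zip(data: bytes) -> list[Finding]:
    """Return one Finding per suspicious entry in the archive bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if parts[-1] == "lnk":
                # Name-based check: ".pdf.lnk" style double extension vs. plain .lnk
                if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
                    findings.append(Finding(info.filename, f"double-extension shortcut (.{parts[-2]}.lnk)"))
                else:
                    findings.append(Finding(info.filename, "shortcut file inside archive"))
            elif head == LNK_MAGIC:
                # Content-based check catches a shortcut renamed to hide its extension
                findings.append(Finding(info.filename, "LNK header with non-.lnk extension"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign document, one .pdf.lnk, one renamed LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Agenda.docx", b"placeholder document content, not a real file")
        zf.writestr("Invitation.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # header bytes only
        zf.writestr("Photo.jpg", LNK_MAGIC + b"\x00" * 60)           # header bytes only
    return buf.getvalue()

if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"{finding.name}: {finding.reason}")
```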

Notable Campaigns & Operations

2017 – Mongolia focus: Phishing U.S. think tank with Mongolian themes

2018–19 – NGOs & Asian governments: Mongolian, Indian, and NGO targets compromised at scale

2020 – RedDelta/Vatican: Hacked Catholic Church before China–Vatican deal renewal

2020 – COVID lures: Fake pandemic notices in Vietnam and SE Asia

2021 – Indonesian intelligence hack: Suspected Mustang Panda intrusion into BIN

2022 – Ukraine war espionage: Targeted EU governments and Russian orgs with conflict-themed lures

2022 – Operation SmugX: Stealth campaign against European ministries

2023 – MQsTTang & ASEAN ops: New backdoor deployed; campaigns in Slovakia, Philippines, Myanmar

2025 – Tibetan exile community: Lures tied to Dalai Lama’s 90th birthday, PubLoad malware deployed

Infrastructure & IOCs

<Currently Compiling>

Regional & Geopolitical Context

Tracks PRC priorities: Tibet, Xinjiang, Hong Kong, religion (Vatican), ASEAN neighbors, Belt & Road projects, Ukraine crisis

Focus on dissident groups and minority communities (aligned with CCP “Five Poisons” strategy)

Likely operates under PRC intelligence direction (MSS links suspected)

Threat Assessment

Sophistication: Moderate–High (rapid exploit adoption, custom malware, router implants, USB worms)

Current Activity: Highly active as of 2025 across Asia, Europe, and North America

Risk Profile: Governments, NGOs, religious and activist communities, and critical industries connected to Chinese interests

References

CrowdStrike (2018–2021): “Bronze President” reports – early attribution and operations in Mongolia/NGOs.

Secureworks (2019): “Bronze President – China-Based Espionage Group Targeting NGOs and Think Tanks” (first public full profile).

Recorded Future (Insikt Group, 2020–2024): Multiple reports on RedDelta/Mustang Panda campaigns against Europe, SE Asia, Vatican.

Proofpoint (2021): TA416 phishing campaigns; new C2 tools identified.

ESET (2021, 2023): Hodur backdoor discovery (2021); MQsTTang backdoor (2023).

Trend Micro (2022): “Earth Preta” – documenting large-scale espionage + USB worm Hiupan spreading PUBLOAD.

Check Point (2020–2023): Reports on PlugX evolution and Cobalt Strike use.

Palo Alto Unit 42 (2022): Operation “SmugX” – European ministries targeted with HTML smuggling.

IBM X-Force (2021–2022): Mustang Panda campaigns tied to Belt & Road initiatives.

Positive Technologies (2022): PlugX cluster analysis in Russia/Europe.

Campaign Timeline

2014

Targets: U.S. think tank using Mongolian-themed lures
Method: Spear-phishing with malicious documents → PlugX backdoor
Impact: Early public attribution to Mustang Panda (aka Bronze President)

2018–2019

Targets: NGOs, diplomatic entities, Mongolian and Indian government organizations
Method: Spear-phishing with Google Drive links + LNK droppers → PlugX, Cobalt Strike
Impact: Long-term espionage footholds in South & Central Asia

2020

Targets: Vatican and Catholic Diocese in Hong Kong
Method: Phishing with religious-themed lures → PlugX
Impact: Intelligence collected before China–Vatican diplomatic accord renewal

2020 COVID

Targets: SE Asian governments (Vietnam, Myanmar)
Method: Phishing using pandemic-related lures → PlugX & Cobalt Strike
Impact: Espionage aligned with regional COVID policy monitoring

2021

Targets: Indonesian State Intelligence Agency (BIN)
Method: Spear-phishing with PlugX loaders
Impact: Sensitive intel breach (unconfirmed, but attributed)

Hodur Malware Campaign

Targets: EU diplomats, Myanmar-based entities
Method: New PlugX variant “Hodur” deployed via phishing
Impact: Enhanced persistence + anti-analysis features

2022

Targets: EU governments, Russian research organizations
Method: LNK-in-ZIP spear-phishing → PlugX, Cobalt Strike
Impact: Intelligence gathering during Russia–Ukraine conflict

Operation SmugX

Targets: European ministries and diplomatic staff
Method: HTML smuggling + PlugX loaders
Impact: Stealthy espionage operations across Europe

Earth Preta Campaign

Targets: Global NGOs, telecoms, governments (200+ victims)
Method: PUBLOAD downloader + Hiupan USB worm spreading PlugX
Impact: Large-scale espionage; strong ASEAN focus

2023

Targets: Government entities in Europe & Asia
Method: Custom backdoor using MQTT messaging protocol
Impact: Expanded stealth C2 techniques

ASEAN & European Operations

Targets: Slovak government network, Philippines, Myanmar NGOs
Method: PlugX + PUBLOAD infections
Impact: Espionage into regional policy + Belt & Road initiatives

Horse Shell Router Implant

Targets: Random global TP-Link routers (used as C2 nodes)
Method: Malicious firmware (Horse Shell)
Impact: Persistent hidden infrastructure for Mustang Panda ops

2023

Targets: Philippine government, Taiwan research, Pakistan ministries, U.S. government contractors
Method: PlugX, MQsTTang, ToneShell/ToneIns variants
Impact: Continued alignment with PRC foreign policy interests

Tibetan Exile Community Campaign

Targets: Tibetan NGOs, Dalai Lama-linked groups
Method: PubLoad + PubShell malware via decoy documents
Impact: Monitoring of exiled communities abroad