Mustang Panda
G01292 reportsAnalyst assessment — key judgments
- Signature techniques: T1588.006 (Vulnerabilities), T1583 (Acquire Infrastructure), T1592 (Gather Victim Host Information).
- Primary targeting: CN, KR, JP, TW.
- Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
- Hunt coverage 32% of 47 observed techniques (32 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Movement — last 30 days
Vulnerabilities in this actor's reporting · 2
- CVE-2025-55182KEV1 rpt
- CVE-2026-42897KEV1 rpt
Overview
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. (Citation: BlackBerry MUSTANG PANDA October 2022)(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler)
ATT&CK technique matrix
- T1588.006 · Vulnerabilitiesconf 652
- T1583 · Acquire Infrastructureconf 601
- T1592 · Gather Victim Host Informationconf 601
- T1588.007 · Artificial Intelligenceconf 601
- T1590.005 · IP Addressesconf 601
- T1587.001 · Malwareconf 601
- T1592.001 · Hardwareconf 601
- T1195 · Supply Chain Compromiseconf 601
- T1684 · Social Engineeringconf 601
- T1036 · Masqueradingconf 601
- T1027.016 · Junk Code Insertionconf 601
- T1591.002 · Business Relationshipsconf 601
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|