THREATOPS Actor Dossier
LIVE ← Dashboard

Mustang Panda

G01292 reports
aliases · Mustang Panda · TA416 · RedDelta · BRONZE PRESIDENT · STATELY TAURUS · FIREANT · CAMARO DRAGON · EARTH PRETA · HIVE0154 · TWILL TYPHOON · TANTALUM · LUMINOUS MOTH · UNC6384 · TEMP.Hex · Red Lich · ClumsyToad
Export dossier:
2
Reports
12
Techniques
4
Tactics
8
Countries
32%
Hunt coverage
16
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1588.006 (Vulnerabilities), T1583 (Acquire Infrastructure), T1592 (Gather Victim Host Information).
  • Primary targeting: CN, KR, JP, TW.
  • Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
  • Hunt coverage 32% of 47 observed techniques (32 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2026-02-20 · last 2026-05-11
0
7d
0
30d
1
90d
2
All
0.1
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

Dropped (90d+)
T1583.002T1021.007T1059.001T1584.002T1027.015

Vulnerabilities in this actor's reporting · 2

Overview

Analyst triage
Intelligence summary

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. (Citation: BlackBerry MUSTANG PANDA October 2022)(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected