Picus Labs | 3 MIN READ

LAST UPDATED ON OCTOBER 17, 2025

Picus Threat Library Updated for Operation Dianxun Campaign of the Mustang Panda APT Group

Picus Labs has expanded the Picus Threat Library with new simulations that emulate malware and techniques linked to Operation Dianxun, an espionage campaign attributed to Mustang Panda, also known as Bronze President, TEMP.Hex, HoneyMyte, and Red Lich. Active since at least 2014, Mustang Panda is widely assessed as a China-originated threat actor that conducts long running intelligence collection across multiple regions. The group has focused on targets in Asia, Europe, and North America, with a strong emphasis on telecommunications, aviation, government entities, nongovernmental organizations, and think tanks. By reproducing the behaviors seen in Operation Dianxun, these simulations help security teams measure real detection coverage and prioritize fixes based on evidence rather than assumptions.

Reporting on Mustang Panda highlights a consistent toolchain and tradecraft. Campaigns often begin with spearphishing that uses policy themed lures, compressed archives, and shortcut files to deliver loaders and backdoors. Operators rely on custom malware families and well known frameworks for command and control, data staging, and lateral movement, while living off the land techniques and legitimate admin tools reduce their footprint and evade basic detections. The updated Picus content maps these behaviors to MITRE ATT&CK across initial access, persistence, discovery, credential access, command and control, and exfiltration. Organizations can use the scenarios to validate EDR, NDR, and SIEM detections, harden email and web controls, monitor for suspicious archive execution and shortcut abuse, enforce multifactor authentication for administrative and remote access, and segment high value systems. Running these tests on a regular cadence confirms that defenses can detect and contain Mustang Panda activity early, before sensitive information is collected and exfiltrated.

Mustang Panda uses a range of tools in its attack campaigns, including the RedDelta loader and Cobalt Strike beacons.

Operation Dianxun APT Campaign

This operation has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology [1]. The attackers are believed to have used a phishing website masquerading as the Huawei career page. The operation relies on a dropper disguised as Adobe Flash Player, which deploys a Cobalt Strike beacon onto victim systems.

Picus Labs has updated the Picus Threat Library with the following malicious files used in Operation Dianxun by the Mustang Panda APT group:

Picus ID   Threat Name
778018     Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-1
465445     Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-2
605412     Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-3
434099     Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-4
697029     Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-5

This attack includes downloading a .exe file of the Cobalt Strike Beacon dropper used by the Mustang Panda group in the Dianxun campaign. Operation Dianxun targets telecommunication companies. The tactics, techniques, and procedures (TTPs) used in the attack are similar to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. This operation has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology. Samples from this attack inject into explorer.exe and other remote processes and interact with the primary disk partition (DR0). They also spawn many processes, modify file/console tracing settings (a technique often used to hide footprints on the system), and read the active computer name. Lastly, these samples attempt to communicate with C2 servers.
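As an added example (not code from the Picus post or its simulations), the Python below scores constructed Sysmon-style events for three of the host behaviours described above: remote-thread injection into explorer.exe, raw reads of the primary disk (\Device\Harddisk0\DR0) and changes to file/console tracing values. Sysmon event IDs 8, 9 and 13 (CreateRemoteThread, RawAccessRead, registry value set) are real; the sample lines, the key=value format, the image name and the two-behaviour threshold are assumptions for illustration.

```python
# Added example: flag the Dianxun-sample host behaviours in Sysmon-style events.
# Sysmon IDs: 8 = CreateRemoteThread, 9 = RawAccessRead, 13 = registry value set.
import re
from collections import defaultdict

# Constructed sample events in a simple "key=value" form (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\u\\Downloads\\InstallFlashPlayer.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=8 SourceImage=C:\\Users\\u\\Downloads\\InstallFlashPlayer.exe TargetImage=C:\\Windows\\explorer.exe",
    "EventID=9 Image=C:\\Users\\u\\Downloads\\InstallFlashPlayer.exe Device=\\Device\\Harddisk0\\DR0",
    "EventID=13 Image=C:\\Users\\u\\Downloads\\InstallFlashPlayer.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Tracing\\InstallFlashPlayer_RASAPI32\\FileTracingMask",
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Foo",
    "EventID=9 Image=C:\\Windows\\System32\\vssvc.exe Device=\\Device\\HarddiskVolume1",
]

# HKLM\SOFTWARE\Microsoft\Tracing\<app>\FileTracingMask / ConsoleTracingMask
TRACING_KEY = re.compile(r"\\Microsoft\\Tracing\\.*\\(File|Console)TracingMask$", re.I)
PRIMARY_DISK = re.compile(r"\\Device\\Harddisk0\\DR0$", re.I)
INJECTION_TARGETS = {"explorer.exe"}

def parse(line):
    """Split a key=value event line into a dict (constructed format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(ev):
    """Return the behaviour name an event matches, or None."""
    eid = ev.get("EventID")
    target = ev.get("TargetImage", "").lower().rsplit("\\", 1)[-1]
    if eid == "8" and target in INJECTION_TARGETS:
        return "injects_into_explorer"
    if eid == "9" and PRIMARY_DISK.search(ev.get("Device", "")):
        return "raw_read_primary_disk"
    if eid == "13" and TRACING_KEY.search(ev.get("TargetObject", "")):
        return "modifies_tracing_settings"
    return None

def score_hosts(lines, threshold=2):
    """Group behaviours by originating image; report images with >= threshold distinct hits."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse(line)
        tag = classify(ev)
        if tag:
            hits[ev.get("SourceImage") or ev.get("Image")].add(tag)
    return {img: sorted(tags) for img, tags in hits.items() if len(tags) >= threshold}

if __name__ == "__main__":
    for image, tags in score_hosts(SAMPLE_EVENTS).items():
        print(f"SUSPICIOUS {image}: {', '.join(tags)}")
```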

Other Threats of Mustang Panda in Picus Threat Library

The Picus Threat Library contains 7 threats attributed to the Mustang Panda threat group, including:

  • InstallFlashPlayer Loader Malware used by Mustang Panda Threat Group
  • RAT Malware used by Mustang Panda Threat Group

MITRE ATT&CK Techniques used by Mustang Panda

  • T1053 - Scheduled Task
  • T1047 - Windows Management Instrumentation
  • T1036 - Masquerading
  • T1112 - Modify Registry
  • T1406 - Obfuscation of Files or Information
  • T1218.011 - Signed Binary Proxy Execution
  • T1518 - Software Discovery

References

[1] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-operation-dianxun/
