Picus Threat Library Updated for Operation Dianxun Campaign of the Mustang Panda APT Group

Written by Picus Labs | Mar 26, 2021 12:28:30 PM

Picus Labs has expanded the Picus Threat Library with new simulations that emulate malware and techniques linked to Operation Dianxun, an espionage campaign attributed to Mustang Panda, also known as Bronze President, TEMP.Hex, HoneyMyte, and Red Lich. Active since at least 2014, Mustang Panda is widely assessed as a China-originated threat actor that conducts long-running intelligence collection across multiple regions. The group has focused on targets in Asia, Europe, and North America, with a strong emphasis on telecommunications, aviation, government entities, nongovernmental organizations, and think tanks. By reproducing the behaviors seen in Operation Dianxun, these simulations help security teams measure actual detection coverage and prioritize fixes based on evidence rather than assumptions.

Reporting on Mustang Panda highlights a consistent toolchain and tradecraft. Campaigns often begin with spearphishing that uses policy-themed lures, compressed archives, and shortcut files to deliver loaders and backdoors. Operators rely on custom malware families and well-known frameworks for command and control, data staging, and lateral movement, while living-off-the-land techniques and legitimate admin tools reduce their footprint and evade basic detections. The updated Picus content maps these behaviors to MITRE ATT&CK across initial access, persistence, discovery, credential access, command and control, and exfiltration. Organizations can use the scenarios to validate EDR, NDR, and SIEM detections, harden email and web controls, monitor for suspicious archive execution and shortcut abuse, enforce multifactor authentication for administrative and remote access, and segment high-value systems. Running these tests on a regular cadence confirms that defenses can detect and contain Mustang Panda activity early, before sensitive information is collected and exfiltrated.

Mustang Panda uses a range of tools in its attack campaigns, including the RedDelta loader and Cobalt Strike beacons.

Operation Dianxun APT Campaign

This operation has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology [1]. The attackers are believed to have used a phishing website masquerading as the Huawei careers page. The operation uses a dropper that poses as an Adobe Flash Player installer; this dropper deploys a Cobalt Strike Beacon on the victim's system.

Picus Labs has updated the Picus Threat Library with the following malicious files used in Operation Dianxun by the Mustang Panda APT group:

| Picus ID | Threat Name |
|---|---|
| 778018 | Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-1 |
| 465445 | Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-2 |
| 605412 | Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-3 |
| 434099 | Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-4 |
| 697029 | Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-5 |

This attack includes downloading a .exe file of the Cobalt Strike Beacon dropper used by the Mustang Panda group in the Dianxun campaign. Operation Dianxun targets telecommunication companies. The tactics, techniques, and procedures (TTPs) used in the attack are similar to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. The operation has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology. Samples of this attack inject into explorer.exe and other remote processes and interact with the primary disk partition (DR0). They also spawn many processes, modify file/console tracing settings (a technique often used to hide footprints on the system), and read the active computer name. Lastly, the samples attempt to communicate with C2 servers.
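As an added defender-side example (not Picus code and not Threat Library content), the following Python correlates constructed Sysmon-style events into the behavior chain described above: a Flash-named binary without Adobe publisher metadata, a remote thread into explorer.exe, a write to the Microsoft\Tracing file/console tracing values, and an outbound connection. The event values, GUIDs, paths and the tracing registry path are all constructed for the example; because tracing writes by themselves are routine noise, the rule only flags a process that shows several of the behaviors together.

```python
"""Correlate constructed Sysmon-style events into the Dianxun-like behavior chain.

Hypothetical detection logic, not Picus code. Event IDs 1, 3, 8 and 13 and the
field names follow Sysmon's schema; every event value below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: process A is a Flash-named dropper, process B a benign Adobe installer.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": r"C:\Users\u\Downloads\InstallFlashPlayer.exe",
     "Company": ""},
    {"EventID": 8, "SourceProcessGuid": "A", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessGuid": "A",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Tracing\InstallFlashPlayer_RASAPI32\EnableFileTracing"},
    {"EventID": 3, "ProcessGuid": "A", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "B", "Image": r"C:\Program Files\Adobe\FlashPlayerInstaller.exe",
     "Company": "Adobe Systems Incorporated"},
    {"EventID": 13, "ProcessGuid": "B",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Tracing\FlashPlayerInstaller_RASAPI32\EnableConsoleTracing"},
]

FLASH_NAME = re.compile(r"flash", re.I)
# Constructed pattern for the file/console tracing values under the Microsoft\Tracing key.
TRACING_KEY = re.compile(r"\\Microsoft\\Tracing\\.*\\Enable(File|Console)Tracing$", re.I)


def behaviours_by_process(events):
    """Group the described behaviors (T1036, injection, T1112, C2) per process GUID."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 1 and FLASH_NAME.search(e["Image"]) and "Adobe" not in e.get("Company", ""):
            seen[e["ProcessGuid"]].add("masquerade_flash")        # T1036: Flash-named, no Adobe metadata
        elif e["EventID"] == 8 and e["TargetImage"].lower().endswith("\\explorer.exe"):
            seen[e["SourceProcessGuid"]].add("inject_explorer")   # CreateRemoteThread into explorer.exe
        elif e["EventID"] == 13 and TRACING_KEY.search(e["TargetObject"]):
            seen[e["ProcessGuid"]].add("tracing_modified")        # T1112: file/console tracing settings
        elif e["EventID"] == 3:
            seen[e["ProcessGuid"]].add("outbound_connection")     # candidate C2 channel
    return seen


def suspicious_processes(events, min_behaviours=3):
    """Return GUIDs of masquerading processes showing at least min_behaviours of the chain."""
    return sorted(g for g, b in behaviours_by_process(events).items()
                  if "masquerade_flash" in b and len(b) >= min_behaviours)


if __name__ == "__main__":
    print(suspicious_processes(EVENTS))
```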

Other Threats of Mustang Panda in Picus Threat Library

The Picus Threat Library contains 7 threats attributed to the Mustang Panda threat group, including:

  • InstallFlashPlayer Loader Malware used by Mustang Panda Threat Group
  • RAT Malware used by Mustang Panda Threat Group

MITRE ATT&CK Techniques used by Mustang Panda

  • T1053 - Scheduled Task
  • T1047 - Windows Management Instrumentation
  • T1036 - Masquerading
  • T1112 - Modify Registry
  • T1406 - Obfuscation of Files or Information
  • T1218.011 - Signed Binary Proxy Execution
  • T1518 - Software Discovery

References

[1] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-operation-dianxun/