Mustang Panda targets European diplomats using enhanced PlugX backdoor


Mustang Panda, a Chinese cyberespionage group, is targeting European diplomats with a revised version of the PlugX backdoor in an ongoing campaign that uses lures tied to the war in Ukraine. The group, also tracked as RedDelta and TA416, has previously targeted entities connected to the diplomatic relationship between the Vatican and the Chinese Communist Party, as well as other critical sectors in Asia, Europe, and the United States.

The group distributes phishing emails that link to malicious ZIP archives hosted on Dropbox; opening their contents ultimately executes PlugX on the victim's machine. Web bugs embedded in the emails profile recipients before a range of PlugX payloads is served through malicious URLs. Earlier campaigns loaded PlugX through DLL search-order hijacking; in the newer operations the actor side-loads it through the legitimate PotPlayer executable potplayermini.exe, which then loads the malicious DLL. The attackers have also improved the encoding of the malware and extended its configuration options.
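The side-loading step above is the part of the chain a defender can hunt for: a signed, legitimate executable such as potplayermini.exe mapping an unsigned DLL from a user-writable directory instead of from the Windows system directories. The following is an added example, not code from the advisory, that applies that check to constructed Sysmon Event ID 7 (Image Loaded) records; the file paths, the DLL name example_loader.dll and the user-writable path hints are assumptions made for the example and are not indicators from the campaign.

```python
"""Hunt for PlugX-style DLL side-loading through a legitimate host executable.

Added example, not from the advisory: it runs the check over constructed
Sysmon Event ID 7 (Image Loaded) records embedded below.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Legitimate executables known to be abused as side-loading hosts.
# potplayermini.exe is the one named in the advisory; extend from your own telemetry.
SIDELOAD_HOSTS = {"potplayermini.exe"}

# DLLs resolved from the OS directories are the expected case and are not flagged.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Path fragments that mark a user-writable location, where an extracted ZIP lands.
# These hints are an assumption for the example, not a complete list.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str          # Sysmon EID 7 'Image': the process that mapped the DLL
    image_loaded: str   # Sysmon EID 7 'ImageLoaded': full path of the mapped DLL
    signed: bool        # Sysmon EID 7 'Signed'
    signature: str      # Sysmon EID 7 'Signature' (publisher), empty if unsigned


def classify(ev: ImageLoadEvent) -> Optional[str]:
    """Return a short reason when the load looks like side-loading, else None."""
    image = PureWindowsPath(ev.image.lower())
    dll = PureWindowsPath(ev.image_loaded.lower())
    if image.name not in SIDELOAD_HOSTS:
        return None
    dll_dir = str(dll.parent)
    if dll_dir.startswith(SYSTEM_DIRS):
        return None
    reasons = []
    if not ev.signed:
        reasons.append("unsigned dll")
    if any(hint in dll_dir + "\\" for hint in USER_WRITABLE_HINTS):
        reasons.append("dll in user-writable path")
    if dll.parent == image.parent:
        reasons.append("dll beside host executable")
    # A signed vendor DLL sitting beside its own executable is the normal install
    # layout, so require one of the stronger signals before raising a hit.
    if "unsigned dll" in reasons or "dll in user-writable path" in reasons:
        return "; ".join(reasons)
    return None


def hunt(events: List[ImageLoadEvent]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, reason) for every event that classify() flags."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.image, ev.image_loaded, reason))
    return hits


# Constructed sample telemetry; paths and DLL names are illustrative, not campaign IoCs.
SAMPLE_EVENTS = [
    # The host resolving an OS DLL from System32: expected, not flagged.
    ImageLoadEvent(
        image=r"C:\Users\diplomat\AppData\Local\Temp\brief\PotPlayerMini.exe",
        image_loaded=r"C:\Windows\System32\kernel32.dll",
        signed=True, signature="Microsoft Windows"),
    # The host mapping an unsigned DLL from the extracted ZIP directory: flagged.
    ImageLoadEvent(
        image=r"C:\Users\diplomat\AppData\Local\Temp\brief\PotPlayerMini.exe",
        image_loaded=r"C:\Users\diplomat\AppData\Local\Temp\brief\example_loader.dll",
        signed=False, signature=""),
    # Same DLL mapped by a process that is not a known side-loading host: ignored here.
    ImageLoadEvent(
        image=r"C:\Windows\explorer.exe",
        image_loaded=r"C:\Users\diplomat\AppData\Local\Temp\brief\example_loader.dll",
        signed=False, signature=""),
]

if __name__ == "__main__":
    for proc, dll, why in hunt(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}: {why}")
```

The rule deliberately keys on the host executable rather than on a DLL name, because the actor controls the DLL name and can change it between payloads, while the set of signed binaries that will quietly load a DLL from their own directory changes far more slowly. A signed DLL loaded from the vendor's Program Files directory produces no hit, so tuning should focus on adding host executables, not on suppressing expected vendor layouts.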

The TTPs commonly used by Mustang Panda are:

TA0042 – Resource Development       
TA0001 – Initial Access       
TA0002 – Execution       
TA0003 – Persistence       
TA0004 – Privilege Escalation       
TA0005 – Defense Evasion       
TA0006 – Credential Access       
TA0007 – Discovery       
TA0008 – Lateral Movement       
TA0009 – Collection       
TA0010 – Exfiltration
TA0011 – Command and Control
T1583.001: Acquire Infrastructure: Domains
T1071.001: Application Layer Protocol: Web Protocols
T1560.001: Archive Collected Data: Archive via Utility
T1560.003: Archive Collected Data: Archive via Custom Method
T1119: Automated Collection
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1059.005: Command and Scripting Interpreter: Visual Basic
T1074.001: Data Staged: Local Data Staging
T1573.001: Encrypted Channel: Symmetric Cryptography
T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1052.001: Exfiltration Over Physical Medium: Exfiltration over USB
T1203: Exploitation for Client Execution
T1083: File and Directory Discovery
T1564.001: Hide Artifacts: Hidden Files and Directories
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1070.004: Indicator Removal on Host: File Deletion
T1105: Ingress Tool Transfer
T1036.005: Masquerading: Match Legitimate Name or Location
T1036.007: Masquerading: Double File Extension
T1027: Obfuscated Files or Information
T1027.001: Obfuscated Files or Information: Binary Padding
T1003.003: OS Credential Dumping: NTDS
T1566.001: Phishing: Spearphishing Attachment
T1566.002: Phishing: Spearphishing Link
T1057: Process Discovery
T1219: Remote Access Software
T1091: Replication Through Removable Media
T1053.005: Scheduled Task/Job: Scheduled Task
T1218.004: Signed Binary Proxy Execution: InstallUtil
T1218.005: Signed Binary Proxy Execution: Mshta
T1518: Software Discovery
T1082: System Information Discovery
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1204.001: User Execution: Malicious Link
T1204.002: User Execution: Malicious File
T1047: Windows Management Instrumentation

Actor Details


Indicators of Compromise (IoCs)