Mustang Panda Targets Europe

Industry: Government, Non-Governmental Organization, Think Tanks | Level: Tactical | Source: Cisco Talos

Activity from Chinese threat actor, Mustang Panda has been tracked by Cisco Talos with the group targeting U.S, Asia, and European entities, in addition to Russian organizations. The phishing campaign employed by Mustang Panda has utilized themes for COVID-19, political matters, and current events. Activity from this campaign was observed in February 2022, coinciding with the start of the Russian and Ukraine conflict. Some phishing themes have reported on the border situations in Ukraine and Belarus. The malware deployed in the campaign is PlugX, a remote access trojan. Threat activities involve the use of multiple shells and beacons, with the group's goal in these campaigns to conduct espionage. The tactics, techniques, and procedures from the group have been observed with a benign executable to initiate DLL sideloading, a malicious DLL loader, the PlugX implant, and the use of various stagers and reverse shells.

• Anvilogic Scenario: Mustang Panda - LNK-based Infection Chain
• Anvilogic Use Cases:
• Malicious Document Execution
• Executable Process from Suspicious Folder
• Windows Copy Files
• Executable Create Script Process
• Compressed File Execution
• Suspicious File written to Disk
• New AutoRun Registry Key
• Rundll32 Command Line
• Create/Modify Schtasks
• Meterpreter Reverse Shell
• Symbolic OR Hard File Link Created
• Wscript/Cscript Execution
• Registry key added with reg.exe
• Executable File Written to Disk