Trusted Design

Mustang Panda

アクターID: G0129

· MITRE Pageへのリンク

脅威アクターの詳細

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. (Citation: BlackBerry MUSTANG PANDA October 2022)(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler)

脅威アクターの別名・別称

Mustang Panda
TA416
RedDelta
BRONZE PRESIDENT
STATELY TAURUS
FIREANT
CAMARO DRAGON
EARTH PRETA
HIVE0154
TWILL TYPHOON
TANTALUM
LUMINOUS MOTH
UNC6384
TEMP.Hex
Red Lich

利用した攻撃手法

• T1053.005 - Scheduled Task
• T1560.001 - Archive via Utility
• T1047 - Windows Management Instrumentation
• T1037 - Boot or Logon Initialization Scripts
• T1597.002 - Purchase Technical Data
• T1003 - OS Credential Dumping
• T1546.013 - PowerShell Profile
• T1053.007 - Container Orchestration Job
• T1016.001 - Internet Connection Discovery
• T1596.001 - DNS/Passive DNS
• T1116 - Code Signing
• T1218.013 - Mavinject
• T1013 - Port Monitors
• T1606.002 - SAML Tokens
• T1587.001 - Malware
• T1087.002 - Domain Account
• T1071.005 - Publish/Subscribe Protocols
• T1542.005 - TFTP Boot
• T1543.003 - Windows Service
• T1588.006 - Vulnerabilities
• T1566.002 - Spearphishing Link
• T1598.003 - Spearphishing Link
• T1089 - Disabling Security Tools
• T1487 - Disk Structure Wipe
• T1103 - AppInit DLLs
• T1120 - Peripheral Device Discovery
• T1590.003 - Network Trust Dependencies
• T1058 - Service Registry Permissions Weakness
• T1059.010 - AutoHotKey & AutoIT
• T1024 - Custom Cryptographic Protocol
• T1091 - Replication Through Removable Media
• T1098.007 - Additional Local or Domain Groups
• T1546.011 - Application Shimming
• T1567.004 - Exfiltration Over Webhook
• T1062 - Hypervisor
• T1555.003 - Credentials from Web Browsers
• T1183 - Image File Execution Options Injection
• T1546.005 - Trap
• T1136.001 - Local Account
• T1092 - Communication Through Removable Media
• T1590.006 - Network Security Appliances
• T1593.002 - Search Engines
• T1055.013 - Process Doppelgänging
• T1562.006 - Indicator Blocking
• T1677 - Poisoned Pipeline Execution
• T1219.001 - IDE Tunneling
• T1055.004 - Asynchronous Procedure Call
• T1612 - Build Image on Host
• T1218.012 - Verclsid
• T1569.001 - Launchctl
• T1102 - Web Service
• T1608 - Stage Capabilities
• T1608.005 - Link Target
• T1583.006 - Web Services
• T1204 - User Execution
• T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• T1087.004 - Cloud Account
• T1497.002 - User Activity Based Checks
• T1679 - Selective Exclusion
• T1102.003 - One-Way Communication
• T1169 - Sudo
• T1199 - Trusted Relationship
• T1136.003 - Cloud Account
• T1059.011 - Lua
• T1218.010 - Regsvr32
• T1056 - Input Capture
• T1203 - Exploitation for Client Execution
• T1567.002 - Exfiltration to Cloud Storage
• T1591.004 - Identify Roles
• T1565.002 - Transmitted Data Manipulation
• T1070.009 - Clear Persistence
• T1556.005 - Reversible Encryption
• T1027.010 - Command Obfuscation
• T1134 - Access Token Manipulation
• T1209 - Time Providers
• T1159 - Launch Agent
• T1071.001 - Web Protocols
• T1547.013 - XDG Autostart Entries
• T1526 - Cloud Service Discovery
• T1055.005 - Thread Local Storage
• T1105 - Ingress Tool Transfer
• T1548.006 - TCC Manipulation
• T1027.018 - Invisible Unicode
• T1564.001 - Hidden Files and Directories
• T1556 - Modify Authentication Process

関連するCVE (攻撃手法に関連)

• CVE-2015-4495 (T1218.010)
• CVE-2015-5749 (T1569.001)
• CVE-2016-1898 (T1027.018)
• CVE-2016-1897 (T1027.018)
• CVE-2015-7261 (T1027.018)
• CVE-2015-6036 (T1027.018)
• CVE-2015-7262 (T1218.012)
• CVE-2015-0932 (T1218.012)
• CVE-2010-3081 (T1209)
• CVE-2017-16929 (T1027.018)
• CVE-2025-31125 (T1027.018)
• CVE-2025-68645 (T1027.018)
• CVE-2014-4114 (T1027.018)
• CVE-2017-0143 (T1027.018)
• CVE-2015-5119 (T1027.018)
• CVE-2015-2546 (T1027.018)
• CVE-2015-7645 (T1027.018)
• CVE-2017-12149 (T1027.018)
• CVE-2015-3090 (T1027.018)
• CVE-2015-3113 (T1218.010)
• CVE-2014-6271 (T1027.018)
• CVE-2016-1010 (T1027.018)
• CVE-2016-1019 (T1218.012)
• CVE-2016-0984 (T1027.018)
• CVE-2016-1001 (T1218.010)
• CVE-2016-0998 (T1027.018)
• CVE-2015-5130 (T1027.018)
• CVE-2015-5134 (T1027.018)
• CVE-2015-5539 (T1027.018)
• CVE-2015-5557 (T1027.018)
• CVE-2015-5563 (T1027.018)
• CVE-2015-5559 (T1027.018)
• CVE-2015-5540 (T1027.018)
• CVE-2015-5561 (T1027.018)
• CVE-2015-5551 (T1027.018)
• CVE-2015-5564 (T1027.018)
• CVE-2015-5565 (T1027.018)
• CVE-2015-5550 (T1027.018)
• CVE-2015-5566 (T1027.018)
• CVE-2015-5127 (T1027.018)
• CVE-2015-5556 (T1027.018)
• CVE-2015-2852 (T1027.018)
• CVE-2015-7755 (T1218.010)
• CVE-2016-1287 (T1218.012)
• CVE-2016-9494 (T1027.018)
• CVE-2025-55182 (T1027.018)
• CVE-2012-1258 (T1209)
• CVE-2014-7911 (T1569.001)
• CVE-2013-6282 (T1218.012)
• CVE-2013-0074 (T1027.018)
• CVE-2014-8439 (T1209)
• CVE-2014-0569 (T1219.001)
• CVE-2015-0310 (T1055.005)
• CVE-2014-0556 (T1027.018)
• CVE-2015-5560 (T1219.001)
• CVE-2014-9163 (T1209)
• CVE-2014-8440 (T1027.018)
• CVE-2010-0738 (T1102)
• CVE-2010-0232 (T1027.018)
• CVE-2014-3393 (T1565.002)
• CVE-2014-3897 (T1027.018)
• CVE-2011-0611 (T1591.004)
• CVE-2017-0001 (T1027.018)
• CVE-2023-1389 (T1027.018)
• CVE-2025-24893 (T1027.018)
• CVE-2025-34026 (T1027.018)
• CVE-2025-55183 (T1027.018)
• CVE-2025-55184 (T1027.018)
• CVE-2025-66478 (T1219.001)
• CVE-2016-2343 (T1218.012)
• CVE-2016-6532 (T1136.003)
• CVE-2014-0322 (T1027.018)
• CVE-2015-2419 (T1027.018)
• CVE-2016-0189 (T1027.018)
• CVE-2013-3906 (T1218.010)
• CVE-2010-1553 (T1027.018)
• CVE-2014-4322 (T1055.005)
• CVE-2010-0806 (T1027.018)
• CVE-2009-3129 (T1027.018)
• CVE-2025-13928 (T1218.012)
• CVE-2015-3043 (T1027.018)
• CVE-2016-1990 (T1218.012)
• CVE-2016-1991 (T1203)
• CVE-2015-2854 (T1027.018)
• CVE-2015-2853 (T1027.018)
• CVE-2016-1562 (T1218.012)
• CVE-2012-0507 (T1027.018)
• CVE-2013-2465 (T1027.018)
• CVE-2013-7331 (T1548.006)
• CVE-2016-4117 (T1218.010)
• CVE-2015-1770 (T1027.018)
• CVE-2015-2545 (T1027.018)
• CVE-2017-0199 (T1027.018)
• CVE-2012-0158 (T1027.018)
• CVE-2014-6352 (T1027.010)
• CVE-2015-0016 (T1027.018)
• CVE-2010-3333 (T1027.018)
• CVE-2010-0188 (T1027.018)
• CVE-2010-2884 (T1591.004)
• CVE-2013-0640 (T1591.004)
• CVE-2015-0071 (T1027.018)
• CVE-2015-3628 (T1218.010)
• CVE-2012-4969 (T1027.018)
• CVE-2014-6324 (T1564.001)
• CVE-2015-5122 (T1027.018)
• CVE-2015-1427 (T1569.001)
• CVE-2012-1856 (T1027.018)
• CVE-2014-6332 (T1027.018)
• CVE-2015-3785 (T1218.012)
• CVE-2015-5897 (T1087.004)
• CVE-2015-3456 (T1055.005)
• CVE-2015-2590 (T1027.018)
• CVE-2015-2424 (T1027.018)
• CVE-2015-5477 (T1218.012)
• CVE-2014-1761 (T1218.010)
• CVE-2015-2502 (T1027.018)
• CVE-2013-2094 (T1027.018)
• CVE-2014-4113 (T1027.018)
• CVE-2015-8562 (T1027.018)
• CVE-2015-7808 (T1203)
• CVE-2012-1889 (T1218.012)
• CVE-2015-1641 (T1027.018)
• CVE-2015-1701 (T1027.018)
• CVE-2015-0313 (T1027.018)
• CVE-2015-0359 (T1027.018)
• CVE-2014-0329 (T1027.018)
• CVE-2015-6034 (T1055.004)
• CVE-2015-6022 (T1027.018)
• CVE-2015-8286 (T1565.002)
• CVE-2015-8287 (T1218.010)
• CVE-2016-2342 (T1209)
• CVE-2017-0263 (T1027.018)
• CVE-2017-0261 (T1027.018)
• CVE-2017-0262 (T1027.018)
• CVE-2016-9496 (T1027.018)
• CVE-2016-9495 (T1027.018)
• CVE-2017-3212 (T1218.012)
• CVE-2025-61882 (T1566.002)
• CVE-2015-0311 (T1027.018)
• CVE-2012-0056 (T1569.001)
• CVE-2012-3213 (T1027.018)
• CVE-2012-4792 (T1027.018)
• CVE-2015-0336 (T1027.018)
• CVE-2011-3544 (T1027.018)
• CVE-2014-3153 (T1218.010)
• CVE-2015-3636 (T1608.005)
• CVE-2015-3105 (T1218.010)
• CVE-2014-0497 (T1218.010)
• CVE-2014-8361 (T1556.005)
• CVE-2017-17215 (T1027.018)
• CVE-2013-2551 (T1027.018)
• CVE-2014-0515 (T1218.010)
• CVE-2012-4681 (T1027.018)
• CVE-2014-1776 (T1027.018)
• CVE-2012-1876 (T1027.018)
• CVE-2015-0057 (T1027.018)
• CVE-2012-2539 (T1027.018)
• CVE-2012-1723 (T1027.018)
• CVE-2015-1761 (T1027.018)
• CVE-2013-3660 (T1027.018)
• CVE-2010-1297 (T1027.018)
• CVE-2015-2360 (T1027.018)
• CVE-2014-4148 (T1027.018)
• CVE-2011-3402 (T1027.018)
• CVE-2010-2883 (T1209)
• CVE-2013-0634 (T1218.012)
• CVE-2014-7247 (T1027.018)
• CVE-2012-5054 (T1218.012)
• CVE-2013-2678 (T1027.018)
• CVE-2015-2426 (T1027.018)
• CVE-2008-1436 (T1567.002)
• CVE-2010-4398 (T1027.018)
• CVE-2013-0641 (T1591.004)
• CVE-2012-6422 (T1055.005)
• CVE-2013-2595 (T1055.005)
• CVE-2014-2273 (T1218.012)
• CVE-2015-4902 (T1027.018)
• CVE-2015-2387 (T1027.018)
• CVE-2011-1255 (T1027.018)
• CVE-2013-5990 (T1027.018)
• CVE-2017-8570 (T1027.018)
• CVE-2012-0611 (T1027.018)
• CVE-2017-7255 (T1134)
• CVE-2025-13335 (T1218.012)
• CVE-2025-13927 (T1218.012)
• CVE-2025-54313 (T1569.001)
• CVE-2026-0723 (T1218.012)
• CVE-2026-1102 (T1218.012)
• CVE-2026-20127 (T1027.018)
• CVE-2015-0097 (T1027.018)
• CVE-2015-6585 (T1569.001)
• CVE-2010-2572 (T1027.018)

Actor – Pulse グラフ

---

← 脅威アクター一覧に戻る