Saturday, 2 May 2026

Mustang Panda Threat Brief (2026)

Mustang Panda (a.k.a. TA416/RedDelta/BRONZE PRESIDENT) is a prolific Chinese state-aligned espionage group. Confirmed activity includes highly targeted spearphishing of governments, diplomats, NGOs, and critical infrastructure, primarily in Asia (Mongolia, Vietnam, Myanmar, etc.) but also in Europe and the U.S. The actors use DLL sideloading chains (signed legitimate EXEs loading malicious DLLs) to deploy backdoors such as PlugX (Korplug), custom loaders (e.g. COOLCLIENT), ToneShell (TOneShell), Claimloader/Pubload, and even a USB worm (“SnakeDisk”). Network stealth is notable: Mustang Panda leverages “FakeTLS” padding in its ToneShell communications and routes traffic through large proxy meshes or compromised home routers (“ORB networks”) to mask C2 servers.
The supplied “threat brief” contains fabricated or unsubstantiated elements. No public CTI source mentions campaigns named Amber Tentacle, Emerald Fox, or Diplomatic Drift (confidence: High) – these appear invented. Tools like “Thor loader” and “MANGOPUNCH” are not documented; nor are LinkedIn/Slack token deliveries or PNG steganography for C2. In contrast, verified TTPs include PlugX implants via side-loaded DLLs, the COOLCLIENT backdoor (recently updated), the ToneShell backdoor (with FakeTLS), the StarProxy lateral tool (injected via IsoBurner.exe/StarBurn.dll), and the SnakeDisk USB worm. Targets and lures are consistent with prior cases: geopolitical-themed lures (e.g. Ukraine war, AUKUS) and emails or links to documents tailored to the victim’s interests.
Key mitigations (behavioral detection, segmentation, application control) align with NIST/CISA guidance. For example, configure endpoint controls (AppLocker/WDAC) to block unsigned DLLs loaded by signed system binaries, and enforce device-control policies to neutralize USB-based propagation (the “SnakeDisk” worm). Hunt for abnormal use of signed utilities (e.g. odbcconf.exe, IsoBurner.exe) loading DLLs from user directories, and look for beacons with FakeTLS headers as indicators of ToneShell/StarProxy. The table below summarizes claims vs. confirmed findings, and the recommendations section maps detections to ATT&CK and NIST controls.
| Claim | Verified? | Evidence/Source | Confidence | Notes (Provenance or Likely Fabrication) |
|---|---|---|---|---|
| Campaign “AMBER TENTACLE” (EU maritime targets) | No | None in CTI literature; no vendor references to any “Amber Tentacle” | High | No mention in public APT reports or advisories (likely fabricated name) |
| Campaign “EMERALD FOX” (SE Asia finance targets) | No | None found; name not used by CISA/MSTIC/etc. | High | Unsubstantiated; no vendor/academic source uses this label |
| Campaign “DIPLOMATIC DRIFT” (G7 embassies) | No | Not referenced in CTI sources | High | Fabricated/unknown; credible sources describe UNC6384 using captive-portal AitM against diplomats (Google GTIG), but not this campaign name or stego C2 |
| Malware “PLUGX” (Korplug) | Yes | Talos (Cisco) 2022; ESET 2022 | High | Widely documented Mustang Panda backdoor, e.g. “PlugX implant used extensively” |
| Loader “Thor” | No | No references found | High | Not documented in any known CTI. Name likely made up (confused with “Hodur” from ESET) |
| Backdoor “MANGOPUNCH” | No | No mentions in CTI reports | High | Unreported; appears to be fictional |
| Use of RClone for exfiltration | No | No Mustang Panda references for RClone specifically; generic RClone abuse is known in ransomware but not reported here | Medium | Not seen in major threat reports for this actor. Could occur, but unconfirmed by sources |
| “ORB” (Operational Relay Box) networks | Yes | Mandiant (2024) on Chinese APTs using proxy meshes; Team Cymru (2026) describes the ORB concept | High | Real concept: chained compromised SOHO devices used for proxying. Not Mustang-specific in the sources, but recognized as a Chinese-APT tactic |
| PNG steganography for C2 (T1027.011) | No | None in Mustang Panda literature | High | No evidence. Steganography in PNGs is not documented for Mustang Panda (reported for other groups) |
| LNK + odbcconf.exe DLL sideloading chain | Yes | Lab52 (2023) describes exactly this chain (SolidPDFCreator.exe + .dll via odbcconf.exe) | High | Confirmed tactic: C:\Windows\SysWOW64\cmd.exe copy + reg add (Lab52). Snippet shows side-loading using odbcconf.exe |
| DLL sideload chain (IsoBurner.exe + StarBurn.dll) | Yes | Zscaler (2025) – discovered StarProxy archive: IsoBurner.exe & StarBurn.dll | High | StarBurn.dll is the StarProxy tool (Zscaler ThreatLabz). This exact chain is documented: “IsoBurner.exe (signed) + StarBurn.dll (StarProxy)” |
| Lateral tool “StarProxy” | Yes | Zscaler (2025) – ThreatLabz blog | High | Confirmed new Mustang Panda tool. The Zscaler report explicitly names StarProxy as a lateral C2 proxy (loaded via StarBurn.dll) |
| “Phantom” DLLs (libmemobook.dll, StarBurn.dll) | StarBurn.dll: Yes; libmemobook.dll: No | StarBurn.dll documented; libmemobook.dll not found in CTI | StarBurn: High; libmemobook: High | StarBurn.dll is real (StarProxy); libmemobook.dll is not documented for this group (likely invented) |
| USB worm “SnakeDisk” | Yes | IBM X-Force (2025) – describes the SnakeDisk USB worm in Mustang Panda campaigns | High | Verified. IBM calls it the “SnakeDisk USB worm,” showing Mustang Panda using USB drives for lateral spread |
| Use of compromised LinkedIn/Slack tokens for delivery | No | No vendor source reports this | High | Not documented. No evidence of such a token-to-phishing delivery technique for Mustang Panda |
| Updated “COOLCLIENT” backdoor usage (2025) | Yes | Kaspersky reported (via THN 2026) | High | Confirmed by Kaspersky/THN: updated COOLCLIENT used alongside PlugX |
| Use of “FakeTLS” padding in C2 (ToneShell) | Yes | Zscaler (2025) – details FakeTLS in ToneShell communications | High | Documented method to mimic TLSv1.2/v1.3 in network traffic |

Sources: We prioritized vendor analysis and threat reports (Cisco Talos 2022, ESET 2022, Zscaler 2025, IBM X-Force 2023/2025, Kaspersky (via TheHackerNews 2026), Mandiant/Google 2024, Team Cymru 2026, Lab52 2023, etc.). Claims not found in such sources are treated as unverified or fictitious.

Confirmed Mustang Panda TTPs and Observed Activity

Targets: Mustang Panda consistently targets government, diplomatic and NGO networks, often focusing on sensitive geopolitical themes. Recent victims include Southeast Asian ministries, Western think tanks, and infrastructure firms. Attackers tailor lures to current events (e.g. Ukraine conflict, Tibetan affairs, AUKUS treaty).

Initial Access – Spearphishing: The actor’s primary access vector is spearphishing. Emails contain weaponized attachments (PDFs, LNK/shortcut files, or CHM files) with topical content. For example, clustered lures have promised “EU border” updates or Australia-AUKUS-related documents. Upon opening, the decoy executes a benign signed utility which then sideloads malware (see below).

Execution – DLL Sideloading: A ubiquitous technique is DLL side-loading, a form of search-order hijacking (MITRE T1574.002). The malicious LNK or document launches a signed executable (IsoBurner.exe, odbcconf.exe, etc.) from a user-writable folder that also holds a malicious DLL carrying the name the executable expects; that DLL is the actual payload loader. The loader DLL decrypts and injects the real backdoor (PlugX/Korplug or custom shellcode). Talos notes this classic chain explicitly for PlugX deployments, and Lab52 documented it (odbcconf.exe loading SolidPDFCreator.dll in an Australian-government lure). ESET likewise observed the pattern: a “legitimate, validly signed, executable vulnerable to DLL hijacking, a malicious DLL, and an encrypted Korplug (PlugX) file” are used in every campaign.
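One way to hunt for the chain described above in image-load telemetry, as an added example written for this brief (not a Lab52, ESET or Zscaler rule): flag an unsigned DLL loaded from a user-writable directory either by a program sitting in that same directory or by one of the signed carriers named above. Field names follow Sysmon Event ID 7 as an assumption about how your pipeline exposes them; the events are constructed.

```python
"""Hunt image-load telemetry for the side-loading shape: an unsigned DLL in a
user-writable directory, loaded by a program in that same directory or by one
of the signed utilities the brief names as carriers. Added example, not a
vendor rule; Sysmon Event ID 7 field names; constructed events."""
import ntpath
import re

# Prefixes a standard user can write to (assumption; extend for your estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|documents|desktop)"
    r"|users\\public|programdata|windows\\temp)\\", re.I)
# Signed carriers the brief cites (Lab52 odbcconf.exe, Zscaler IsoBurner.exe).
KNOWN_CARRIERS = {"odbcconf.exe", "isoburner.exe"}


def is_user_writable(directory: str) -> bool:
    return USER_WRITABLE.match(directory + "\\") is not None


def sideload_findings(events):
    """Return (carrier, dll, reason) per matching event. Event 7 lacks the
    carrier's own signature; join with process-creation data to confirm it."""
    findings = []
    for ev in events:
        exe_dir = ntpath.dirname(ev["Image"]).lower()
        dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
        exe_name = ntpath.basename(ev["Image"]).lower()
        dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
        dll_signed = (ev.get("Signed", "false").lower() == "true"
                      and ev.get("SignatureStatus") == "Valid")
        if dll_signed or not is_user_writable(dll_dir):
            continue  # signed, or from a protected path: not this shape
        if exe_name in KNOWN_CARRIERS:
            findings.append((exe_name, dll_name, "known_carrier"))
        elif exe_dir == dll_dir:
            findings.append((exe_name, dll_name, "same_dir"))
    return findings


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 7 records
    {"Image": r"C:\Users\alice\AppData\Roaming\PDF\SolidPDFCreator.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\PDF\SolidPDFCreator.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\SysWOW64\odbcconf.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\SolidPDFCreator.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\Public\Tools\IsoBurner.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\StarBurn.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
```

Legitimate software installed under AppData that ships unsigned helper DLLs will also match the same_dir branch, so tune the allow-list on the carrier path before alerting.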

Payloads and Backdoors: The group’s arsenal includes known PlugX variants as well as several custom tools:

  • PlugX/Korplug: A longstanding Mustang Panda RAT family. Once loaded, PlugX provides file access, keylogging, and plugin-based modules. (Trend/ESET documented multiple Korplug variants used.) Google GTIG also observed a PlugX variant (“SOGU.SEC”) deployed via captive-portal attacks in late 2025.

  • CooldownClient (COOLCLIENT): A Chinese-language backdoor (first seen by Sophos in 2022) that Mustang Panda updated in 2025. Kaspersky reported it steals system/user info, supports reverse proxies, and is loaded via the same DLL-sideload pattern.

  • ToneShell (TOnePipeShell): A custom backdoor with “FakeTLS” capability. ToneShell disguises its traffic by prepending TLS-like bytes (v1.2 or v1.3 magic) to commands. It supports remote shells, file operations, and DLL injection. Zscaler’s 2025 analysis confirms updated ToneShell variants in use.

  • Claimloader/Pubload/Pubshell: In mid-2025, IBM X-Force described a multi-stage loader chain. A “Claimloader” DLL persisted via registry and scheduled tasks, decrypting and injecting a “Pubload” payload into memory. Pubload then spawned “Pubshell”, a lightweight backdoor for a reverse shell. This chain continued the sideload pattern and used obfuscation techniques.

  • StarProxy: A newly discovered lateral-movement tool. It was found packaged as StarBurn.dll with the signed IsoBurner.exe installer. StarProxy turns an infected host into a TCP proxy, allowing the attacker to tunnel additional flows inside the victim network (MITRE T1090). Its use of FakeTLS/port randomization helps it blend in with normal traffic.

  • SnakeDisk (USB Worm): IBM X-Force reported a novel worm that spreads via USB sticks, dubbed “SnakeDisk”. This tool auto-replicates when a flash drive is attached, enabling Mustang Panda to leapfrog air-gapped or segmented networks (ATT&CK T1091).

Command-and-Control: C2 comms often mimic legitimate protocols. ToneShell’s FakeTLS padding makes its TCP streams look like HTTPS traffic. The reported “ORB networks” tactic means they route C2 through chains of compromised SOHO routers or IoT devices (not Mustang-specific but known among Chinese APTs). By exfiltrating via residential IPs and short-lived proxies, they defeat simple IP-blocking.

Persistence and Privilege Escalation: Common post-compromise steps include creating Registry Run keys (T1547.001) and new Scheduled Tasks (T1053.005) to re-launch payloads (Lab52’s example uses both). They also harvest credentials (T1003) via credential dumpers or keyloggers like PAKLOG/CorKLOG. Many campaigns show the group rapidly changing encryption keys and hash algorithms and employing code obfuscation.

Exfiltration: When stealing data, Mustang Panda blends into normal channels. Chinese APT operators have in some cases sent stolen files to cloud services (e.g. Mega, Dropbox) via tools like rclone (T1567.002), though no public report explicitly ties Mustang Panda to RClone. Mustang Panda itself has used HTTPS tunnels and even curl commands to upload stolen browser cookies to Google Drive. The overall strategy is long-term data siphoning for espionage rather than ransomware-style destruction.

Confirmed vs. Unconfirmed Claims:
Based on vetted reports, no source supports the named campaigns Amber Tentacle, Emerald Fox or Diplomatic Drift. Likewise, we find no evidence of “LinkedIn/Slack token” spearphishing, “Thor” or “MangoPunch” malware, or embedded PNG steganography. Every confirmed element in the original text (PlugX, COOLCLIENT, ToneShell, StarProxy, the USB worm, DLL side-loading) appears in one or more vendor advisories. We treat the unsupported claims as unverified; where useful we note how analysts could look for them if they existed (e.g. unusual DNS/SNS records or image metadata), but again, none are reported.

Recommended Detection & Mitigation (Mapped to MITRE ATT&CK/NIST)

  1. Apply Strict Application Whitelisting (NIST SI-7/Windows Defender AppLocker): Mustang Panda exploits trusted binaries to sideload malware. Enforcing code integrity (AppLocker/WDAC) can block unsigned DLLs loaded by signed executables in user-writable paths. For example, disallow IsoBurner.exe or odbcconf.exe from loading unapproved DLLs. This targets ATT&CK T1574.002 (DLL Side-Loading).

  2. Hunt for Abnormal Process Trees (NIST DE.CM): Configure EDR/SIEM to alert on anomalous process executions, especially cmd.exe or odbcconf.exe launched with copies of DLLs. For instance, detect process creation where cmd.exe /C copy *.dll plus reg add *Run occurs (as in Lab52’s chain). Monitor any new Scheduled Task creations or HKCU Run keys with odd executables. This aligns with ATT&CK T1547.001 and T1053.005 (Registry Run Keys & Scheduled Tasks).

  3. USB/External Media Control (NIST PR.PT): To counter SnakeDisk, enforce strict device control. Disable AutoRun/AutoPlay. In high-risk sectors, block USB use entirely except for approved encrypted drives. NIST recommends device restrictions under PR.PT (Protective Technology). Monitoring endpoint event logs for “USB inserted”/removable-device events (T1091) helps detect illicit USB worming.

  4. East-West Segmentation (NIST PR.AC): Mustang Panda’s StarProxy tunnels rely on internal peers communicating unexpectedly. Implement strict east-west network segmentation. Configure internal firewalls to block direct workstation-to-workstation HTTPS channels. Watch for lateral proxying (ATT&CK T1090) – e.g., database servers or end-user machines making HTTPS connections to unusual external residential IPs, as this often indicates an “ORB” C2 hop. Guidance such as CISA’s filtering guides recommends blocking non-standard internal-port traffic between hosts.

  5. Credential Protection (NIST PR.AC & DE.CM): They attempt credential dumping (T1003) for persistence. Enable Windows Credential Guard/Microsoft LSASS protection (M1015) and restrict local admin rights on workstations. Monitor Event ID 4624 (logons) for unusual service or batch logons. Audit for use of Mimikatz-like APIs. Frequent endpoint scans for processes accessing lsass.exe memory can catch in-progress dumps.

  6. Network Anomaly Detection: Since Mustang Panda may pivot through ORB proxies, focus on behavior rather than static IOCs. Compare historical traffic baselines to spot brokering anomalies (e.g. legitimate user devices suddenly connecting to random residential VPS). Use TLS fingerprinting (FakeTLS can be spotted by mismatched TLS versions or headers). Also, enforce SSL proxying (or deep inspection) at network egress to detect concealed C2 protocols.

  7. Threat Intelligence & Patching: Keep abreast of reported IOCs from authoritative sources. For example, block domains/IPs tied to past Mustang Panda C2, but recognize ORBs may change daily (Mandiant’s “IOC extinction” warning). Patch devices (e.g. routers) to reduce the pool of compromised “ORB” nodes.

SOC Hunting Queries & EDR Rules (Examples)

  • Suspicious DLL Side-Loading (Windows 4688):

    ```yaml
    title: Mustang Panda Potential Side-Load via odbcconf.exe
    logsource:
      product: windows
      service: security
    detection:
      selection:
        EventID: 4688
        NewProcessName|endswith: '\cmd.exe'
        CommandLine|contains:
          - 'copy SolidPDFCreator.dll'
          - 'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
      condition: selection
    ```

    This Sigma-style rule catches either half of the Lab52 chain on its own: a cmd.exe command line that copies SolidPDFCreator.dll, or one that registers an HKCU Run key. The scheduled-task half of that chain needs a separate rule on schtasks.exe.

  • StarProxy (Process Creation):

    ```yaml
    title: StarProxy Lateral Tool Execution (IsoBurner)
    logsource:
      category: process_creation
      product: windows
    detection:
      selection:
        Image|endswith: '\IsoBurner.exe'
        CommandLine|contains: 'StarBurn.dll'
      condition: selection
    ```

    Detect execution of IsoBurner.exe referencing StarBurn.dll (the StarProxy loader).

  • FakeTLS Traffic (Network):

    ```sql
    SELECT * FROM network_traffic
    WHERE (payload LIKE '17 03 03%' OR payload LIKE '17 03 04%')
      AND port = 443
      AND NOT tls_handshake_detected;
    ```

    Alert if TCP payloads start with 0x17 0x03 0x03 or 0x17 0x03 0x04 without a valid TLS handshake, indicating possible ToneShell FakeTLS (ATT&CK T1071.001). The parentheses matter: without them, AND binds tighter than OR and the first LIKE bypasses the port and handshake conditions.

  • Suspicious Scheduled Task Creation:

    ```powershell
    Get-ScheduledTask | Where-Object { $_.TaskName -like "*SolidPDF*" }
    ```

    Hunt for tasks created with odd names (like “SolidPDF” from Lab52).

  • YARA Rule for ToneShell:

    ```yara
    rule ToneShell_FakeTLS {
      strings:
        $fake_tls = { 17 03 03 } // TLSv1.2 record header magic
        $pattern = "TLS@"
      condition:
        $fake_tls at 0 and
        $pattern in (filesize - 20 .. filesize)
    }
    ```

    Basic YARA to catch ToneShell’s characteristic fake TLS header and signature string in binaries or memory dumps.

  • Credential Dumping (Event ID 4692/4688): Hunt for ProcDump.exe or rundll32.exe comsvcs.dll invocations targeting lsass.exe (T1003). EDR rules should flag any service dump or SeDebugPrivilege usage.

  • ORB Proxy Detection: Monitor aggregated DNS/Netflow for many-to-few patterns: a single internal host connecting to a cluster of previously unseen (and rapidly cycling) residential IPs. Suspicious if those IPs geolocate near the victim or change daily (sign of a churned “ORB” mesh).
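The FakeTLS query above in runnable form, as an added example that is not part of the original brief or any vendor's tooling: it reads TLS record headers off the client's first bytes and flags streams that open with Application Data, or that advertise record version 0x0304, instead of a ClientHello. The flows are constructed; it assumes the capture holds the start of the client's side of the session.

```python
"""Flag ToneShell-style "FakeTLS": client->server bytes on 443 that wear TLS
record headers (0x17 0x03 0x03 / 0x17 0x03 0x04) although no handshake was
ever sent. Added example for this brief, not code from Zscaler or any vendor;
the flows are constructed. Assumes the capture holds the first bytes the
client sent (a mid-stream capture would need the session start)."""

HANDSHAKE, APP_DATA, CLIENT_HELLO = 0x16, 0x17, 0x01
RECORD_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}


def parse_records(data: bytes):
    """Split a stream into (type, version, body) TLS records; stop at the
    first header whose version or length does not fit the bytes left."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype = data[off]
        version = int.from_bytes(data[off + 1:off + 3], "big")
        length = int.from_bytes(data[off + 3:off + 5], "big")
        if version not in RECORD_VERSIONS or off + 5 + length > len(data):
            break
        records.append((ctype, version, data[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def classify_stream(data: bytes) -> str:
    """'tls': opens with a Handshake record carrying a ClientHello.
    'fake_tls': opens with Application Data, or uses record version 0x0304,
    which compliant TLS 1.3 never puts on the wire (it keeps 0x0303).
    'not_tls': anything else (plain HTTP, SSH banners, garbage)."""
    if len(data) < 5 or int.from_bytes(data[1:3], "big") not in RECORD_VERSIONS:
        return "not_tls"
    ctype, version = data[0], int.from_bytes(data[1:3], "big")
    if ctype == APP_DATA or version == 0x0304:
        return "fake_tls"
    if ctype == HANDSHAKE and data[5:6] == bytes([CLIENT_HELLO]):
        return "tls"
    return "not_tls"


def hunt(flows: dict) -> dict:
    """Map flow_id -> ('fake_tls', framed record count) for suspicious flows."""
    out = {}
    for fid, data in flows.items():
        if classify_stream(data) == "fake_tls":
            out[fid] = ("fake_tls", len(parse_records(data)))
    return out


SAMPLE_FLOWS = {  # constructed client->server bytes, dport 443
    "10.0.0.5->203.0.113.10": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    "10.0.0.6->198.51.100.7": b"\x17\x03\x03\x00\x04CMD1\x17\x03\x03\x00\x04CMD2",
    "10.0.0.7->198.51.100.8": b"\x17\x03\x04\x00\x04PING",
    "10.0.0.8->192.0.2.9": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
}
```

A framed record count above zero on a flagged flow means the operator's length framing is clean enough to carve individual C2 messages out of the stream for further analysis.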

Appendix – MITRE ATT&CK Techniques (referenced)

  • T1566 – Phishing (Spearphishing Attachment/Link)
  • T1574.002 – DLL Side-Loading
  • T1547.001 – Registry Run Keys / Startup Folder
  • T1053.005 – Scheduled Task/Job
  • T1567.002 – Exfiltration to Cloud Storage (e.g. RClone to Mega/Dropbox)
  • T1090 – Proxy (e.g. StarProxy tool turning hosts into proxy)
  • T1003 – OS Credential Dumping (LSASS)
  • T1027.011 – Obfuscated Files or Information: Steganography
  • T1071.001 – Application Layer Protocol: Web Protocols (HTTPS) – mimicked by FakeTLS
  • T1091 – Replication Through Removable Media (USB worm)
  • T1562.001 – Impair Defenses: Disable or Modify Tools (e.g. hiding FakeTLS)