Menu
Browse

Cyber Threat Actor: APT46

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
0 incidents
Profile

Bronze President, also tracked as APT46 and known by the aliases Mustang Panda and HoneyMyte, is a China‑based threat actor that has been publicly linked to state‑sponsored cyber‑espionage activities. The group’s Chinese origin is explicitly noted in multiple reports describing its operations as originating from China and being aligned with Chinese government interests. Its strategic objective, as evidenced by the campaigns described in the source material, is intelligence collection rather than financial gain or disruptive sabotage.

The actor’s targeting pattern includes government entities, religious organizations, and diplomatic or quasi‑governmental institutions across several regions. It has been observed conducting spear‑phishing campaigns against Russian state officials, using lure documents that purportedly contained European Union sanction details. In another operation, the group compromised the website of the Myanmar president’s office to host a malicious font package that served as a watering hole for visitors. Additionally, the actor has targeted members of the Hong Kong Catholic Church, employing spear‑phishing lures that appeared to be communications from Vatican officials or Catholic news outlets. These incidents demonstrate a focus on political and religious targets in East Asia, Southeast Asia, and Europe.

Bronze President’s typical tactics, techniques, and procedures involve the use of spear‑phishing emails with malicious attachments that masquerade as legitimate files such as PDFs or Office documents. The attachments often employ DLL side‑loading or DLL search‑order hijacking to execute a PlugX variant, a remote access trojan that has been repeatedly associated with the group in the analyzed reports. The actor also uses compromised legitimate signed binaries as loaders to evade detection, and it has been observed delivering payloads through archives (ZIP, RAR) and LNK files hosted on compromised websites. Infrastructure reused across campaigns—such as staging servers and domains—has been attributed to Bronze President, reinforcing the linkage between these operations. These observed behaviors collectively define the group’s operational profile as a Chinese state‑backed espionage actor that relies on social engineering, stealthy DLL‑based loading, and the PlugX malware family to achieve its intelligence‑gathering goals.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
41 sources