Cyber Threat Actor: Mustang Panda
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
13 incidents |
|---|
Profile
Mustang Panda, also tracked as HoneyMyte and Bronze President, is a threat actor linked to China and described in open‑source reporting as a Chinese state‑backed or nation‑state hacking group. The actor’s known focus includes government, military, non‑governmental, diplomatic and religious targets, with observed operations directed at officials in Russia, entities in Myanmar, the Catholic Diocese of Hong Kong and European diplomatic missions. Public attributions consistently characterize the group’s objectives as intelligence gathering and cyber‑espionage rather than financially motivated crime.
The group’s typical tactics involve spear‑phishing campaigns that deliver malicious executables disguised as legitimate documents, such as PDFs mimicking European Union sanctions notices, Vatican communications or Catholic news articles. These lures frequently employ DLL search order hijacking or DLL side‑loading techniques to execute the PlugX remote access trojan, sometimes leveraging a digitally signed vulnerable file from a legitimate software loader to evade detection. In other operations Mustang Panda has compromised websites to distribute trojanized font packages, as seen in the manipulation of a Myanmar Unicode font on the president’s office site, and has used malicious archives containing rigged executables that mimic Microsoft Word or Adobe Reader to deliver its payloads. The actor‑specific infrastructure, including previously observed command‑and‑control servers and staging domains, is repeatedly reused across campaigns.
Notable publicly reported activity includes a April 2022 phishing wave targeting Russian officials with EU‑sanction themed lures that deployed PlugX via DLL hijacking, a May 2020 spear‑phishing effort against the Hong Kong Catholic Church that used Word‑like executables and DLL side‑loading to install PlugX, and a June 2021 compromise of the Myanmar presidential website where a trojanized font package served as a watering‑hole delivery mechanism for a backdoor trojan linked to earlier Myanmar‑focused espionage. Earlier reporting also notes the group’s historic use of the EvilGrab malware against the same Myanmar presidential site, indicating a pattern of returning to previously compromised platforms for renewed access. These incidents collectively illustrate Mustang Panda’s reliance on social engineering, trusted‑application abuse and PlugX‑based payloads to sustain long‑term espionage operations against a range of geopolitical targets.
