Mustang Panda: Persistent Threat of a China aligned Espionage Group in 2025

Introduction

Mustang Panda, also tracked as Earth Preta, Bronze President, TA416, RedDelta, and HIVE0154, remains one of the most active China-aligned APT groups in 2025. It is a cyber-espionage group that continually adapts its tooling and techniques to maintain persistent access to strategic organizations in Asia, Europe, and beyond.

The campaigns demonstrate the changing nature of state-sponsored espionage, as the China-linked adversaries exhibit their ongoing focus on long-term intelligence collection.

Identity and Motivation

  • Attribution: Widely attributed to the People’s Republic of China (PRC).
  • Operational Since: At least 2012.
  • Other Names: Earth Preta, Bronze President, TA416, RedDelta, HIVE0154.
  • Motive: Political and military intelligence collection against government departments, military, law enforcement, NGOs, and diplomatic targets.

The group’s targeting reflects goals that align with Beijing’s geopolitical and strategic interests, particularly neighbouring states, European partners, and international organizations active in maritime security, policy, and law enforcement.

Tactics, Techniques and Procedures (TTPs)

Mustang Panda’s tradecraft continues to adapt while retaining several familiar tools and delivery mechanisms.

  • Initial Access: Spear-phishing using current-affairs-themed lures, malicious archives, and shortcut (LNK) files paired with PDF decoys. Use of USB-based malware appears to be increasing in Europe.
  • Execution: Droppers deploying known malware families such as Korplug/PlugX, as well as newer custom backdoors like ToneShell.
  • Persistence: Use of SoftEther VPN for extended access to the victim’s network; use of DLL side-loading for stealthy execution.
  • Defense Evasion: Disguised software (for example, Google Chrome installers) that blends malicious and legitimate components to defeat detection.
  • C2 & Exfiltration: XOR-obfuscated Korplug communications and persistent C2 channels via VPN tunneling.
  • Malware: Korplug/PlugX, ToneShell (including the recent “Frankenstein” variant), Yokai, SoftEther VPN.

📊 Visual Aid: TTPs Diagram

  Initial Access  →  Execution  →  Persistence    →  C2/Exfiltration
  Phishing           Droppers      VPNs, DLLs        PlugX, ToneShell
  LNK+PDF            Korplug       Side-loading      XOR C2
  USB Malware        ToneShell     SoftEther VPN     Data Theft

Notable Operations

  • 2025 (Myanmar): Deployment of a “Frankenstein” ToneShell backdoor variant.
  • 2025 (Thailand): Targeting of the Royal Thai Police with a Yokai backdoor delivered via an LNK file and PDF decoy.
  • 2025 (Europe): Continued operations against European Union governments and maritime transportation organizations, using USB-based loaders and Korplug.
  • 2024-2025: Campaigns that bundle legitimate applications with malware to bypass detection, as noted by Trend Micro.
  • Historical: High-volume use of PlugX/Korplug with DLL side-loading against NGOs, religious organizations, and governments throughout Asia and Europe.

Timeline of Operations

  • 2012-2019: PlugX-heavy campaigns against APAC governments and NGOs.
  • 2020-2022: Expanding targeting of EU diplomatic and religious organizations.
  • 2023: Increasing USB-based attacks and persistence via VPN tools.
  • 2024: Increased use of ToneShell backdoors and other mixed benign/malicious delivery strategies.
  • 2025: Globally active campaigns alongside evolving malware (Frankenstein ToneShell, Yokai).

Recent Activity

From late 2024 through 2025, Mustang Panda moved beyond a single initial-access vector, adding USB media to complement its phishing-heavy operations.

  • Continued to deploy varied and evolving updates to ToneShell, indicating ongoing internal development of its tooling.
  • Focused operations on European government and maritime organizations, with a growing emphasis on targets in Southeast Asia.

This sustained commitment reflects an enduring cycle of espionage operations aligned with Beijing’s foreign policy and national security objectives.

Conclusion

Mustang Panda is a clear example of the persistence and adaptability of China-aligned APT groups. Operational activity observed across APAC, Europe, and North America shows a continuous evolution from PlugX-centric operations to newer malware families such as ToneShell and Yokai.

The targeting and operational emphasis of its campaigns against diplomatic, government, and law enforcement organizations reflect the continuing strategic priorities of the Chinese state.

Takeaways for Defenders

  • Limit the impact of DLL side-loading and enforce a near-complete prohibition on removable media and USB device usage.
  • Continue to enhance email filtering and sandboxing to better handle LNK and archive-based phishing.
  • Monitor for SoftEther VPN installations on endpoints, along with C2 traffic patterns associated with Korplug/ToneShell.
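As an added illustration of the side-loading and SoftEther points above (this code is not from the original post), the following Python heuristic runs over constructed Sysmon-style image-load records and flags a signed host binary in a user-writable folder loading an unsigned DLL from its own directory, plus any SoftEther VPN binary name. The event shape, folder list, and sample paths are assumptions made for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Staging locations a standard user can write to (assumed list for this example);
# a signed vendor binary normally runs from Program Files, not from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")
# Binary names shipped with SoftEther VPN.
SOFTETHER_BINARIES = {"vpnclient.exe", "vpnserver.exe", "vpnbridge.exe", "vpncmd.exe"}

@dataclass
class ImageLoad:
    process_path: str      # executable that performed the load
    process_signed: bool   # host binary has a valid Authenticode signature
    image_path: str        # DLL that was loaded
    image_signed: bool     # DLL has a valid signature

def in_user_writable(path: str) -> bool:
    return any(part in path.lower() for part in USER_WRITABLE)

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed host in a user-writable folder loading an unsigned DLL from the same folder."""
    host, dll = PureWindowsPath(ev.process_path), PureWindowsPath(ev.image_path)
    return (ev.process_signed and not ev.image_signed
            and host.parent == dll.parent
            and dll.suffix.lower() == ".dll"
            and in_user_writable(ev.process_path))

def is_softether(process_path: str) -> bool:
    return PureWindowsPath(process_path).name.lower() in SOFTETHER_BINARIES

def triage(events: list) -> list:
    """Return (rule, process_path) pairs that deserve an analyst's attention."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append(("dll-sideload", ev.process_path))
        if is_softether(ev.process_path):
            hits.append(("softether-vpn", ev.process_path))
    return hits

# Constructed sample: a legitimate-looking installer in Downloads loading an unsigned
# DLL beside it, a benign Program Files load, and a SoftEther client under AppData.
SAMPLE = [
    ImageLoad(r"C:\Users\alice\Downloads\installer\setup.exe", True,
              r"C:\Users\alice\Downloads\installer\helper.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Roaming\vpn\vpnclient.exe", True,
              r"C:\Users\alice\AppData\Roaming\vpn\hamcore.se2", True),
]
```

In production the same rule would read real Sysmon Event ID 7 records and be tuned with an allow-list for known installers that legitimately run from Downloads.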

Mustang Panda’s continued operations in 2025 underscore that China’s cyber-espionage apparatus is both persistent and adaptive, and that defenders must anticipate the continued evolution of the tools and techniques used across its campaigns.
