← Back to Actors
Mustang Panda
Mustang PandaTA416RedDeltaBRONZE PRESIDENTSTATELY TAURUSFIREANTCAMARO DRAGONEARTH PRETAHIVE0154TWILL TYPHOONTANTALUMLUMINOUS MOTHUNC6384TEMP.HexRed LichClumsyToad
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myan...
85
Techniques
74
Covered
11
Gaps
87%
Coverage
Coverage74/85
GAPS (11)
T1027.007Dynamic API ResolutionT1027.016Junk Code InsertionT1176.002IDE ExtensionsT1219.001IDE TunnelingT1560.003Archive via Custom MethodT1573.001Symmetric CryptographyT1585.002Email AccountsT1586.002Email AccountsT1588.003Code Signing CertificatesT1593Search Open Websites/DomainsT1678Delay Execution
COVERED (74)
T1001.003Protocol or Service Impersonation2 det.T1003OS Credential Dumping113 det.T1003.001LSASS Memory111 det.T1003.003NTDS36 det.T1003.006DCSync16 det.T1016System Network Configuration Discovery40 det.T1018Remote System Discovery51 det.T1027Obfuscated Files or Information606 det.T1027.012LNK Icon Smuggling1 det.T1036.005Match Legitimate Resource Name or Location45 det.T1036.007Double File Extension4 det.T1036.008Masquerade File Type5 det.T1041Exfiltration Over C2 Channel32 det.T1046Network Service Discovery51 det.T1047Windows Management Instrumentation88 det.T1048.003Exfiltration Over Unencrypted Non-C2 Protocol22 det.T1049System Network Connections Discovery22 det.T1052.001Exfiltration over USB4 det.T1053.005Scheduled Task100 det.T1057Process Discovery21 det.T1059Command and Scripting Interpreter514 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1059.005Visual Basic69 det.T1059.007JavaScript63 det.T1069.002Domain Groups44 det.T1070Indicator Removal62 det.T1070.004File Deletion43 det.T1070.006Timestomp10 det.T1071.001Web Protocols81 det.T1072Software Deployment Tools13 det.T1074.001Local Data Staging10 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1087.002Domain Account57 det.T1091Replication Through Removable Media8 det.T1095Non-Application Layer Protocol24 det.T1102Web Service35 det.T1105Ingress Tool Transfer184 det.T1106Native API29 det.T1119Automated Collection12 det.T1129Shared Modules14 det.T1140Deobfuscate/Decode Files or Information58 det.T1203Exploitation for Client Execution79 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1205Traffic Signaling1 det.T1218.004InstallUtil15 det.T1218.005Mshta49 det.T1219.002Remote Desktop Software52 det.T1505.003Web Shell65 det.T1518Software Discovery17 det.T1546.003Windows Management Instrumentation Event Subscription18 det.T1547.001Registry Run Keys / Startup Folder53 det.T1553.002Code Signing4 det.T1557Adversary-in-the-Middle39 det.T1560.001Archive via Utility26 det.T1564.001Hidden Files and Directories25 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1567.002Exfiltration to Cloud Storage31 det.T1572Protocol Tunneling59 det.T1574.001DLL111 det.T1574.005Executable Installer File Permissions Weakness2 det.T1583.001Domains62 det.T1583.006Web Services1 det.T1587.001Malware10 det.T1588.002Tool13 det.T1588.004Digital Certificates1 det.T1598.003Spearphishing Link312 det.T1608Stage Capabilities9 det.T1608.001Upload Malware3 det.T1622Debugger Evasion1 det.T1654Log Enumeration1 det.