APT / THREAT GROUP | 🕵️ ESPIONAGE | ADVANCED

MUSTANG PANDA

🇨🇳 China-attributed
13 aliases
Last seen: May 20, 2026

Intelligence Profile

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.

In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.

Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.

Threat Analysis

MUSTANG PANDA is an advanced-sophistication threat actor attributed to China, engaged in cyber operations with a primary motivation of espionage.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Classified as an advanced threat actor, MUSTANG PANDA likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.

Quick Facts

Type: APT / Threat Group
Motivation: 🕵️ espionage
Sophistication: advanced
Origin: 🇨🇳 China
Aliases: 13
Source: Malpedia

Also Known As

Polaris, TA416, BASIN, Twill Typhoon, Stately Taurus, Earth Preta, TEMP.HEX, Red Lich, MUSTANG PANDA, TANTALUM, BRONZE PRESIDENT, LuminousMoth, HoneyMyte

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.