The PolySwarm Blog


Mustang Panda Emerges With New TTPs

Apr 25, 2025 1:46:23 PM / by The Hivemind

Verticals Targeted: Government, Military, NGOs
Regions Targeted: Myanmar, East Asia, Europe

Executive Summary

Mustang Panda has enhanced its arsenal with updated ToneShell backdoor variants and a new lateral movement tool, StarProxy, targeting organizations in Myanmar and other regions. These tools employ advanced evasion techniques, including FakeTLS protocols and DLL sideloading, to facilitate espionage.

Key Takeaways

  • Mustang Panda has enhanced its arsenal with updated ToneShell backdoor variants and a new lateral movement tool, StarProxy.
  • ToneShell variants utilize updated FakeTLS headers to mimic TLSv1.3, enhancing C2 communication stealth.
  • StarProxy leverages FakeTLS for lateral movement, proxying traffic within compromised networks.
  • DLL sideloading remains a core delivery method, bundling malicious payloads with legitimate binaries.

A Revamped Arsenal

Mustang Panda continues to refine its malware toolkit. The group, active since at least 2012, targets government, military, and NGOs, primarily in East Asia, with activity also noted in Europe. The latest campaign, originating from two machines in a Myanmar-based organization, showcases updated variants of the ToneShell backdoor and a novel tool named StarProxy, both hosted on a staging server. These tools demonstrate Mustang Panda’s commitment to evading detection through advanced obfuscation and protocol impersonation. Zscaler reported on this activity.

ToneShell, a cornerstone of Mustang Panda’s operations, has been updated with significant changes to its command-and-control (C2) infrastructure. The backdoor now employs FakeTLS headers, transitioning from TLSv1.2 to TLSv1.3 in newer variants, to disguise network traffic. Three variants were identified: Variants 1 and 3 were found on the staging server, while Variant 2, bundled in a ZIP archive, was sourced from a third-party repository. All variants rely on DLL sideloading, pairing a legitimate executable with a malicious DLL to execute payloads. ToneShell’s encryption uses a rolling XOR key, generated via a linear congruential generator (LCG), with key sizes ranging from 0x20 to 0x200 bytes. 
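As an added illustration (not code from the Zscaler report or from PolySwarm), the Python below sketches the style of scheme the bulletin attributes to ToneShell: a rolling XOR whose key is derived from a linear congruential generator, with the 0x20 to 0x200 key-size range taken from the text. The LCG constants, the seed and the beacon content are assumptions; it also shows the defender-side consequence that a known beacon prefix exposes the whole rolling key.

```python
# Added illustration of a rolling-XOR scheme keyed by an LCG.  The LCG
# constants, seed and sample beacon below are ASSUMPTIONS for demonstration;
# the real sample's values are not given in the bulletin.

MIN_KEY, MAX_KEY = 0x20, 0x200   # key-size range stated in the bulletin


def lcg_keystream(seed: int, size: int, a: int = 1103515245, c: int = 12345,
                  m: int = 2 ** 31) -> bytes:
    """Derive a `size`-byte key from a 32-bit seed with a textbook LCG.
    The constants are glibc-style placeholders, not the malware's own."""
    if not MIN_KEY <= size <= MAX_KEY:
        raise ValueError(f"key size {size:#x} outside 0x20..0x200")
    out = bytearray()
    state = seed & 0xFFFFFFFF
    while len(out) < size:
        state = (a * state + c) % m
        out.append((state >> 16) & 0xFF)  # high byte: LCG low bits are weak
    return bytes(out)


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """Symmetric rolling XOR: byte i is XORed with key[i % len(key)].
    The same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_size: int) -> bytes:
    """Defender-side check: key_size bytes of known plaintext (for example a
    fixed beacon header) reveal the entire rolling key by XOR."""
    if len(known_plaintext) < key_size:
        raise ValueError("need at least key_size bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_size], known_plaintext))


# Constructed demo beacon (not real C2 traffic) and an assumed seed.
BEACON = b"HOST=WS-01|USER=alice|CMD=idle|" * 4
KEY = lcg_keystream(seed=0xC0FFEE, size=0x20)
CIPHER = rolling_xor(BEACON, KEY)


def demo_roundtrip() -> bool:
    """Decrypting with the same key restores the beacon."""
    return rolling_xor(CIPHER, KEY) == BEACON


def demo_known_plaintext() -> bool:
    """An analyst who knows the first 0x20 beacon bytes gets the key back."""
    return recover_key(CIPHER, BEACON, 0x20) == KEY
```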

StarProxy, a newly discovered lateral movement tool, complements ToneShell by enabling traffic proxying within compromised networks. It uses FakeTLS to conceal communications and supports both TCP and UDP connections, though current samples are hardcoded for TCP. StarProxy’s command handlers facilitate two-way communication with C2 servers, but duplicate handlers suggest ongoing development. Like ToneShell, it is delivered via DLL sideloading, often bundled in RAR archives with legitimate binaries. This tool is likely deployed post-compromise to access internal systems not directly exposed to the internet, amplifying Mustang Panda’s reach within networks.

Mustang Panda’s tactics align with its historical focus on espionage, leveraging DLL sideloading to bypass security controls. The group’s tools are hosted on a staging server, indicating centralized distribution. Use of symmetric XOR encryption and protocol impersonation underscores Mustang Panda’s technical sophistication. This campaign and shift in TTPs highlight Mustang Panda’s adaptability and persistence. PolySwarm analysts consider Mustang Panda to be an evolving threat.

Who is Mustang Panda?

Mustang Panda, also known as Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, LuminousMoth, PKPLUG, RedDelta, Stately Taurus, TA416, and Red Lich, is a China nexus APT group. The group has been active since at least 2012. Their activities align with Chinese government interests, such as surveillance of contentious regions and influence over foreign policy.

Mustang Panda employs spear-phishing emails with tailored lures, often mimicking legitimate documents or leveraging current events. They use DLL side-loading to deliver malware, frequently deploying the PlugX remote access trojan (RAT) for persistent access. The group utilizes Cobalt Strike, Poison Ivy, and custom backdoors like ToneShell and MQsTTang, alongside keyloggers (PAKLOG, CorKLOG) and lateral movement tools (StarProxy). They exploit vulnerabilities, such as CVE-2017-0199, shortly after public disclosure, and use USB-based worms like HIUPAN for propagation.

Mustang Panda targets non-governmental organizations (NGOs), government entities, telecommunications, and think tanks, with a focus on Southeast Asia (Myanmar, Philippines, Taiwan, Vietnam), East Asia (Hong Kong, Japan, South Korea), and Mongolia. They also target Europe, Australia, and the U.S., often focusing on minority groups like the Shan Tai in Myanmar and politically sensitive regions like Tibet.

IOCs

PolySwarm has multiple samples associated with this activity.


You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f ToneShell


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, China, TTPs, Mustang Panda, ToneShell, StarProxy
