Mustang Panda APT Enhances Toolkit with New Backdoor and Keyloggers
TL;DR
- Mustang Panda, a China-linked APT group, has deployed a new backdoor called MQsTTang.
- The group has targeted entities in Europe, Asia, and Australia with updated tools and techniques.
- Recent findings reveal new variants of the ToneShell backdoor and additional tools like StarProxy and Paklog.
Main Content
The China-linked Advanced Persistent Threat (APT) group known as Mustang Panda (also referred to as Camaro Dragon, RedDelta, or Bronze President) has recently upgraded its arsenal with a new custom backdoor named MQsTTang. This enhanced toolkit has been observed in recent cyberattacks targeting organizations across Europe, Asia, and Australia.
Mustang Panda, active since at least 2012, has a history of targeting high-value entities, including:
- Government organizations
- Think tanks
- NGOs
- Catholic organizations within the Vatican
The group’s past campaigns have primarily focused on Asian countries such as Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In 2022, Mustang Panda utilized European Union reports on the Ukraine conflict and Ukrainian government reports as lures to initiate malware deployment.
In February 2024, Trend Micro researchers observed Mustang Panda targeting Asian countries, including Taiwan, Vietnam, and Malaysia [1].
New Tools and Techniques
Recent investigations by the Zscaler ThreatLabz team have uncovered new activities linked to Mustang Panda, originating from compromised machines within a targeted organization in Myanmar. This discovery led to the identification of new variants of the ToneShell backdoor and several previously undocumented tools:
- StarProxy
- Paklog and Corklog keyloggers
- SplatCloak EDR evasion driver
ToneShell Backdoor Variants
The APT group employs DLL sideloading to execute malicious payloads stealthily. Three distinct variants of the ToneShell backdoor were analyzed, each utilizing DLL sideloading:
- Variant 1: Archive cf.rar includes mrender.exe and libcef.dll.
- Variant 2: Archive ru.zip includes FastVD.exe and LogMeIn.dll.
- Variant 3: Archive zz.rar includes gpgconf.exe and libgcrypt-20.dll.
Key Features of ToneShell Variants
- GUID Generation: Each variant generates a unique identifier (GUID) for the infected machine using different methods.
- Rolling XOR Key: Utilized for encrypting communications with the command-and-control (C2) server.
- FakeTLS Headers: Employed to mimic legitimate TLS traffic, aiding in evasion of network-based detections.
- C2 Commands: Support a range of commands, including file operations, reverse shell creation, and DLL injection.
StarProxy: A New Lateral Movement Tool
ThreatLabz researchers identified StarProxy, a new tool used by Mustang Panda for lateral movement. Discovered within a RAR archive containing a legitimate executable (IsoBurner.exe) and a malicious DLL (StarBurn.dll), StarProxy employs DLL sideloading to activate upon execution. Key capabilities include:
- Traffic Proxying: Proxies traffic between infected devices and C2 servers using TCP sockets and FakeTLS.
- Encryption: Encrypts data with a custom XOR-based algorithm.
- Command-Line Arguments: Specifies IP addresses and ports, facilitating data relay through compromised machines.
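Both the ToneShell variants and StarProxy wrap their C2 traffic in FakeTLS headers, that is, TLS record headers with no real handshake behind them. A network defender can catch this class of traffic without knowing the malware's custom encoding, because a genuine TLS client always begins with a Handshake record carrying a structurally valid ClientHello. The following Python is an added example written for this article, not code from Zscaler or from the malware: it classifies the first client-to-server bytes of a TCP stream as real TLS, FakeTLS, not TLS at all, or truncated. The sample messages at the bottom are constructed here for illustration; the exact FakeTLS header format used by ToneShell and StarProxy is not given on this page, so the check is a generic structural one.

```python
"""Heuristic FakeTLS check on the first client->server bytes of a TCP stream.

Real TLS clients open with a Handshake record (type 0x16) whose body is a
ClientHello. A record header that is followed by anything else, or an
ApplicationData record (0x17) with no handshake before it, is a strong
indicator of a FakeTLS wrapper. Added example; not the article's own code.
"""
import struct

TLS_CONTENT_HANDSHAKE = 0x16
TLS_CONTENT_APPDATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01


def parse_record_header(data: bytes):
    """Return (content_type, version, length) from a 5-byte TLS record header, or None."""
    if len(data) < 5:
        return None
    return struct.unpack("!BHH", data[:5])


def looks_like_client_hello(body: bytes) -> bool:
    """Check that a handshake body has the fixed-layout fields of a ClientHello.

    Verified: handshake type 1, 3-byte length matching the body, client
    version 0x03xx, 32-byte random, session id <= 32 bytes, a non-empty
    even-length cipher suite list and at least one compression method.
    """
    if len(body) < 4:
        return False
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    if htype != HANDSHAKE_CLIENT_HELLO or hlen != len(body) - 4:
        return False
    p = 4
    if len(body) < p + 2 + 32 + 1:
        return False
    client_version = int.from_bytes(body[p:p + 2], "big")
    p += 2
    if client_version >> 8 != 0x03:
        return False
    p += 32  # client random
    sid_len = body[p]
    p += 1
    if sid_len > 32 or len(body) < p + sid_len + 2:
        return False
    p += sid_len
    cs_len = int.from_bytes(body[p:p + 2], "big")
    p += 2
    if cs_len == 0 or cs_len % 2 or len(body) < p + cs_len + 1:
        return False
    p += cs_len
    comp_len = body[p]
    p += 1
    return comp_len != 0 and len(body) >= p + comp_len


def classify_first_message(data: bytes) -> str:
    """Classify the first client->server bytes of a stream.

    Returns 'tls-handshake', 'fake-tls', 'not-tls' or 'truncated' (the
    record spans more bytes than were captured, so no verdict is possible).
    """
    hdr = parse_record_header(data)
    if hdr is None:
        return "not-tls"
    ctype, version, length = hdr
    if version >> 8 != 0x03 or ctype not in (TLS_CONTENT_HANDSHAKE, TLS_CONTENT_APPDATA):
        return "not-tls"
    body = data[5:5 + length]
    if ctype == TLS_CONTENT_APPDATA:
        # Application data before any handshake: the header is decoration only.
        return "fake-tls"
    if len(body) < length:
        return "truncated"
    return "tls-handshake" if looks_like_client_hello(body) else "fake-tls"


def build_client_hello() -> bytes:
    """Constructed sample: a minimal, structurally valid TLS 1.2 ClientHello record."""
    cipher_suites = b"\xc0\x2f\x00\x9c"  # two suites, constructed values
    hello = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
             + struct.pack("!H", len(cipher_suites)) + cipher_suites
             + b"\x01\x00"                                 # one compression method: null
             + b"\x00\x00")                                # empty extensions block
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples of what a FakeTLS wrapper can look like on the wire.
FAKE_TLS_APPDATA = b"\x17\x03\x03" + struct.pack("!H", 16) + bytes(16)
FAKE_TLS_HANDSHAKE = b"\x16\x03\x01\x00\x08" + b"\x41" * 8  # handshake type 0x41 is not a ClientHello


if __name__ == "__main__":
    for name, msg in [("real ClientHello", build_client_hello()),
                      ("appdata first", FAKE_TLS_APPDATA),
                      ("bogus handshake", FAKE_TLS_HANDSHAKE),
                      ("plain HTTP", b"GET / HTTP/1.1\r\n")]:
        print(f"{name:18s} -> {classify_first_message(msg)}")
```

The check deliberately stops at the fixed-layout ClientHello fields; it is meant as a cheap triage filter over the first segment of each outbound flow, with the `truncated` verdict telling the analyst to reassemble the stream before judging. A heuristic like this complements, rather than replaces, JA3-style fingerprinting, since it needs no fingerprint database and fires on any wrapper that reuses TLS record headers without a handshake.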
Ongoing Threat and Mitigation
Mustang Panda continues to refine its tools for enhanced stealth and functionality. The report concludes that Mustang Panda remains active in targeting organizations and individuals in Myanmar.
For further technical details, refer to the Part 2 analysis by Zscaler.
Additional Resources
For further insights, check:
- Mustang Panda: A Comprehensive Analysis
- Google Threat Analysis Group Report
- Recorded Future Report on Mustang Panda
References
- [1] (2025). “China-linked APT Mustang Panda upgrades tools in its arsenal”. Security Affairs. Retrieved 2025-04-17.