Mustang Panda [1] [2] [3], a China-based threat actor [1] [2] [3], has been identified as the suspected perpetrator behind twin campaigns targeting Myanmar’s Ministry of Defence and Foreign Affairs. These campaigns involved the use of backdoors and remote access trojans. This article provides a detailed description of the attacks and highlights the geopolitical implications of Mustang Panda’s operations.


The attacks took place in November 2023 and January 2024 and were discovered by CSIRT-CTI after artifacts related to the attacks were uploaded to VirusTotal. Mustang Panda employed various tactics, including the use of legitimate software such as a binary developed by Bernecker & Rainer (BR) and a component of the Windows 10 upgrade assistant [1], to sideload malicious DLLs [1] [2] [3]. This allowed them to establish persistence and contact a command-and-control server [1] [3].

Mustang Panda [1] [2] [3], known by different names in the cybersecurity community [1] [2] [3], has been active since 2012 [1] [2] [3]. Recent targets include a Southeast Asian government and the Philippines [1] [2] [3], where they deployed backdoors to gather sensitive information. Their attack methods involve phishing emails with booby-trapped ZIP attachments and DLL search order hijacking [1] [2] [3]. They also disguise their traffic as Microsoft update traffic [1] [2] [3].

In a separate campaign observed this month, Mustang Panda utilized an optical disc image with LNK shortcuts to deploy a custom loader called TONESHELL [1] [3], likely deploying the PlugX implant [1] [3]. These operations align with the geopolitical interests of the Chinese government [1] [3], particularly their cyberespionage operations against Myanmar. Similar attack chains by Mustang Panda have been previously discovered in Asia and Europe [2], indicating a widespread threat.


The activities of Mustang Panda pose significant risks to the targeted governments and organizations. The use of legitimate software and sophisticated techniques make it challenging to detect and mitigate their attacks. It is crucial for affected entities to enhance their cybersecurity measures and remain vigilant against phishing attempts and suspicious network traffic. Additionally, international cooperation and information sharing are essential to address the widespread threat posed by Mustang Panda and similar threat actors.