Mustang Panda · G0129 · state-contractor
🇨🇳 CN · MSS
aka Mustang Panda, TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich, ClumsyToad
Last updated: 2026-07-03
About this actor
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. (Citation: BlackBerry MUSTANG PANDA October 2022)(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 2 CVEs published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |
| CVE-2026-22813 | 3.5 | 6.1 | 0.0091 | 2026-01-12 | see CVE |
T1001, T1001.003, T1003, T1003.001, T1003.003, T1003.006, T1016, T1018, T1027, T1027.007, T1027.012, T1027.016, T1036, T1036.005, T1036.007, T1036.008, T1041, T1046, T1047, T1048, T1048.003, T1049, T1052, T1052.001, T1053, T1053.005, T1057, T1059, T1059.001, T1059.003, T1059.005, T1059.007, T1069, T1069.002, T1070, T1070.004, T1070.006, T1071, T1071.001, T1072, T1074, T1074.001, T1082, T1083, T1087, T1087.002, T1091, T1095, T1102, T1105, T1106, T1119, T1129, T1140, T1176, T1176.002, T1203, T1204, T1204.001, T1204.002, T1205, T1218, T1218.004, T1218.005, T1219, T1219.001, T1219.002, T1505, T1505.003, T1518, T1546, T1546.003, T1547, T1547.001, T1553, T1553.002, T1557, T1560, T1560.001, T1560.003, T1564, T1564.001, T1566, T1566.001, T1566.002, T1567, T1567.002, T1572, T1573, T1573.001, T1574, T1574.001, T1574.005, T1583, T1583.001, T1583.006, T1585, T1585.002, T1586, T1586.002, T1587, T1587.001, T1588, T1588.002, T1588.003, T1588.004, T1593, T1598, T1598.003, T1608, T1608.001, T1622, T1654, T1678
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 70 / 114 | 61% |
| CM-2 | 63 / 114 | 55% |
| CM-6 | 62 / 114 | 54% |
| SI-3 | 59 / 114 | 52% |
| CA-7 | 46 / 114 | 40% |
| CM-7 | 45 / 114 | 39% |
| AC-3 | 39 / 114 | 34% |
| AC-4 | 37 / 114 | 32% |
| AC-6 | 35 / 114 | 31% |
| SC-7 | 35 / 114 | 31% |
| AC-2 | 32 / 114 | 28% |
| SI-7 | 30 / 114 | 26% |
| SI-10 | 25 / 114 | 22% |
| RA-5 | 24 / 114 | 21% |
| CM-8 | 21 / 114 | 18% |
Co-occurring actors
- SolarWinds Compromise: 1 shared CVE
- APT38: 1 shared CVE
- Tonto Team: 1 shared CVE
- Ember Bear: 1 shared CVE
- GOLD SOUTHFIELD: 1 shared CVE
- Aquatic Panda: 1 shared CVE
- APT28: 1 shared CVE
- Sandworm Team: 1 shared CVE
- Ajax Security Team: 1 shared CVE
- FIN7: 1 shared CVE
Similar actors
Similar TTPs
- APT32 0.38
- Kimsuky 0.37
- Operation Dream Job 0.36
- Lazarus Group 0.36
- MuddyWater 0.36
Overlapping CVEs
- C0027 0.50
- APT12 0.50
- APT28 0.50
- FIN7 0.50
- Gamaredon Group 0.50
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- C0017 1.00
- APT41 DUST 1.00
- RedDelta Modified PlugX Infection Chain Operations 1.00
- APT3 1.00
- APT41 1.00