Detect Mustang Panda aka Earth Preta APT Activity

The infamous China-linked Earth Preta (aka Mustang Panda, Bronze President, TA416) APT group has been attributed to a wave of spear-phishing attacks against global organizations in multiple industry sectors, including government institutions, primarily in Asia Pacific regions. Cybersecurity researchers have observed that threat actors abused fake Google accounts to spread different strains of malware, including TONEINS, TONESHELL backdoors, and PUBLOAD. 

Detect Earth Preta aka Mustang Panda Recent Adversary Activity

China-linked threat actors tracked as Earth Preta aka Mustang Panda, or Bronze President have been in the limelight in the cyber threat arena since March 2022 targeting global organizations in multiple industry sectors and continuously expanding their scope of attacks and enhancing their offensive capabilities. To help organizations timely identify potential intrusions associated with the recent spear-phishing attacks by the China-backed actors, SOC Prime has recently released a couple of relevant Sigma rules crafted by our keen Threat Bounty developers Wirapong Petshagun and Kyaw Pyiyt Htet (Mik0yan). Both Sigma rules detect the use of the DLL side-loading technique used by attackers in ongoing spear-phishing campaigns. The detections are compatible with the industry-leading SIEM, EDR, BDP, and XDR solutions and are mapped to the latest MITRE ATT&CK® framework v12.

Follow the links below to instantly drill down to the dedicated Sigma rules enriched with in-depth contextual metadata for streamlined threat investigation: 

Possible Earth Preta (Chinese based APT Group) Defense Evasion via DLL Side-Loading technique (via image_load)

This Sigma rule from Wirapong Petshagun addresses the Defense Evasion tactic with Hijack Execution Flow (T1574) applied as a primary ATT&CK technique. 

Suspicious Mustang Panda DLL Side-Loading Activity (Nov 2022) By Detection of Associated File Events

The above-mentioned detection developed by Kyaw Pyiyt Htet (Mik0yan) addresses the Defense Evasion and Execution tactics with the corresponding Hijack Execution Flow (T1574) and User Execution (T1204) techniques. 

Aspiring threat researchers looking for ways to contribute to collective cyber defense are welcome to join the ranks of the Threat Bounty Program crowdsourced initiative. Write detection code backed by Sigma and ATT&CK, share your expertise with industry peers, and get bounty for the quality and speed of your work while constantly improving your Detection Engineering skills.

Progressive organizations striving to fill all the gaps in their threat detection coverage can be interested in the entire list of Sigma rules to detect the malicious activity of Earth Preta aka Mustang Panda APT. Click the Explore Detections button below to reach relevant Sigma rules along with translations to 25+ security technologies and dive into comprehensive cyber threat context, like MITRE ATT&CK references, CTI links, mitigations, and more actionable metadata.

Explore Detections

Earth Preta aka Mustang Panda APT: Analysis of Spear-Phishing Campaigns Targeting Governments Worldwide

Cyber defenders report that government networks are potentially under malware attacks by the notorious hacking collective known as Earth Preta (aka Mustang Panda, Bronze President, TA416). 

Trend Micro cybersecurity researchers have observed the ongoing campaigns of the Chinese-backed APT group using the spear-phishing attack vector. In these attacks, Earth Preta hackers have abused fake Google accounts to deliver custom malware primarily targeting government entities and other organizations in the Asia Pacific region since March. The infection chain is triggered by downloading and opening the archive files spread via Google Drive links. Once opened, these lure files lead to executing malware strains on the compromised systems via the DLL side-loading adversary technique. The malicious campaign involves spreading TONEINS, TONESHELL, and PUBLOAD malware families, which, in turn, can deploy other payloads while staying under the radar. After infiltrating the compromised systems, the stolen sensitive data can be later leveraged as the entry vector for other intrusions, which poses a more serious to potentially compromised organizations and expands the scope and impact of attacks.

Mustang Panda is a China-backed cyber espionage APT group, which emerged in the cyber threat arena in the summer of 2018. The hacking collective is known for the development of its own custom malicious loaders in conjunction with popular adversary tools like PlugX and Cobalt Strike to compromise targeted systems. At the end of March 2022, the group leveraged a new PlugX RAT variant dubbed Hodur targeting Ukrainian organizations and European diplomatic missions.

Since the group is constantly updating its adversary toolkit, advancing offensive capabilities, and adding more custom malware samples to its arsenal for detection evasion, cyber defenders should be ready to proactively detect their malicious activity. 

As mitigation measures, organizations are strongly recommended to follow best security practices to protect their infrastructure from phishing attacks and enable multi-layer email protection.

Stay ahead of adversaries with curated Sigma rules against any current or emerging APT attacks. 900+ rules for APT-related tools and attacks are right at hand! Get 200+ for free or reach all relevant detection content with On-Demand at


Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts