They survived a global takedown, rebuilt their infrastructure in weeks, and were back targeting U.S. policy organizations before the dust settled. Here's everything you need to know about Earth Preta — and why defenders can't afford to look away.

Executive Summary

Mustang Panda (aka Earth Preta) is a Chinese state-aligned APT group that has been conducting long-term cyber espionage operations since at least 2012. Despite a law enforcement disruption in early 2025, the group re-tooled rapidly and resumed campaigns by January 2026, targeting U.S. government policy entities with a brand-new backdoor. They are known for PlugX-based intrusions, USB worm propagation, and DLL side-loading — primarily aimed at intelligence collection aligned with Beijing's geopolitical priorities.

01. Background

Mustang Panda is one of the most consistently active Chinese state-nexus threat actors tracked by the global security community. First documented around 2012, the group operates with a singular mandate: long-term intelligence collection on behalf of Chinese government interests. Unlike disruptive actors or ransomware syndicates, Mustang Panda's primary currency is persistence — staying invisible inside high-value networks for months or years, silently exfiltrating diplomatic cables, policy positions, and strategic data.

The group is known by a constellation of aliases across different vendors and intelligence sources. Understanding these aliases is critical for correlating threat intelligence across platforms:

  • Mustang Panda
  • Earth Preta
  • Bronze President
  • TA416
  • RedDelta
  • Camaro Dragon
  • Twill Typhoon
  • Hive0154
  • Stately Taurus
  • PKPLUG

Their targeting profile maps tightly to Chinese foreign policy priorities: Southeast Asian governments, European diplomatic missions, religious minorities including Tibetan communities, and international NGOs. The group is opportunistic in adopting new lures and tools — they are often among the first APT actors to weaponize breaking geopolitical events as phishing themes.

"Mustang Panda doesn't need to break your door down. They'll wait patiently at the window until you leave it open."

02. History & Evolution

Mustang Panda's operational history reflects both remarkable consistency of purpose and rapid adaptability of method. Their evolution tracks closely with geopolitical flashpoints and technological change in the security landscape:

2018–2020: Mustang Panda expanded operations into Europe, targeting entities like the Vatican and EU diplomatic bodies. They adopted DLL side-loading using trusted software (e.g., VLC media player) to evade detection and used COVID-19–themed lures to target Mongolian government organizations. (Picus Security)

2021–2022: The group broadened its operations and developed custom tools such as TONESHELL and PUBLOAD to improve stealth. They also used USB-based attacks to spread malware into air-gapped systems and targeted European diplomatic entities during geopolitical tensions. (Picus Security)

2023–2024: Campaigns intensified across the Indo-Pacific and Europe, including attacks on foreign ministries and government networks. Advanced techniques such as router firmware implants and USB worms were used for persistent access, and the group received the new designation "Twill Typhoon." (Picus Security)

Early 2025: International law enforcement disrupted large portions of Mustang Panda's command-and-control infrastructure, but the group quickly rebuilt and resumed operations using new tools and infrastructure. (Picus Security)

2026 (Present): The group remains fully operational, launching new campaigns using advanced malware such as LOTUSLITE and continuing espionage activities against government and policy organizations worldwide. (Picus Security)

03. Tactics, Techniques & Procedures (TTPs)

Initial Access (T1566.001) — Spear-Phishing

Attackers send carefully crafted emails using political or regional themes. Malicious attachments such as .doc, .pdf, or .lnk files are used to trick victims into opening them.

Execution (T1059) — DLL Side-Loading

Legitimate signed applications (e.g., trusted software tools) are bundled with malicious DLL files. When the trusted program runs, it unknowingly loads the malware, helping attackers bypass security tools. (blogs.blackberry.com)
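The side-loading pattern described above leaves a trace in DLL load telemetry that defenders can hunt on. The following is an added example, not code from the original post or from any vendor: a Python heuristic over constructed Sysmon ImageLoad-style records that flags a signed executable loading an unsigned or foreign-signed DLL from its own user-writable directory. The field names, the signer comparison and the user-writable prefix list are assumptions.

```python
import ntpath
from dataclasses import dataclass

# Directories a standard user can write to. A trusted signed EXE copied here
# is the usual side-loading staging area (assumption: this prefix set is what
# the environment treats as high-risk; extend it for your own host builds).
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


@dataclass
class ImageLoad:
    """One Sysmon Event ID 7 (ImageLoad) record, reduced to the fields used here."""
    image: str           # process that performed the load, e.g. vlc.exe
    image_loaded: str    # DLL that was mapped, e.g. libvlc.dll
    image_signed: bool   # host process carries a valid Authenticode signature
    dll_signed: bool     # loaded DLL carries a valid signature
    signers_match: bool  # DLL publisher equals the host process publisher


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Flag a signed process loading an unsigned or foreign-signed DLL from its own
    directory when that directory is user-writable: the PlugX/TONESHELL pattern."""
    proc, dll = ev.image.lower(), ev.image_loaded.lower()
    if not ev.image_signed:
        return False  # unsigned host binaries are a different hunt
    if ntpath.dirname(proc) != ntpath.dirname(dll):
        return False  # side-loading needs the DLL beside the EXE
    if ev.dll_signed and ev.signers_match:
        return False  # vendor's own DLL next to the vendor's EXE
    return proc.startswith(USER_WRITABLE_PREFIXES)


def hunt(events: list[ImageLoad]) -> list[str]:
    """Return the DLL paths of every event that looks like a side-load."""
    return [ev.image_loaded for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry (not real events): a legitimate VLC install, the
# same binary relocated to ProgramData with a rogue libvlc.dll, and a CRT DLL
# resolved from System32, which is a normal load and must not fire.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True, True, True),
    ImageLoad(r"C:\ProgramData\vlc\vlc.exe",
              r"C:\ProgramData\vlc\libvlc.dll", True, False, False),
    ImageLoad(r"C:\ProgramData\vlc\vlc.exe",
              r"C:\Windows\System32\msvcr100.dll", True, True, False),
]
```

Running `hunt(SAMPLE_EVENTS)` returns only the ProgramData copy of libvlc.dll; in production the same check runs over Event ID 7 records where the `Signed`/`SignatureStatus` fields feed the two boolean inputs.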

Persistence (T1547) — Registry Run Keys

Malware modifies Windows registry startup entries so it automatically runs each time the user logs in. Other persistence methods include scheduled tasks and service installation.

Defense Evasion (T1014) — Rootkits

Advanced attacks deploy kernel-level rootkits to hide malicious files, processes, and network activity from security tools. (Picus Security)

Lateral Movement (T1091) — USB Worms

Custom USB malware spreads through removable drives, allowing infection of offline or air-gapped systems. Some variants activate only in specific geographic locations. (Picus Security)

Command & Control (T1573) — Encrypted C2

Tools like StarProxy relay encrypted traffic through intermediate systems, making detection and attribution harder. (Zscaler)

Collection (T1056) — Keylogging

Custom keyloggers capture keystrokes, screenshots, and clipboard data to steal sensitive credentials and information. (SC Media)

Malware Arsenal

  • PlugX — Primary remote access malware used for long-term control
  • TONESHELL / PUBLOAD — Custom loaders used to deploy payloads
  • LOTUSLITE — Newer backdoor used in recent campaigns, especially against government targets. (Picus Security)

Notable Incidents Summary — Mustang Panda

2026 — Global Diplomatic Campaign (DOPLUGS Impersonation)

Mustang Panda conducted a widespread spear-phishing campaign by impersonating U.S. diplomatic personnel to distribute the DOPLUGS malware. Targets included foreign ministry staff, policy researchers, and government contractors across multiple regions.

2025 — European Government Espionage (Windows LNK Zero-Day)

The group exploited a Windows shortcut vulnerability (CVE-2025-9491) to deliver malware to government systems in Belgium, Hungary, and other EU countries. The campaign targeted diplomatic and legislative staff to gather intelligence on EU policies.

2025 — Thailand USB Operation (Geofenced SnakeDisk)

Mustang Panda deployed the SnakeDisk USB worm in Thailand, using geofencing logic so the malware activated only within Thailand. Targets included government ministries and organizations linked to Myanmar border affairs.

June 2025 — Tibetan Community Targeting (Dalai Lama Lures)

A targeted phishing campaign used culturally relevant messages related to the Dalai Lama's birthday to attack Tibetan communities, advocacy groups, and journalists, likely to monitor communications and activism.

05. Indicators of Compromise (IOCs)

The following IOCs are associated with known Mustang Panda / Earth Preta campaigns as of April 2026. Defenders should ingest these into SIEM, EDR, and firewall platforms immediately. All network IOCs should be treated as malicious pending investigation.


1. Network & Infrastructure IOCs

Malicious IP Addresses (C2 & Relay Servers):

  • 103.27.108[.]196 — Command-and-Control (C2)
  • 45.142.212[.]100 — PlugX C2
  • 194.165.16[.]77 — LOTUSLITE C2
  • 89.34.111[.]52 — StarProxy relay node

Malicious Domains:

  • update.microsofts-cdn[.]com — Typosquatting domain
  • cdn.windowsupdatecheck[.]net — Masquerading as Windows updates
  • secure.vparking[.]online — Phishing infrastructure

Suspicious URL Pattern:

  • /api/v2/update?id=[base64] — Associated with PlugX beacon communication.

2. File-Based & Host IOCs

Malicious Dropper Files (LNK Lures):

  • Meeting_Notes.doc.lnk
  • Venezuela_Policy_Brief_2026.pdf.lnk

DLL Side-Loading Components:

  • vlc.exe — Legitimate binary used as sideloading vector
  • libvlc.dll — Malicious PlugX loader
  • msvcr100.dll — Malicious TONESHELL loader

Backdoors & Worms:

  • svchost32.exe — LOTUSLITE backdoor
  • autorun.inf + system~1.exe — SnakeDisk USB worm

File Hash (Example):

  • PlugX SHA-256: a3f7b82c…d4e91bc0

3. Persistence Mechanisms

Registry Keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "WindowsUpdate" = C:\ProgramData\vlc\vlc.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Scheduled Task:

  • \Microsoft\Windows\WindowsUpdate\Automatic App Update (malicious variant)
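As an added example (not part of the original report), here is a Python matcher that refangs the network indicators listed above and scans log lines for the C2 addresses, the PlugX beacon URL pattern, double-extension LNK lure names, and Run-key values pointing under ProgramData. The key=value log format and the sample events are constructed; the indicator values themselves are copied from the lists above.

```python
import re

# IOC set copied from the lists above, still defanged as the page gives them.
DEFANGED_IOCS = [
    "103.27.108[.]196", "45.142.212[.]100", "194.165.16[.]77", "89.34.111[.]52",
    "update.microsofts-cdn[.]com", "cdn.windowsupdatecheck[.]net",
    "secure.vparking[.]online",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the literal form that appears in logs."""
    return ioc.replace("[.]", ".")

IOCS = {refang(i) for i in DEFANGED_IOCS}

# PlugX beacon pattern from the IOC list: /api/v2/update?id=<base64>
BEACON_RE = re.compile(r"/api/v2/update\?id=[A-Za-z0-9+/]{8,}={0,2}(?=\s|$)")
# Double-extension LNK lures such as Meeting_Notes.doc.lnk
LURE_RE = re.compile(r"\b[\w-]+\.(?:docx?|pdf|xlsx?)\.lnk\b", re.IGNORECASE)
# Run/RunOnce value whose target lives under ProgramData (the vlc.exe persistence above)
RUNKEY_RE = re.compile(r"CurrentVersion\\Run(?:Once)?\b.*?[=:]\s*C:\\ProgramData\\", re.IGNORECASE)

def scan_line(line: str) -> list[str]:
    """Return labels for every indicator matched in one log line (empty list if clean)."""
    # Tokenise on characters that cannot occur inside an IP or hostname so that
    # "dst=103.27.108.196" yields the bare value for an exact-match set lookup.
    tokens = set(re.findall(r"[A-Za-z0-9.\-]+", line))
    hits = [f"ioc:{i}" for i in sorted(IOCS & tokens)]
    if BEACON_RE.search(line):
        hits.append("beacon-url")
    if LURE_RE.search(line):
        hits.append("lnk-lure")
    if RUNKEY_RE.search(line):
        hits.append("programdata-runkey")
    return hits

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> labels for every line that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}

# Constructed sample events (not real telemetry): proxy log lines plus Sysmon
# file-create (ID 11) and registry-set (ID 13) records flattened to key=value text.
SAMPLE_LOG = [
    r"2026-04-02T10:14:07Z proxy src=10.0.5.21 dst=103.27.108.196 host=update.microsofts-cdn.com url=/api/v2/update?id=dXNlcjEyMw== status=200",
    r"2026-04-02T10:15:30Z proxy src=10.0.5.22 dst=203.0.113.5 host=www.example.com url=/favicon.ico status=200",
    r"2026-04-02T10:16:02Z sysmon EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\jdoe\Downloads\Venezuela_Policy_Brief_2026.pdf.lnk",
    r"2026-04-02T10:16:40Z sysmon EventID=13 Image=C:\ProgramData\vlc\vlc.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate Details=C:\ProgramData\vlc\vlc.exe",
]
```

`scan(SAMPLE_LOG)` flags lines 0, 2 and 3 and leaves the benign proxy line untouched; the same functions can be fed straight from a SIEM export one line at a time.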

06. Business Impact Analysis

1. Loss of Intellectual Property

Attackers steal sensitive information such as policy documents, research data, negotiation details, and internal communications. For governments, this weakens diplomatic power; for NGOs and think tanks, it exposes confidential networks and sources.

2. Operational Disruption

Although disruption is not the main goal, responding to an intrusion — through forensic analysis, rebuilding systems, and isolating networks — causes major downtime. USB-based infections in air-gapped systems can be especially costly to remediate.

3. Supply Chain Contagion

Compromised organizations can unintentionally spread the attack to partners, vendors, or clients. A single infected system with shared access (such as VPN connections) can expose multiple connected organizations.

4. Financial & Legal Consequences

Data breaches can lead to regulatory penalties and legal obligations, especially in regions with strict data protection laws. Failure to detect and report incidents quickly increases financial risk.

5. Erosion of Trust

Discovery of espionage damages reputation and trust among partners, stakeholders, and the public. For government and diplomatic organizations, this can affect long-term relationships and intelligence-sharing.

6. Strategic Intelligence Loss

The most serious impact is the loss of confidential decision-making advantage. When attackers access internal communications, they gain insight into strategies before actions are taken — giving them long-term strategic advantage.

Key Takeaways — Mustang Panda / Earth Preta

Mustang Panda is a highly persistent state-sponsored threat actor that conducts long-term cyber espionage using spear-phishing, DLL side-loading, USB propagation, and custom malware to infiltrate government and diplomatic networks, maintain stealthy access, and steal sensitive strategic intelligence over extended periods.