Chinese APT Mustang Panda Debuts 4 New Attack Tools - Dark Reading
The notorious nation-state-backed threat actor has added two new keyloggers, a lateral movement tool, and an endpoint detection and response (EDR) evasion driver to its arsenal.
Nate Nelson, Contributing Writer
April 18, 2025
3 Min Read
One of China's major state-funded espionage groups has created or otherwise upgraded various malware programs, signaling a notable arsenal refresh that defenders need to be aware of.
Mustang Panda (aka Bronze President, Stately Taurus, and TA416) is an advanced persistent threat (APT) believed to be sponsored by the People's Republic of China (PRC). It has long been known for spying on targets of interest to the PRC, including military and government organizations, nongovernmental organizations (NGOs), think tanks, minority groups, and corporations in major industries, primarily around East and Southeast Asia but also in the West.
Recently, the group attacked an organization based in Myanmar. In the process, researchers from Zscaler uncovered four previously unknown attack tools the group is now using. They include two keyloggers, a tool for facilitating lateral movement, and a driver used to evade endpoint detection and response (EDR) software. The group has also upgraded its signature backdoor, "ToneShell."
Mustang Panda's Retooled Malware Arsenal
Mustang Panda has always been relatively creative in its means of delivering malware. At times it has broken ground with new tactics, techniques, and procedures (TTPs), and at other times it has thought outside of the box to bring back old ones.
Its latest attacks appear to be less novel in this regard, relying on the popular Chinese tactic of sideloading dynamic link libraries (DLLs). However, instead of defaulting to the tools common to other Chinese actors, Mustang Panda has been developing an entirely new toolset of its own.
Among its new malware tools are two keyloggers, PAKLOG and CorKLOG. Each is relatively straightforward, with PAKLOG capturing both keystrokes and clipboard data, and CorKLOG putting an extra emphasis on persistence and encryption of logged data. Both tools save logged data to local files, but neither possesses any direct, automated command-and-control (C2) capabilities to actually exfiltrate it. The attackers might be retrieving their stolen data with hands-on-keyboard activity, or via other exfiltration tools.
One tool they might use to grab that data is the group's known backdoor, "ToneShell." Mustang Panda has made frequent use of ToneShell over the years, and the newest, third version includes a couple of tweaks to how it identifies infected machines and how it communicates with C2 infrastructure.
Both ToneShell and a new proxy tool, "StarProxy," make use of FakeTLS to conceal malicious activity. FakeTLS is a communications protocol designed to mimic legitimate Transport Layer Security (TLS) traffic, so that shell commands and responses can blend in with normal network activity. StarProxy's main job is to facilitate lateral spread post-compromise, leveraging one compromised host to connect to many others in a network, including those which may not otherwise be connected to the internet.
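One defensive heuristic the FakeTLS description points to is checking whether a stream that opens with a TLS record header actually carries a structurally valid ClientHello, since a wrapper that only borrows TLS framing will not. This is an added example, not code from the article or from Zscaler; it assumes nothing about Mustang Panda's real FakeTLS framing beyond what the article states, and the sample records are constructed.

```python
# Added example (not from the article or Zscaler): a structural check that a
# stream opening with a TLS record header really carries a TLS ClientHello.
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01

def check_first_record(data: bytes) -> tuple[bool, str]:
    """Return (looks_like_real_tls, reason) for the first bytes a client sends."""
    if len(data) < 5:
        return False, "too short for a TLS record header"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE or major != 3 or minor > 4:
        return False, "not a TLS handshake record header"
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        return False, "record length does not match payload"
    if rec_len < 4 or body[0] != CLIENT_HELLO:
        return False, "first handshake message is not ClientHello"
    if int.from_bytes(body[1:4], "big") != rec_len - 4:
        return False, "handshake length disagrees with record length"
    if rec_len < 39:  # 4 hs header + 2 version + 32 random + 1 session-id len
        return False, "ClientHello body too short"
    off = 39 + body[38]                      # skip the session id
    if off + 2 > rec_len:
        return False, "session id overruns record"
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + cs_len
    if cs_len == 0 or cs_len % 2 or off + 1 > rec_len:
        return False, "cipher suite list malformed"
    comp_len = body[off]
    off += 1 + comp_len
    if comp_len == 0 or off > rec_len:
        return False, "compression list malformed"
    return True, "structurally valid ClientHello"

def minimal_client_hello() -> bytes:
    """Constructed sample: TLS 1.2 ClientHello, two suites, no extensions."""
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x04\x13\x01\x13\x02" + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed FakeTLS-style samples: a handshake header wrapping opaque data,
# and a forged ClientHello header whose lengths do not agree.
FAKE_OPAQUE = b"\x16\x03\x01\x00\x10" + b"FAKE-TLS-PAYLOAD"
FAKE_LENGTHS = b"\x16\x03\x03\x00\x08" + b"\x01\x00\x00\x20" + b"\x00" * 4

if __name__ == "__main__":
    for name, sample in [("real", minimal_client_hello()), ("opaque", FAKE_OPAQUE), ("lengths", FAKE_LENGTHS)]:
        print(name, check_first_record(sample))
```

A real deployment would apply this only to the first client record of a flow and treat a failure as a signal to correlate, not as proof of compromise.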
Last but not least, there's "SplatCloak," a driver which Mustang Panda uses to handicap Windows Defender and Kaspersky antivirus software. It does this by identifying and disabling the callbacks these programs make at the kernel level, preventing them from effectively flagging otherwise suspicious activity that different Mustang Panda malware might be carrying out on the same machine. Unlike those other user-mode malware tools, SplatCloak has to be dropped with "SplatDropper," a utility that deletes itself after it serves this one purpose.
In summary, Zscaler wrote in its blog post, "Mustang Panda demonstrates a calculated approach to achieving their objectives. Continuous updates, new tooling, and layered obfuscation prolong the group's operational security and improve the efficacy of attacks."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.