Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Worried about cyber attacks? CyberCare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts, so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part: 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Deepen Desai
Mustang Panda is of Chinese origin, and traditionally targets government-related entities, military entities, minority groups, and NGOs primarily located in East Asia.
Dave Bittner
That's Deepen Desai, Zscaler's Chief Security Officer and EVP of Cyber and AI Engineering. Today we're looking into their recent work on Mustang Panda's latest campaigns.
Deepen Desai
There were a couple of instances where we also saw them targeting entities in Europe. But the research that we will talk about today is where our analysis started with a couple of machines that were targeted in the Myanmar region, and then as part of that analysis we discovered a lot of new things.
Dave Bittner
Well, let's dig into it together here. I mean, as you mentioned, something prompted your group's attention and interest here. Can you take us through that story? What grabbed your attention, and where did it lead?
Deepen Desai
Yeah, so there were a couple of machines that we were securing that were based out of Myanmar, and this is where we saw a new backdoor, actually a backdoor that was updated by Mustang Panda. The name of the backdoor is ToneShell. The updates that we noticed were changes to its fake TLS command and control communication protocol, as well as some of the methods for creating and storing the infected machine identifiers. So that was one that the team noticed as part of the analysis of the payload. The second thing was a new discovery. This is where the team actually discovered a new lateral movement tool used by Mustang Panda that we have named StarProxy. Again, it leverages a fake TLS protocol to proxy traffic and facilitate attacker communication. But the main objective of the tool is to perform lateral propagation in the environment.
Dave Bittner
Well, let's dig into ToneShell first. What are some of the technical details here? My understanding is that this latest version has enhanced capabilities, or even stealth.
Deepen Desai
Yeah, so the ToneShell variant that we saw in this case is definitely stealthier. It has undergone updated command and control communication protocols, and again that is through fake TLS headers and the encryption methods that they're using. So fake TLS, for those that don't know, basically imitates real TLS traffic. And the goal over there is to basically disguise the protocol and try to evade detection, and then they will leverage some form of encryption, which is what we saw in this case as well, to avoid any kind of pattern-based detection engines that are trying to fingerprint this command and control protocol.
Dave Bittner
Interesting. Well, let's talk about StarProxy. I mean, how does it function within Mustang Panda's operations here?
Deepen Desai
So StarProxy, as I mentioned earlier, is definitely a new tool for lateral movement. It does act as a relay and allows the attacker to use the compromised systems to reach adjacent devices that are harder for the attacker to access directly. So this is where they will target the users or the identity of interest. And the assumption is that from their machine they're able to get to the access that they need, because these accesses are often not publicly exposed either. So this is where the StarProxy tool is being leveraged by the attacker to perform that lateral propagation to the device of interest.
Dave Bittner
I see. So in terms of evasion techniques, what kinds of methods does Mustang Panda use to evade detection with these new tools?
Deepen Desai
So one of them I mentioned, this is where they're imitating TLS-like traffic, that's one; custom encryption methods, that's another. The ToneShell variant 2 also supports DLL code injection. Now this is where basically they will inject the code, and it will run as part of a legitimate process and perform the activity. Now, DLL injection is not new. It's often easy for EDRs and antivirus to detect. But this is where we also saw a few more tools which Mustang Panda is leveraging to maintain persistence. So the tools are a couple of keyloggers, PAKLOG and CorKLOG, and then a specific evasion tool called SplatCloak. This is what it uses to disable some of the functionality of the EDR that would catch what I just described earlier.
Dave Bittner
Interesting. And who are they targeting here? What organizations or sectors seem to be in their sights?
Deepen Desai
So their typical targets are government-related entities, military entities, at times minority groups, NGOs, and again the location is East Asia.
Dave Bittner
We'll be right back. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing, to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. So Mustang Panda's activities seem to be espionage-focused as opposed to making money.
Deepen Desai
That is correct.
Dave Bittner
Yeah. Let's talk about detection and mitigation here. What are your recommendations for organizations to protect themselves?
Deepen Desai
I mean, one thing that is becoming more and more clear, even on the crimeware side as we see today, is that all of these bad guys are following, if I were to simplify, four stages of attack over and over again. Number one is where they find you. This is where they're discovering your external attack surface, whether it's any of your assets that are exposed to the Internet or a user identity that they want to go after. So that's basically identifying your attack surface. The second stage is, well, they will compromise that initially identified asset or identity or user machine. And in that they will use several tools. The third stage, as well, is that they will move laterally, as was evident in the case of this analysis that we published as well. We've seen Cobalt Strike, we've seen many other post-exploitation tools used. In this case we saw a new one, StarProxy, being leveraged. So they will attempt to move laterally from that initially compromised asset. And then the last stage, in the majority of these scenarios, even in the case of espionage, will be to steal data, whether it is selective data or bulk data that they will try to exfil out of the victim organization. So with those four stages in mind, this is where defense in depth becomes important. Yes, we saw them disabling EDR in this case, or EDR functionality, but EDR is still very important. But at the same time, having a solution that is inspecting with full TLS inspection at the network layer is equally important. That's where we as Zscaler help organizations with the Zscaler Zero Trust Exchange, where we're terminating TLS, we're inspecting payloads, we're detonating payloads in controlled environments like a sandbox. And then we also help minimize that lateral propagation risk with proper segmentation getting implemented.
So having that segmentation implemented is equally important, because users will make mistakes, one of the assets may get compromised, and then the final piece is you need to inspect everything that egresses your environment, your machines, your servers, for potential data exfiltration. This is where having an inline DLP solution with full TLS inspection is very important.
Dave Bittner
How do you rate Mustang Panda in terms of their level of sophistication?
Deepen Desai
They are... look, with the tooling that we saw in this, the sophistication continues to get better. They're trying to become more and more stealthy. They're trying to also disable controls on the endpoint. That way they are able to persist longer. So I would say they're improving.
Dave Bittner
I guess it's fair to say that if nothing else, they're well resourced.
Deepen Desai
They are well resourced. Yes.
Dave Bittner
Yeah. So in terms of takeaways for the security professionals in the audience, what sorts of things do you hope they come away with after checking out your research here?
Deepen Desai
Yeah, look, the number one thing is, like I described earlier, both crimeware and nation-state actors will get in from one vector or the other, but their main goal is to get to that privileged or crown jewel system where the information that your brand really cares about exists. So making sure you have that zero trust strategy implemented everywhere will be critical to protect that crown jewel information. The second thing that I would call out is, while we didn't see direct use of AI over here, we are starting to see AI being leveraged across the board by crimeware actors. We even saw that in the recent blockbuster leak, how they are actively discussing leveraging AI across the attack stages. So the second point that I'll call out for the defender is, while there is no AI solution that completely replaces us security professionals, and I don't see that happening in the near future, we must leverage AI to fight AI, and this is where it helps us become more efficient, improve our efficacy, and help us deal with information at scale.
Dave Bittner
Help me understand, you and your colleagues at Zscaler, when you're looking at a group like Mustang Panda, how do you go about measuring their success rate, being able to have a view on how many attempts they're making, how many of those attempts are being thwarted, and what methods are successful on their end? The places that they get in, and then where they get stopped along the way. How do you all measure that?
Deepen Desai
So our visibility does come from our Zscaler Zero Trust Exchange. So as I described, I mean, our main goal is to connect entity A to entity B, and to do that securely. So when a nation-state threat actor or a crimeware operator manages to compromise a machine and then they're trying to do certain things, we have several advanced controls, like sandboxing, where we'll capture a payload and detonate it. In this case, for many of the payloads we have a full detonation report that flags some of the activity it would do on the endpoint. Then we have controls like deception. So these are honeypots that are deployed pretending to be real applications in the environment. That does help flag a lot of this hands-on-keyboard activity, because, as we saw in this case as well, StarProxy is just providing access to a remote threat actor to perform that lateral propagation. Now, if you are able to capture them in one of the decoys, again, we are able to contain that asset from doing any kind of lateral propagation. So there are a lot of these advanced proactive controls that are part of the Zscaler Zero Trust Exchange, which helps thwart these attacks. But then it also provides signals to our global research team, and we basically leverage that learning to share with communities as well as our customers.
Dave Bittner
Our thanks to Deepen Desai, Zscaler's Chief Security Officer, for joining us. The research follows Mustang Panda's latest campaign. We'll have a link in the show notes. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Podcast Summary: CyberWire Daily – "Pandas with a Purpose" [Research Saturday]
Release Date: May 24, 2025
Host: Dave Bittner
Guest: Deepen Desai, Chief Security Officer and EVP of Cyber and AI Engineering at Zscaler
In the May 24, 2025 episode of CyberWire Daily titled "Pandas with a Purpose", host Dave Bittner engages in an in-depth discussion with Deepen Desai from Zscaler. The conversation centers around the cyber threat group Mustang Panda, their latest campaigns, sophisticated tools, and strategies for detection and mitigation.
Deepen Desai begins by outlining Mustang Panda's origins and traditional targets. Mustang Panda is a threat actor group of Chinese origin, primarily targeting government-related entities, military entities, minority groups, and NGOs located in East Asia.
While traditionally focused on East Asia, there have been instances of Mustang Panda targeting entities in Europe as well.
Quote:
"[Deepen Desai, 01:33] Mustang Panda is of Chinese origin, traditionally targeting government-related entities, military entities, minority groups, and NGOs primarily located in East Asia."
Desai delves into Mustang Panda’s recent activities, highlighting the discovery of two significant tools:
ToneShell
Quote:
"[04:12] The ToneShell variant we observed is definitely stealthier, utilizing updated command and control communication protocols through fake TLS headers and encryption methods to evade detection."
StarProxy
Quote:
"[05:13] StarProxy serves as a relay, enabling attackers to use compromised systems to reach adjacent devices, facilitating lateral movement within the network."
Desai provides a technical breakdown of how Mustang Panda enhances its operations:
Fake TLS Traffic:
Imitates legitimate TLS traffic to disguise C2 communications, making it harder for security systems to detect malicious patterns.
Custom Encryption Methods:
Utilizes unique encryption to prevent pattern-based detection by security engines.
DLL Code Injection:
Injects code into legitimate processes to perform malicious activities; DLL injection is not new and is comparatively easy for EDR and antivirus products to detect, which is why the group pairs it with the evasion tooling below.
Persistence Tools:
Employs keyloggers (PAKLOG, CorKLOG) and a dedicated evasion tool, SplatCloak, to disable endpoint detection and response (EDR) functionality.
Quote:
"[06:09] Mustang Panda employs techniques such as imitating TLS traffic, custom encryption methods, and DLL code injection. Additionally, they use tools like PAKLOG, CorKLOG, and SplatCloak to disable EDR functionalities, enhancing their persistence within compromised environments."
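The fake TLS point above is worth making concrete from the defender's side. The episode does not describe ToneShell's actual wire format, so the following is an added, illustrative example and not Zscaler's code or a reconstruction of the malware's protocol: a structural sanity check for the first client-to-server record on a connection. Genuine TLS clients open with a handshake record carrying a ClientHello whose inner lengths agree with the outer record header; traffic that merely wears a TLS record header (for instance, "application data" with no preceding handshake, or a handshake length that contradicts the record length) is worth closer inspection. The sample byte strings are constructed for this example, not captured traffic.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446)
TLS_CHANGE_CIPHER_SPEC, TLS_ALERT, TLS_HANDSHAKE, TLS_APPLICATION_DATA = 20, 21, 22, 23
TLS_CLIENT_HELLO = 1
MAX_RECORD_LEN = 16384 + 2048  # upper bound for a ciphertext fragment


def check_first_client_record(data: bytes) -> list:
    """Return anomaly labels for the first client-to-server TLS record.

    An empty list means the bytes parse as a structurally plausible
    ClientHello record. Any label is a reason to look closer: real clients
    start a session with a handshake, so application data up front, or an
    inner handshake length that contradicts the record header, suggests the
    TLS framing is cosmetic.
    """
    findings = []
    if len(data) < 5:
        return ["record_header_truncated"]
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    if ctype not in (TLS_CHANGE_CIPHER_SPEC, TLS_ALERT, TLS_HANDSHAKE, TLS_APPLICATION_DATA):
        findings.append("unknown_content_type")
    if major != 3 or minor > 4:
        findings.append("implausible_record_version")
    if rlen == 0 or rlen > MAX_RECORD_LEN:
        findings.append("implausible_record_length")
    body = data[5:5 + rlen]
    if len(body) != rlen:
        findings.append("record_length_mismatch")
    if ctype == TLS_APPLICATION_DATA:
        findings.append("application_data_before_handshake")
        return findings
    if ctype != TLS_HANDSHAKE:
        return findings
    if len(body) < 4:
        findings.append("handshake_header_truncated")
        return findings
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    if htype != TLS_CLIENT_HELLO:
        findings.append("first_handshake_not_client_hello")
    if hlen != len(body) - 4:
        findings.append("handshake_length_mismatch")
        return findings
    # ClientHello layout: version(2) random(32) sid_len(1) sid cs_len(2) cs comp_len(1) comp [extensions]
    hello = body[4:]
    if len(hello) < 35:
        findings.append("client_hello_truncated")
        return findings
    if hello[0] != 3:
        findings.append("implausible_client_version")
    pos = 34
    sid_len = hello[pos]
    pos += 1
    if sid_len > 32 or pos + sid_len + 2 > len(hello):
        findings.append("bad_session_id")
        return findings
    pos += sid_len
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len + 1 > len(hello):
        findings.append("bad_cipher_suites")
        return findings
    pos += cs_len
    comp_len = hello[pos]
    pos += 1
    if comp_len == 0 or pos + comp_len > len(hello):
        findings.append("bad_compression_methods")
    return findings


# Constructed samples (not real captures): a minimal well-formed TLS 1.2
# ClientHello record, then two "TLS-looking" blobs that do not hold together.
GENUINE_CLIENT_HELLO = bytes.fromhex(
    "160301" + "002d"      # record header: handshake, version 3.1, length 45
    + "01" + "000029"      # handshake header: ClientHello, length 41
    + "0303"               # client_version = TLS 1.2
    + "00" * 32            # random (zeroed for the example)
    + "00"                 # session_id length 0
    + "0002" + "1301"      # one cipher suite: TLS_AES_128_GCM_SHA256
    + "01" + "00"          # one compression method: null
)
FAKE_APPDATA_FIRST = bytes.fromhex("1703030020") + bytes(range(32))
FAKE_BAD_HANDSHAKE_LEN = bytes.fromhex("160301002d" + "01000020") + bytes(41)

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE_CLIENT_HELLO),
                         ("appdata_first", FAKE_APPDATA_FIRST),
                         ("bad_hs_len", FAKE_BAD_HANDSHAKE_LEN)]:
        print(name, check_first_client_record(sample) or "ok")
```

A check like this is deliberately cheap and only looks at framing, so it belongs in front of, not instead of, full TLS termination and payload inspection; a fake protocol that reproduces a complete handshake would pass it, and the real handshake validation then has to happen where the traffic is actually decrypted.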
Mustang Panda's activities are primarily espionage-focused rather than financially motivated. Their targets include:
Government and Military Entities:
Seeking sensitive information and strategic data.
Minority Groups and NGOs:
Aiming to disrupt or gather intelligence on specific groups.
Quote:
"[10:05] Mustang Panda's activities are espionage-focused rather than financially motivated."
Desai outlines a comprehensive approach for organizations to defend against Mustang Panda’s sophisticated attacks:
Defense in Depth:
Implement multiple layers of security controls to protect against various stages of an attack.
Zero Trust Strategy:
Adopting a zero-trust model to ensure that all access requests are authenticated and authorized, minimizing the attack surface.
TLS Inspection:
Utilize full TLS inspection at the network layer to detect disguised C2 traffic and malicious payloads.
Segmentation:
Properly segmenting networks to restrict lateral movement, making it harder for attackers to propagate once inside.
Data Loss Prevention (DLP):
Inspect all data egressing the environment to prevent unauthorized data exfiltration.
Advanced Controls via Zscaler Zero Trust Exchange:
Terminates TLS, inspects and detonates payloads in a sandbox, and enforces segmentation to limit lateral propagation.
Quote:
"[10:14] Implementing a zero-trust strategy, conducting full TLS inspections, proper network segmentation, and deploying inline DLP solutions are critical in defending against Mustang Panda’s tactics."
Mustang Panda continues to evolve in sophistication, focusing on stealth and persistence:
Tool Enhancements:
Regular updates to their tools like ToneShell and the introduction of StarProxy demonstrate their commitment to evading detection.
Resource-Intensive Operations:
The group is well-resourced, allowing them to develop and deploy advanced tools effectively.
Quote:
"[12:48] Mustang Panda's sophistication is increasing as they enhance their tools to become stealthier and disable endpoint controls, enabling longer persistence within targeted networks."
Desai emphasizes key strategies for defenders:
Adopt Zero Trust Everywhere:
Critical for protecting crown jewel assets that are the primary targets of sophisticated threat actors.
Leverage AI in Security Operations:
While AI does not replace human security professionals, it enhances efficiency and efficacy in managing large-scale information and combating AI-driven threats.
Quote:
"[13:29] Implementing a zero-trust strategy and leveraging AI to fight AI are essential. While AI cannot replace security professionals, it significantly aids in managing and mitigating advanced threats."
Desai elaborates on how Zscaler’s Zero Trust Exchange contributes to thwarting Mustang Panda’s attacks:
Secure Connectivity:
Ensures secure connections between entities, minimizing the risk of unauthorized access.
Advanced Threat Controls:
Features like sandboxing, deception, and inline DLP help detect and contain malicious activities.
Global Research Integration:
Continuous learning from threat signals helps Zscaler and its customers stay ahead of evolving threats.
Quote:
"[15:24] Zscaler's Zero Trust Exchange connects entities securely, employs advanced controls like sandboxing and deception, and integrates global threat intelligence to protect against sophisticated attacks like those from Mustang Panda."
The episode concludes with remarks on the persistent and evolving nature of threats posed by groups like Mustang Panda. The discussion underscores the necessity for robust, multi-layered security strategies and the integration of advanced tools and AI to effectively combat sophisticated cyber threats.
Quote:
"[17:01] Our thanks to Deepen Desai, Zscaler's Chief Security Officer, for joining us. The research follows Mustang Panda's latest campaign."
Produced by: Liz Stokes
Mixed by: Elliot Peltzman and Trey Hester
Executive Producer: Jennifer Ibin
Publisher: Peter Kilpe
Host: Dave Bittner