Date: 06/10/2026
Severity: High
Summary
This advisory covers a Mustang Panda campaign that delivers the PlugX RAT through a multi-stage infection chain starting with a malicious LNK file and a PowerShell loader. The attack uses DLL sideloading, encrypted shellcode, API hashing, and in-memory execution to evade detection and complicate analysis. The final PlugX payload establishes persistent access and communicates with its command-and-control (C2) infrastructure over HTTPS. The campaign demonstrates Mustang Panda's continued use of sophisticated, layered malware delivery mechanisms targeting government and diplomatic entities.
Indicators of Compromise (IOC) List
IP Address: 45.251.243.210
Hash (SHA-256):
79af67ed343bc45b6a19e4836ebb83f1130243ff98f48465f9a7a807ba4bfa91
106f46375d8497d353c22c98f72ab15a9bb87beba4585d5a492fd11edc288b0b
4cd81d26289c4d8383a0ffa34397f0b03941554eac04f1b420269b831accf90e
d4bc21e12360af2f2cb55872a90b62805150d498c452b2b1c6a05a806cbb3187
b52c484a3cc383dd3b4dc79c207946b603a810edf74bff76dca7ad29d4de4167
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: dstipaddress IN ("45.251.243.210") or srcipaddress IN ("45.251.243.210")
Detection Query 2: sha256hash IN ("79af67ed343bc45b6a19e4836ebb83f1130243ff98f48465f9a7a807ba4bfa91","d4bc21e12360af2f2cb55872a90b62805150d498c452b2b1c6a05a806cbb3187","4cd81d26289c4d8383a0ffa34397f0b03941554eac04f1b420269b831accf90e","b52c484a3cc383dd3b4dc79c207946b603a810edf74bff76dca7ad29d4de4167","106f46375d8497d353c22c98f72ab15a9bb87beba4585d5a492fd11edc288b0b")
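The following is an added example, not part of the advisory or of Gurucul's product: it replays the two detection queries above as plain Python over a handful of constructed log lines, so the matching logic can be checked outside the platform. The key=value log format, the field names other than those used in the queries, and all sample events are assumptions; the IOC values are the ones published in this advisory. It goes slightly beyond the queries by normalising hash case and reporting which query and field fired.

```python
"""Added example (not from the advisory): replay the two Gurucul TDIR
detection queries above as plain Python over constructed log lines."""

# IOC values copied from the advisory; nothing else on this page is used.
IOC_IPS = {"45.251.243.210"}
IOC_SHA256 = {
    "79af67ed343bc45b6a19e4836ebb83f1130243ff98f48465f9a7a807ba4bfa91",
    "106f46375d8497d353c22c98f72ab15a9bb87beba4585d5a492fd11edc288b0b",
    "4cd81d26289c4d8383a0ffa34397f0b03941554eac04f1b420269b831accf90e",
    "d4bc21e12360af2f2cb55872a90b62805150d498c452b2b1c6a05a806cbb3187",
    "b52c484a3cc383dd3b4dc79c207946b603a810edf74bff76dca7ad29d4de4167",
}

# Constructed sample events in a simple key=value format (assumed, not a
# real product log). Field names follow the advisory's queries; the hosts,
# timestamps, paths and the 203.0.113.7 address are made up for the example.
SAMPLE_LOG = r"""
ts=2026-06-10T08:12:01Z type=netflow srcipaddress=10.20.30.40 dstipaddress=45.251.243.210 dstport=443
ts=2026-06-10T08:12:05Z type=netflow srcipaddress=10.20.30.41 dstipaddress=203.0.113.7 dstport=443
ts=2026-06-10T08:13:22Z type=file host=WS-017 sha256hash=79AF67ED343BC45B6A19E4836EBB83F1130243FF98F48465F9A7A807BA4BFA91 path=C:\Users\alice\Downloads\sample.bin
ts=2026-06-10T08:14:00Z type=file host=WS-017 sha256hash=0000000000000000000000000000000000000000000000000000000000000000 path=C:\Windows\System32\notepad.exe
ts=2026-06-10T08:15:30Z type=netflow srcipaddress=45.251.243.210 dstipaddress=10.20.30.40 dstport=443
"""


def parse_event(line):
    """Split one 'k=v k=v' line into a dict (values contain no spaces)."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def match_event(event):
    """Return (query, field, ioc) for every IOC the event touches.

    Query 1 checks both directions, so an inbound and an outbound flow to
    the C2 address both match. Query 2 compares SHA-256 case-insensitively,
    because sensors disagree on hex case and a raw IN() would miss uppercase.
    """
    hits = []
    for field in ("srcipaddress", "dstipaddress"):
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(("Detection Query 1", field, value))
    digest = event.get("sha256hash", "").lower()
    if digest in IOC_SHA256:
        hits.append(("Detection Query 2", "sha256hash", digest))
    return hits


def scan(log_text):
    """Return [(line_no, event, hits)] for lines matching at least one IOC."""
    alerts = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        event = parse_event(line)
        hits = match_event(event)
        if hits:
            alerts.append((line_no, event, hits))
    return alerts


if __name__ == "__main__":
    for line_no, event, hits in scan(SAMPLE_LOG):
        for query, field, ioc in hits:
            print(f"line {line_no}: {query} matched {field}={ioc} "
                  f"(ts={event.get('ts')})")
```

Running the script flags lines 1 and 5 (outbound and inbound traffic with the listed address) and line 3 (a file whose uppercase SHA-256 equals one of the listed hashes); the two benign events produce nothing. When porting this back to a SIEM, confirm that its hash field is stored in a single case or that the comparison is case-insensitive, otherwise Query 2 silently misses events.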
Reference:
https://bluecyber.hashnode.dev/mustang-panda-x-plugx-analysis-of-the-january-2026-sample-a-multi-layer-execution-chain