Threat Feed
medium threat

Mustang Panda USB-Borne Tool Execution

This brief details detection of executables associated with Mustang Panda being launched from non-standard locations, potentially indicating compromise via USB or other removable media.

This threat brief covers the detection of potential Mustang Panda intrusions through the execution of known malicious or side-loaded executables from atypical locations, specifically external or USB drives. The detection logic flags process-creation events in which an executable known to be used by the Mustang Panda APT runs from a path outside the standard C:\ drive. The original detection logic was published on 2026-04-13. Because the logic keys on the drive letter rather than on the media type, it will also match fixed data drives, mapped network drives and UNC paths, so defenders should adjust it to their own system configurations and drive mappings and tune out drives that are legitimately in use. The brief highlights the importance of monitoring suspicious process execution from removable media, a common initial access vector for threat actors such as Mustang Panda.

Attack Chain

  1. The attacker gains initial access by delivering malware on a USB drive or other external storage device. (T1091, Replication Through Removable Media; note that the rule metadata in this brief tags this step as T1020, which in ATT&CK is Automated Exfiltration, not an initial access technique.)
  2. The user unknowingly launches an executable from the USB drive, initiating the infection. (T1204.002)
  3. The launched executable is frequently a legitimate, often signed, binary with a benign-looking name that loads a malicious DLL placed beside it on the drive (DLL side-loading). (T1574.001)
  4. The side-loaded DLL then executes malicious code within the context of the legitimate process, so the process name alone looks trustworthy; the launch path is what gives it away.
  5. The malicious process attempts to establish persistence on the compromised system.
  6. The malware gathers system information and potentially exfiltrates it to a command-and-control server.
  7. Lateral movement may occur to other systems within the network.
  8. The final objective is data theft and espionage.

Impact

A successful attack could lead to the compromise of sensitive data, intellectual property theft, and disruption of critical business operations. While the specific number of victims is unknown, Mustang Panda has been linked to targeting government agencies and opposition groups. The use of USB drives as an attack vector poses a significant risk, especially in environments with weak endpoint security controls.

Recommendation

  • Deploy the Sigma rules provided in this brief to your SIEM to detect the execution of known Mustang Panda tools from non-standard paths.
  • Implement policies to restrict the use of unauthorized USB drives within your organization.
  • Educate users about the risks associated with executing files from untrusted sources, especially external storage devices.
  • Investigate and validate any alerts generated by the Sigma rules, focusing on the process_path (is the drive removable media or a temp directory, or a mapped or fixed data drive that should be tuned out?), parent_process_name (explorer.exe is consistent with a user double-click; an Office or browser process suggests a delivered file) and dest (which host is affected) fields.

Detection coverage (2 rules)

Detect Mustang Panda Tool Execution from Non-C Drive

medium

Detects known executables used by Mustang Panda being launched from a non-C:\ location.

Format: Sigma | Tactics: execution, initial_access | Techniques: T1020, T1204.002, T1574.001 | Log source: windows / process_creation

Detect Mustang Panda Tool Execution from Temp Directory

medium

Detects known executables used by Mustang Panda being launched from the temp directory.

Format: Sigma | Tactics: execution, initial_access | Techniques: T1020, T1204.002, T1574.001 | Log source: windows / process_creation

Detection queries are kept inside the platform.
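The following is an added example, not the platform's rules or any Mustang Panda tooling: it re-implements the shape of the two detections above (watched executable launched from a non-C: drive, and from a temp directory) over constructed Sysmon-style process_creation events, and emits the process_path, parent_process_name and dest fields the Recommendation section tells analysts to validate. The image names in WATCHLIST are hypothetical placeholders, since the real tool names live inside the platform's rule store; the allowed-drive set is likewise an assumption that stands in for the per-environment tuning the brief calls for, and the sample events are constructed, not real telemetry.

```python
"""Added example (not the platform's rules): the brief's two detections
re-implemented over constructed Sysmon-style process_creation events."""
import ntpath
import re
from typing import Iterable, Optional

# Assumption: placeholder image names. The real rules key on Mustang Panda
# tool names kept inside the platform; substitute those here.
WATCHLIST = {"sidecar.exe", "updater.exe"}

# Assumption: the only drive treated as "standard". The brief warns that this
# must be tuned where fixed data drives or mapped drives use other letters.
DEFAULT_ALLOWED_DRIVES = frozenset({"C:"})

# Common Windows temp locations, matched case-insensitively against the image path.
TEMP_PATTERNS = (
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"^[a-z]:\\temp\\", re.I),
)


def drive_of(image: str) -> str:
    """'E:' for drive-letter paths, '\\\\server\\share' for UNC paths, '' otherwise."""
    return ntpath.splitdrive(image)[0].upper()


def is_watched(image: str) -> bool:
    return ntpath.basename(image).lower() in WATCHLIST


def is_temp_path(image: str) -> bool:
    return any(p.match(image) for p in TEMP_PATTERNS)


def _alert(rule: str, event: dict) -> dict:
    # The fields the brief tells analysts to validate first.
    return {
        "rule": rule,
        "process_path": event["Image"],
        "parent_process_name": ntpath.basename(event.get("ParentImage", "")),
        "dest": event["Computer"],
        "user": event.get("User", ""),
    }


def detect_non_c_drive(event: dict, allowed_drives=DEFAULT_ALLOWED_DRIVES) -> Optional[dict]:
    """Watched image launched from a drive other than the allowed ones. This catches
    removable media, but also UNC shares and any mapped drive, hence the tuning knob."""
    image = event["Image"]
    if not is_watched(image) or drive_of(image) in allowed_drives:
        return None
    return _alert("Mustang Panda tool execution from non-C drive", event)


def detect_temp_dir(event: dict) -> Optional[dict]:
    """Watched image launched from a temp directory on any drive."""
    image = event["Image"]
    if not is_watched(image) or not is_temp_path(image):
        return None
    return _alert("Mustang Panda tool execution from temp directory", event)


def run(events: Iterable[dict], allowed_drives=DEFAULT_ALLOWED_DRIVES) -> list:
    """Apply both rules to every process_creation (Sysmon EventID 1) event."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        for hit in (detect_non_c_drive(ev, allowed_drives), detect_temp_dir(ev)):
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "E:\\Photos\\sidecar.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Vendor\\sidecar.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"EventID": 1, "Computer": "WS03", "User": "CORP\\carol",
     "Image": "\\\\fileserver\\share\\tools\\updater.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Computer": "WS04", "User": "CORP\\dave",
     "Image": "D:\\Data\\updater.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "E:\\Photos\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Computer": "WS05", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\Temp\\SIDECAR.EXE", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 3, "Computer": "WS01", "Image": "E:\\Photos\\sidecar.exe"},  # network event, ignored
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a['dest']:5} {a['rule']:<52} {a['process_path']} (parent {a['parent_process_name']})")
```

Run as-is, the non-C rule fires on the E: drive launch, the UNC share launch and the D: data-drive launch, and the temp rule fires on the two temp-directory launches; the same binary under C:\Program Files and an unwatched binary on E: are ignored. Passing allowed_drives={"C:", "D:"} drops the D: alert, which is the per-environment tuning the brief describes; the UNC and mapped-drive hits show why the tuning matters before the rule goes to production.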