Chinese hacking group Mustang Panda has returned with a new wave of cyber tools, according to a report by cybersecurity firm Zscaler. The group, known for targeting governments and NGOs in Asia and Europe, recently hit an organization in Myanmar using updated malware and stealthy tactics.
Mustang Panda—also called Basin, Bronze President, Earth Preta, and Red Delta—has operated for over a decade. The group is state-sponsored and often focuses on espionage. In the U.S., it previously infected over 4,000 systems with PlugX malware. That campaign ended earlier this year when the FBI and French police wiped the malware using its own self-delete feature.
But the threat actor is not slowing down. Zscaler’s research shows that Mustang Panda is now using an upgraded version of its ToneShell backdoor, along with new tools called StarProxy, Paklog, Corklog, and a stealth driver known as SplatCloak.
In the recent attack, the group used a technique called DLL sideloading to hide its tools: a legitimate, trusted executable is made to load a malicious DLL placed next to it, so the malicious code runs under the cover of a benign process. Each archive contains both the malicious DLL and the legitimate executable that loads it.
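The pairing described above (a legitimate executable plus a malicious DLL in the same user-writable folder) leaves a recognisable trace in image-load telemetry. The following added example, which is not from the article or from Zscaler's tooling, flags sideloading candidates in Sysmon-style Event ID 7 records: an unsigned DLL loaded from the loading executable's own directory under a user-writable path, or a DLL carrying a well-known Windows system DLL name but loaded from outside the system directories. The log lines, the list of user-writable roots and the small set of commonly hijacked DLL names are constructed for illustration and are not indicators from this campaign.

```python
"""Flag DLL-sideloading candidates in Sysmon-style image-load (Event ID 7) events.

Added example for this article; not Zscaler's code and not tied to ToneShell.
The sample events and the name lists below are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# key=value pairs separated by spaces; values (paths) may themselves contain
# spaces, so each value runs lazily up to the next " Key=" or end of line.
_KV = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')

# Constructed: roots a normal user can write to, and the Windows system dirs.
USER_WRITABLE_ROOTS = ('c:\\users\\', 'c:\\programdata\\', 'c:\\windows\\temp\\')
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
# Constructed, deliberately short list of system DLLs that applications load by
# name; a copy found outside the system directories deserves a closer look.
COMMON_SYSTEM_DLLS = {'version.dll', 'dbghelp.dll', 'wtsapi32.dll', 'cryptbase.dll', 'userenv.dll'}

# Constructed sample events (Sysmon field names; the values are invented).
SAMPLE_EVENTS = [
    'EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\bundle\\updater.exe '
    'ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\bundle\\version.dll '
    'Signed=false SignatureStatus=Unavailable',
    'EventID=7 Image=C:\\Windows\\System32\\svchost.exe '
    'ImageLoaded=C:\\Windows\\System32\\kernel32.dll '
    'Signed=true SignatureStatus=Valid',
    'EventID=7 Image=C:\\Program Files\\Vendor\\app.exe '
    'ImageLoaded=C:\\Program Files\\Vendor\\plugin.dll '
    'Signed=true SignatureStatus=Valid',
    'EventID=7 Image=C:\\Users\\alice\\Downloads\\report\\viewer.exe '
    'ImageLoaded=C:\\Users\\alice\\Downloads\\report\\libcurl.dll '
    'Signed=false SignatureStatus=Unavailable',
]


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {k: v for k, v in _KV.findall(line)}


def sideload_reasons(ev):
    """Return the list of reasons this image-load looks like DLL sideloading."""
    exe = PureWindowsPath(ev.get('Image', ''))
    dll = PureWindowsPath(ev.get('ImageLoaded', ''))
    if dll.suffix.lower() != '.dll':
        return []
    exe_dir = str(exe.parent).lower() + '\\'
    dll_dir = str(dll.parent).lower() + '\\'
    same_dir = exe_dir == dll_dir
    in_user_dir = dll_dir.startswith(USER_WRITABLE_ROOTS)
    unsigned = (ev.get('Signed', '').lower() != 'true'
                or ev.get('SignatureStatus', '').lower() != 'valid')
    reasons = []
    if same_dir and in_user_dir and unsigned:
        reasons.append("unsigned DLL loaded from the executable's own user-writable directory")
    if dll.name.lower() in COMMON_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f'{dll.name} loaded from outside the Windows system directories')
    return reasons


def find_sideload_candidates(lines):
    """Scan image-load events and return the ones worth an analyst's attention."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') != '7':
            continue
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append({'image': ev['Image'], 'dll': ev['ImageLoaded'], 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit['image'], '->', hit['dll'])
        for r in hit['reasons']:
            print('   ', r)
```

Both heuristics produce benign hits on their own (installers unpacking into Temp, vendor apps shipping a private copy of a runtime DLL), so in practice the output is a triage queue rather than an alert; the combination of a user-writable path, a freshly extracted archive and a DLL name the executable's legitimate copy never ships with is what narrows it down.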
ToneShell, a core tool in the group’s kit, acts as a second-stage backdoor. It allows attackers to manage files and launch more malware after gaining access. Zscaler found three new ToneShell versions, each using a FakeTLS protocol for command-and-control communication: traffic framed to look like TLS without being a genuine TLS session. This helps the malware blend in with ordinary encrypted traffic and bypass network defenses.
Another new tool, StarProxy, was built to move through networks after the initial infection. It tunnels traffic between infected machines and remote servers using TCP and the FakeTLS protocol. Zscaler believes the hackers use StarProxy to reach systems that are not directly online.
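Both ToneShell's command-and-control channel and StarProxy's tunnelling rely on FakeTLS, so a network defender's question is how such traffic differs from real TLS. The added example below, written for this article and not derived from Zscaler's analysis, applies a generic structural check to the first record of a connection: real TLS begins with a handshake record carrying a ClientHello whose internal lengths are consistent, whereas a fake framing typically puts a TLS record header over an opaque payload. The exact framing ToneShell and StarProxy use is not described in this article, so the "fake" samples are constructed to illustrate the general pattern, and the verdict names are the example's own.

```python
"""Heuristic check: does the first record on a connection look like real TLS?

Added example for this article; it is not a ToneShell/StarProxy parser and the
sample records below are constructed. Verdicts:
  'tls-handshake'    first record is a structurally plausible ClientHello
  'fake-tls-suspect' TLS record header present, but the contents do not
                     behave like a TLS handshake (the FakeTLS pattern)
  'tls-record'       plausible record, but not the first one, so no verdict
  'not-tls'          not a TLS record header at all
"""

_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data


def _plausible_client_hello(body):
    """Walk the ClientHello fields and check that the length fields add up."""
    if len(body) < 2 + 32 + 1 + 2 + 1:      # version, random, sid len, suites len, comp len
        return False
    if body[0] != 3 or not 1 <= body[1] <= 4:   # client_version 3.1 .. 3.4
        return False
    pos = 34                                   # skip version + 32-byte random
    sid_len = body[pos]
    pos += 1
    if sid_len > 32 or pos + sid_len + 2 > len(body):
        return False
    pos += sid_len
    suites_len = int.from_bytes(body[pos:pos + 2], 'big')
    pos += 2
    if suites_len == 0 or suites_len % 2 or pos + suites_len + 1 > len(body):
        return False
    pos += suites_len
    comp_len = body[pos]
    pos += 1
    return comp_len != 0 and pos + comp_len <= len(body)


def classify_record(data, first_record=True):
    """Classify one complete TLS-looking record (header + body)."""
    if len(data) < 5:
        return 'not-tls'
    ctype, major, minor = data[0], data[1], data[2]
    rlen = int.from_bytes(data[3:5], 'big')
    if ctype not in _CONTENT_TYPES or major != 3 or not 1 <= minor <= 4 or rlen != len(data) - 5:
        return 'not-tls'
    body = data[5:]
    if ctype == 0x16:                           # handshake record
        if len(body) < 4:
            return 'fake-tls-suspect'
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], 'big')
        if hs_len != len(body) - 4:             # handshake length must fill the record
            return 'fake-tls-suspect'
        if first_record and (hs_type != 1 or not _plausible_client_hello(body[4:])):
            return 'fake-tls-suspect'
        return 'tls-handshake'
    if first_record:
        # Application data, alert or CCS before any handshake never happens in TLS.
        return 'fake-tls-suspect'
    return 'tls-record'


def build_client_hello():
    """Constructed minimal TLS 1.2 ClientHello: one cipher suite, no extensions."""
    hello = b'\x03\x03' + b'\x11' * 32 + b'\x00' + b'\x00\x02\xc0\x2f' + b'\x01\x00'
    handshake = b'\x01' + len(hello).to_bytes(3, 'big') + hello
    return b'\x16\x03\x01' + len(handshake).to_bytes(2, 'big') + handshake


# Constructed samples: a real-looking ClientHello, two FakeTLS-style framings
# (opaque bytes under an application-data header, and under a handshake header
# whose inner length field is wrong), and plain HTTP.
_OPAQUE = bytes(range(40))
SAMPLES = {
    'client_hello': build_client_hello(),
    'fake_appdata_first': b'\x17\x03\x03' + len(_OPAQUE).to_bytes(2, 'big') + _OPAQUE,
    'fake_handshake_header': b'\x16\x03\x01' + len(_OPAQUE).to_bytes(2, 'big') + _OPAQUE,
    'http': b'GET / HTTP/1.1\r\n',
}


def scan_samples():
    """Classify every sample as the first record of its connection."""
    return {name: classify_record(rec) for name, rec in SAMPLES.items()}


if __name__ == '__main__':
    for name, verdict in scan_samples().items():
        print(f'{name:24s} {verdict}')
```

The check is deliberately narrow: it only catches framings that borrow the record header without performing a handshake, and it says nothing about a later record in isolation (`classify_record(rec, first_record=False)` returns `tls-record` for the same opaque payload). Backdoors that wrap their channel in a genuine TLS session pass it, which is why this belongs alongside JA3/JA4 fingerprinting and certificate inspection rather than in place of them.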
The group also added two keyloggers—Paklog and Corklog. Paklog uses Windows tools to log keystrokes and track clipboard activity. It stores this data on the local machine but doesn’t send it anywhere. Corklog, on the other hand, encrypts the stolen data and creates tasks or services to stay active on the system.
To disable security software, the hackers deployed SplatCloak, a custom driver delivered through a tool called SplatDropper. SplatCloak turns off Windows Defender and Kaspersky protection, removes system alerts, and hides itself by resolving the Windows functions it needs at runtime rather than importing them statically.
Zscaler says the use of ToneShell and the technical design of these new tools match previous Mustang Panda malware. Shared features include RC4 encryption, control flow flattening, and mixed boolean-arithmetic obfuscation—all signs of the group’s work.
This campaign confirms that Mustang Panda is refining its tools and tactics. Despite setbacks, it continues to evolve—and its focus on stealth and persistence makes it a growing threat in the cybersecurity world.