Uncovering massive Red Delta, APT41 infrastructure and possible overlaps
Analysis Summary
# Threat Actor: Mustang Panda (Red Delta) and potential overlap with APT41
## Attribution & Identity
- **Primary Actor Identified:** Mustang Panda (also referred to as Red Delta).
- **Attribution:** China-based cyber espionage threat actor.
- **Historical Observation:** First observed in 2017, potentially active since at least 2014.
- **Potential Overlap:** Analysis of infrastructure suggests potential operational overlap or shared infrastructure with **APT41**.
## Activity Summary
The analysis was initiated by pivoting from malware associated with Red Delta infrastructure. The investigation focused on identifying common infrastructure (C2, domains, IPs) across indicators linked to Red Delta/Mustang Panda, specifically using pivoting techniques based on host banners, JARM fingerprints, and ASN grouping. This process uncovered infrastructure heavily associated with **PlugX** malware, directly linking back to Mustang Panda/Red Delta, and revealed findings strongly associated with **APT41**.
## Tactics, Techniques & Procedures
- **Malware Usage:** Utilization of **PlugX** malware.
- **Infrastructure Pivoting:** Techniques employed include pivoting based on:
  - Initial domain/IP indicators.
  - Host response banners (Header Hash and Banner Hash).
  - JARM fingerprints (`07d0bd16d21d21d07c07d0bd07d21dd7fc4c7c6ef19b77a4ca0787979cdc13`).
  - ASN grouping to identify favored hosting providers.
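The pivoting workflow above (seed indicator, expand on shared host-banner hash or JARM, then group by ASN) as an added Python example; this is not code from the report. The seed IP, the JARM value and the header hash are the ones quoted in the report, while the other hashes, the RFC 5737 addresses and the mapping of attributes to hosts are constructed sample data.

```python
from collections import defaultdict
# Added example, not the report's code. SEED_IP, JARM_A and HDR_A are values quoted
# in the report; everything else (the other hashes, the RFC 5737 addresses and
# which host carries which attribute) is CONSTRUCTED sample data.
SEED_IP = "139.180.192.163"
JARM_A = "07d0bd16d21d21d07c07d0bd07d21dd7fc4c7c6ef19b77a4ca0787979cdc13"
HDR_A = "74003aa800b6e7effc1c"
HDR_B, HDR_C = "hdr-constructed-b", "hdr-constructed-c"
JARM_B, JARM_C = "jarm-constructed-b", "jarm-constructed-c"

HOSTS = [  # constructed scan-style records: ip, asn, header hash, JARM
    {"ip": SEED_IP,         "asn": 20473, "header_hash": HDR_A, "jarm": JARM_A},
    {"ip": "103.79.120.67", "asn": 20473, "header_hash": HDR_A, "jarm": JARM_A},
    {"ip": "45.195.69.111", "asn": 20473, "header_hash": HDR_B, "jarm": JARM_A},
    {"ip": "203.0.113.10",  "asn": 64500, "header_hash": HDR_A, "jarm": JARM_B},
    {"ip": "198.51.100.7",  "asn": 64501, "header_hash": HDR_B, "jarm": JARM_C},
    {"ip": "192.0.2.50",    "asn": 64502, "header_hash": HDR_C, "jarm": JARM_C},
]

def pivot(hosts, seed_ip, keys=("header_hash", "jarm"), max_hops=2):
    """Breadth-first expansion from seed_ip: a host joins the cluster when it
    shares at least one pivot key with an already-linked host. Returns
    {ip: (keys_that_linked_it, hop)}. A JARM-only match is a weak lead."""
    by_ip = {h["ip"]: h for h in hosts}
    found = {seed_ip: ("seed", 0)}
    frontier = [seed_ip]
    for hop in range(1, max_hops + 1):
        new = []
        for ip in frontier:
            src = by_ip[ip]
            for h in hosts:
                if h["ip"] in found:
                    continue
                shared = [k for k in keys if h[k] == src[k]]
                if shared:  # record which attributes made the link and at what hop
                    found[h["ip"]] = ("+".join(shared), hop)
                    new.append(h["ip"])
        frontier = new
        if not frontier:
            break
    return found

def group_by_asn(hosts, found):
    """Group linked hosts by ASN to surface the actor's favoured hosting providers."""
    groups = defaultdict(list)
    for h in hosts:
        if h["ip"] in found:
            groups[h["asn"]].append(h["ip"])
    return dict(groups)
```

Hosts linked only through a single attribute, particularly JARM, which fingerprints the TLS stack rather than the operator, should be treated as leads to verify rather than confirmed infrastructure.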
## Targeting
- **Sectors:** Government entities, nonprofits, religious organizations, and other non-governmental organizations (NGOs).
- **Geography:** U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam.
- **Victims:** Specific victim organizations are not named, but the focus is on the sectors listed above.
## Tools & Infrastructure
- **Malware families used:** PlugX.
- **Infrastructure (C2, domains, IPs; defanged):**
  - Initial domain/IP: `jpkinki[.]com` hosted at `139.180.192[.]163`
  - Other observed domains linked via host banner pivots: `haberciinternational[.]com`
  - IPs associated with AS 20473: `166.88.117[.]11`, `103.79.120[.]67`, `103.79.120[.]70`, `45.195.69[.]111`, `103.79.120[.]74`, `139.180.192[.]163`, `223.26.52[.]245`, `146.66.215[.]19`, `103.79.120[.]71`, `103.79.120[.]85`, `96.43.101[.]248`, `103.79.120[.]69`, `45.133.239[.]188`, `38.54.85[.]112`, `45.32.105[.]184`, `173.199.71[.]152`, `45.152.65[.]213`, `103.79.120[.]89`, `45.152.66[.]25`, `83.229.127[.]115`, `38.89.72[.]133`.
  - Infrastructure exhibiting high overlap with APT41/PlugX, found via Header Hash `74003aa800b6e7effc1c` (the detailed IP/domain list is not reproduced in this summary).
## Implications
The discovery suggests a high degree of infrastructure consolidation or shared operational space between the state-sponsored espionage group Mustang Panda and APT41. This overlap increases the complexity of attribution and defense, as indicators related to one group might lead directly to the infrastructure of the other. The confirmed use of PlugX indicates established, well-known attack chains are still favored.
## Mitigations
- **Indicator Pivoting:** Use non-traditional correlation points such as HTTP host banners, JARM fingerprints, and ASN grouping for deeper infrastructure discovery, especially once the established indicators have been exhausted.
- **Monitoring PlugX Artifacts:** Maintain robust detection signatures for PlugX malware variants.
- **Network Segmentation:** Enforce strict network segmentation to limit lateral movement should an initial intrusion that uses these actors' shared C2 infrastructure succeed.
- **ASN Whitelisting/Blacklisting:** Investigate and potentially flag or monitor traffic originating from key Autonomous Systems identified as hosting significant attacker infrastructure (e.g., AS 20473, AS 139659).