Mustang Panda Launches PlugX RAT Campaign via Fake Browser Update
Severity: High (Score: 75.5)
Sources: Cybersecuritynews, Gbhackers
Severity indicators: rat
Summary
Mustang Panda, a Chinese state-sponsored threat group, has initiated a cyberattack campaign deploying the PlugX remote access tool (RAT). The attack uses a fake browser updater to trick users into downloading a multi-stage malware loader. This loader employs a combination of LNK and PowerShell scripts to sideload PlugX through a legitimate antivirus binary. The malware communicates with a hard-coded command and control (C2) server over HTTPS, using layered encryption to conceal its configuration. The campaign is characterized by its sophisticated methods and is indicative of the group's ongoing focus on espionage and data theft. Organizations using G DATA antivirus software may be particularly vulnerable to this attack. The campaign is currently active, and ongoing monitoring is required.
Key Points:
- Mustang Panda is deploying PlugX RAT through a fake browser updater.
- The attack uses a multi-stage LNK and PowerShell loader to sideload malware.
- G DATA antivirus users are specifically targeted in this campaign.
Detailed Analysis
**Impact**
The campaign targets users who are tricked into installing a fake browser update, potentially affecting any organization or individual using the targeted browsers. No specific sectors, geographies, or victim counts are provided. The malware enables remote access, risking data exfiltration, system control, and operational disruption.
**Technical Details**
Mustang Panda employs a multi-stage infection chain starting with a fake browser updater that delivers a loader via LNK and PowerShell scripts. The loader sideloads the PlugX RAT through a legitimate G DATA antivirus binary. Communication with a hard-coded C2 server occurs over HTTPS, with configuration and strings protected by layered encryption and API hashing. No CVEs or specific IOCs are reported in the articles.
**Recommended Response**
Defenders should monitor for suspicious LNK and PowerShell activity, especially activity that invokes G DATA antivirus binaries. Network monitoring for unusual HTTPS connections to unknown or hard-coded domains is advised. Implement application whitelisting and educate users to avoid installing unsolicited browser updates. No patch information is available from the sources.
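A defender-side heuristic for the chain described under Recommended Response, added here as an example and not taken from the source articles: it walks constructed process-creation events and flags a PowerShell process launched with loader-style flags that spawns a known signed vendor binary from a user-writable path. The log fields, user name, paths and the binary name "VendorScan.exe" are placeholders, since the articles name no IoCs or file names.

```python
import re

# Constructed process-creation events (Sysmon/EDR style); "VendorScan.exe",
# the user name and the paths are placeholders, not indicators from the articles.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
            r"-File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Users\alice\AppData\Local\Temp\upd\VendorScan.exe", "cmd": "VendorScan.exe"},
    # Benign control: the same binary started from its install directory by a service.
    {"pid": 400, "ppid": 1, "image": r"C:\Program Files\Vendor\VendorScan.exe", "cmd": "VendorScan.exe"},
]

# Signed vendor binaries you treat as sideloading candidates (placeholder; the
# articles do not name the G DATA file) and the directories they legitimately run from.
SIDELOAD_CANDIDATES = {"vendorscan.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# PowerShell launch flags typical of an LNK-driven loader (T1059.001).
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s|-(?:ep|executionpolicy)\s+bypass",
    re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_sideload_chains(events):
    """Return (powershell_pid, child_pid, reason) for each chain in which PowerShell, launched
    with loader-style flags, spawned a sideload candidate from outside its trusted install
    directory (T1574 heuristic for the LNK -> PowerShell -> sideload chain described above)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = e["image"].lower()
        if _basename(image) not in SIDELOAD_CANDIDATES or image.startswith(TRUSTED_DIRS):
            continue  # not a candidate, or running from where the vendor installs it
        parent = by_pid.get(e["ppid"])
        if not parent or _basename(parent["image"]) != "powershell.exe":
            continue
        if not SUSPICIOUS_PS_FLAGS.search(parent["cmd"]):
            continue
        grand = by_pid.get(parent["ppid"])
        via_shell = grand is not None and _basename(grand["image"]) == "explorer.exe"
        chain = "explorer.exe (LNK-style) -> powershell.exe" if via_shell else "powershell.exe"
        hits.append((parent["pid"], e["pid"], f"{_basename(image)} run from {e['image']} via {chain}"))
    return hits
```

Running `find_sideload_chains(SAMPLE_EVENTS)` flags only the Temp-directory launch (PowerShell pid 200, child pid 300); the copy started from Program Files is left alone, which is the distinction a real alert needs to avoid paging on the product's own processes.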
Source articles (2)
- Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT — Gbhackers · 2026-06-02
  Mustang Panda is using a fake “Browser Updater” and a multi‑stage LNK–PowerShell loader to sideload PlugX through a legitimate G DATA antivirus binary, ultimately beaconing over HTTPS to a hard‑coded…
- Mustang Panda Deploys PlugX RAT Through Multi — Cybersecuritynews · 2026-06-02
  A well-known Chinese state-sponsored threat group called Mustang Panda has been caught running a sophisticated cyberattack campaign using its signature remote access tool, PlugX. The group used a cleverly disg…
Timeline
- 2026-06-02 — Mustang Panda cyberattack campaign reported: Mustang Panda is using a fake browser updater to deploy PlugX RAT via a multi-stage loader, affecting users of G DATA antivirus.
- 2026-06-02 — Attack method detailed: The campaign utilizes LNK and PowerShell scripts to sideload PlugX, hiding its communication behind encryption.
Related entities
- Mustang Panda (Apt Group)
- Malware (Attack Type)
- China (Country)
- PlugX (Malware)
- T1059.001 - PowerShell (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1574 - Hijack Execution Flow (Mitre Attack)
- G DATA Antivirus (Tool)
- PowerShell (Tool)