Hunting Pandas

Hunting Pandas
By: Vasilis Orlof
2025-04-04
general

It all started with the malware analysis report by somedieyoung linking the malware to Mustang Panda/Red Delta

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.

Analysis

Using the report we can generate the following IoC diagram (you can read the full analysis here)

Figure. Indicator diagram from a recent Mustang Panda investigation.

Figure. Indicator diagram from a recent Mustang Panda investigation.

We’ll begin our hunt at the first domain found in the malware analysis, jpkinki[.]com hosted at 139.180.192[.]163. When it comes to IPs, I will completely ignore Cloudflare’s ASN as we can’t really pivot from them.

  • jpkinki[.]com
  • 139.180.192[.]163
Figure. Discovering the possible origin IP for the domain jpkinki[.]com using Validin’s host connections.

Figure. Discovering the possible origin IP for the domain jpkinki[.]com using Validin’s host connections.

Host Banner Pivot

Using Validin, we can review the domain for interesting pivots. The host banners pivot reveals 5 related domains and IPs (4 net new), some of which have been previously tagged as PlugX, indicating we are on the right path.

Figure. Finding the unique host banner associated with the starting IP.

Figure. Finding the unique host banner associated with the starting IP.

Figure. Finding other indicators with identical banner hashes, some of which are associated with PlugX.

Figure. Finding other indicators with identical banner hashes, some of which are associated with PlugX.

After a recent update, Validin conveniently groups the results in different pages making it easier to review and pivot. In our case, the host response banner was captured for ports 443 and 8088, giving us 2 unique Banner Hashes.

To expand our findings we’ll go over the result, pivot on the Banner Hash, and start grouping our findings.

We will also perform ASN analysis to see if the threat actor favors specific ASNs for their infra deployment.

Figure. Viewing the banners associated with different pivots and their related features.

Figure. Viewing the banners associated with different pivots and their related features.

Indicators associated by banner hash.
# Host Banner 97dc22b3d6a00ef55d774041bc3b615f
139.180.192[.]163 - AS 20473
45.133.239[.]188 - AS 6134
38.54.85[.]112 - AS 138915
haberciinternational[.]com
gclm[.]name

# Host Banner e30fb7845d2cda285b40e57001cfdb71
139.180.192[.]163 - AS 20473
45.133.239[.]188 - AS 6134
45.32.105[.]184 - AS 20473
173.199.71[.]152 - AS 20473
45.152.65[.]213 - AS 139659
103.79.120[.]89 - AS 137443
45.152.66[.]25 - AS 139659
haberciinternational[.]com
83.229.127[.]115 - AS 139659
38.89.72[.]133 - AS 174

Sure enough, we dee that there is overlap on the AS, which is something that might help us create a hunting rule:

  • AS 139659
  • AS 20473
Figure. Updated indicator diagram showing the connections between indicator features, IPs, domains, and ASNs.

Figure. Updated indicator diagram showing the connections between indicator features, IPs, domains, and ASNs.

JARM Pivot

Since we see a pattern forming regarding the ASN, we’ll follow that trail. Examining the host 45.76.132[.]25 we can see an interesting pivot on the JARM Fingerprint, leading us to additional findings. Some of them matching our previous rules and some already reported as PlugX malware (used by Mustang Panda / RedDelta).

  • 07d0bd16d21d21d07c07d0bd07d21dd7fc4c7c6ef19b77a4ca0787979cdc13
Figure. A small number of indicators sharing identical TLS configurations, resulting in concentrated JARM overlap.

Figure. A small number of indicators sharing identical TLS configurations, resulting in concentrated JARM overlap.

Now armed with more indicators, we can create groupings and focus on the hosts of the top 3 AS to create new associations and patterns that will lead us to additional infrastructure.

Validin generates the Header Hash and Banner Hash based on the keys in the header of HTTP responses which, in combination with the JARM, makes them strong points for identifying similarly-configured web servers.

Figure. Distribution of unique IPs found on each ASN.

Figure. Distribution of unique IPs found on each ASN.

Figure. IP/ASN relationships for the most commonly-observed IPs.

Figure. IP/ASN relationships for the most commonly-observed IPs.

Response Banners + JARM + ASN

After analysing all the banner and header responses I gathered the following interesting data per AS.

AS 20473

  • Server: nginx/1.22.1
  • Header Hash: d7001d5eaca56712100c
  • JARM: 2ad2ad0002ad2ad00042d42d00000000f78d2dc0ce6e5bbc5b8149a4872356
  • JARM: 2ad2ad0002ad2ad22c2ad2ad2ad2ad703dc1bf20eb9604decefea997eabff7

Pivoting on the Header Hash returns 12 unique hosts matching our parameters, some already associated with PlugX so I would say these findings can be attributed to the threat actor with high confidence.

Figure. The header and banner hashes associated with one of the indicators.

Figure. The header and banner hashes associated with one of the indicators.

Related IPs on AS 20473
166.88.117[.]11
103.79.120[.]67
103.79.120[.]70
45.195.69[.]111
103.79.120[.]74
139.180.192[.]163
223.26.52[.]245
146.66.215[.]19
103.79.120[.]71
103.79.120[.]85
96.43.101[.]248
103.79.120[.]69

AS 135377

The JARM associated with the finding on this AS is the one we saw earlier so I focused on other findings. The Header Hash 74003aa800b6e7effc1c returns over 400 IPs & domains heavily associated with PlugX, RedDelta (Mustang Panda) and more interestingly APT41 indicating a potential overlap.

* APT41 is known for conducting both state-sponsored espionage and financially motivated operations, while RedDelta has been reported to target government entities and utilize malware

** The results from this pivot might include some False Positives so I’ll include these findings under “Medium Confidence” section on the IoC list

Header hash and JARM pivots used.

  • Header hash: 74003aa800b6e7effc1c
  • JARM: 07d0bd16d21d21d07c07d0bd07d21dd7fc4c7c6ef19b77a4ca0787979cdc13
Figure. Checking indicators against VirusTotal and ThreatFox.

Figure. Checking indicators against VirusTotal and ThreatFox.

Figure. Highlighting existing indicator attribution from the header hash pivot. Note that this might include false positives, but highlights the uniqueness of the underlying tooling used.

Figure. Highlighting existing indicator attribution from the header hash pivot. Note that this might include false positives, but highlights the uniqueness of the underlying tooling used.

Conclusion

We started from a few indicators associated with Red Delta infra and through pivoting we managed to discover additional infra and potential operational overlaps between Red Delta and APT41.

Special thanks to Michal Koczwara for sharing the initial report that launched this investigation and Kenneth Kinion for his support with the Validin Platform.

Ready to elevate your threat hunting, threat attribution, and incident response efforts? Whether you’re an individual analyst or part of a larger enterprise team, Validin offers solutions that meet your needs. Individual users can create a free account and self-upgrade to access more advanced features and data.

Part of a team? Contact us today to explore our enterprise options and discover how Validin can provide your teams with powerful tools unparalleled data. Let Validin help you work smarter, faster, and more effectively in the fight against cyber threats.

Eliminate blind spots with comprehensive DNS history.

Contact us for a demo