Mustang Panda—also known in industry and government reporting as BASIN, BRONZE PRESIDENT, CAMARO DRAGON, EARTH PRETA, FIREANT, G0129, HIVE015, HoneyMyte, LUMINOUS MOTH, Polaris, RedDelta, STATELY TAURUS, TA416, TANTALUM, TEMP.HEX, TWILL TYPHOON, or UNC6384—is a highly active, state-sponsored Chinese cyber-espionage group assessed to operate under the People’s Republic of China (PRC). Active for over a decade, the group is distinguished by its high operational tempo and “volume over stealth” approach to espionage.

Mustang Panda has consistently targeted entities that intersect with Beijing’s geopolitical priorities, particularly government and diplomatic institutions, maritime logistics organizations, and religious institutions. Their campaigns demonstrate a persistent focus on intelligence collection related to foreign policy, trade routes, and sensitive diplomatic engagements.

Multiple cybersecurity vendors and government agencies assess with high confidence that Mustang Panda operates in alignment with PRC strategic objectives, based on victimology patterns, infrastructure choices, and activity timing that aligns with Chinese working hours (UTC+8).

The new Mustang Panda Dashboard in ThreatConnect offers security teams centralized visibility into this highly active and adaptable adversary.

Key Benefits:

• Centralized Intelligence: Aggregates Mustang Panda-related IOCs, TTPs, malware families, and campaign telemetry from open sources, commercial feeds, and internal data.
• Continuous Threat Tracking: Monitors real-time updates on actor infrastructure, targeting patterns, and evolving tradecraft.
• Accelerated Incident Response: Provides enriched, contextual intelligence to reduce detection-to-response timelines.
• Visual Reporting & Executive Insights: Interactive charts, timelines, and executive-ready dashboards support risk prioritization and communication.
• Automated Correlation: Leverages ThreatConnect’s automation engine to map Mustang Panda indicators across intrusion sets, malware families, and victim profiles.

Mustang Panda’s consistent targeting of government, diplomatic, and maritime entities underscores the ongoing risk to sensitive political and economic interests worldwide. 

The Mustang Panda Dashboard equips defenders with the ability to visualize campaigns, correlate activity, and act decisively—directly within the ThreatConnect platform.

Note: To maximize the value of this dashboard, organizations may benefit from integration with premium threat intelligence sources such as Dataminr, Mandiant, Recorded Future, or CrowdStrike.

Lead Contributor – Travis Meyers, Customer Success Manager

To gain access to the Mustang Panda Dashboard, please connect with your Customer Success team or reach out to us through our contact form.

Further Resources

For more detailed information and resources on Salt Typhoon, please refer to the following:

We urge all organizations to remain vigilant and proactive in their cybersecurity efforts. By implementing these recommendations, you can significantly reduce your risk and protect your critical assets.

Mustang Panda Known Exploited Vulnerabilities

The post Mustang Panda Intelligence Dashboard Immediately Available for ThreatConnect appeared first on ThreatConnect.

The Advanced Persistent Talent series profiles ThreatConnect employees and explores how their work impacts products and offerings, how they got here, and their views on the industry at large. Want to know more about a particular team? Let us know!

As a seasoned marketer in the cybersecurity space, Dan Cole has heard all of the old product narratives before — from “attackers are outpacing security teams faster than ever” to “alert fatigue is overwhelming analysts.” In an industry where the work is both complex and, to some, a little dry, it can be tricky to come up with new, flashy ways to tell a brand story. That’s why Cole always starts with what matters most: helping analysts do work with real impact.

“We’re really trying to help these analysts prioritize work that actually helps them feel like they are making a difference,” Cole says. Sometimes that means explaining ways to use tools like ThreatConnect’s Risk Quantifier to attach real dollar figures to the results threat intelligence provides. And other times, it means finding new ways to share best practices — like, say, by comparing them to Star Wars. 

Whatever he might be working on, Cole wants to make sure ThreatConnect’s products solve the biggest real-world problems facing clients. And as for when he’s outside of work? You’ll probably find him outside photographing and, sometimes, rescuing wild foxes.

The following conversation has been edited for clarity and length.

How did you get into threat intelligence, and what does your role look like day to day?

Dan Cole: I was a product manager for almost 15 years in a variety of industries, but then I was hired at ThreatConnect 10 years ago as part of their series B to lead and build out their product management team. I’ve kind of shifted roles since then, but it involves spending a lot of time with customers to understand their pain points, understand where they’re running into roadblocks, and make sure that our roadmap is prioritized to remove those roadblocks. Since then my role has shifted to help educate the market on some of the best ways to remove those roadblocks – ideally with our products!

Pretty much everything I learned about threat intelligence, I learned from our customers and the challenges that they are actively facing every single day.

What is the most challenging part of your job?

The most challenging part of my job is ensuring that what we are doing helps people feel like they matter. We all want to feel like the work we’re doing is making some kind of impact and moving some kind of needle. Like it’s not just busy work that’s going to end up in the trash. 

Every vendor talks about alert fatigue and how overwhelming it can be. Studies clearly show the impact that those sorts of things have on the emotional well being of these analysts. But our goal isn’t just to help analysts feel less overwhelmed. We’re really trying to help these analysts prioritize work that actually helps them feel like they are making a difference.

I saw you’ve used Star Wars as an analogy for the threat gap in a webinar before. What gave you the idea to do that?

We want to stand out in the industry and make things a little fun. Considering the toll that this work takes on the mental health of these analysts, if we can give them a break with something a little entertaining, great. It’s better than another dry corporate webinar where someone is just pitching their product. It’s about evangelizing not just our products, but the different approaches to cyber defense that can make analysts more effective in their roles.

You’ve also written about how cybersecurity professionals can use AI as a teammate. How would you describe the potential and the risks associated with AI? 

The way one customer put it to me was that AI is kind of the world’s smartest intern. I might trust an intern to do research, but I’m not going to let them push the big red button or handle something that might blow up our security stack. 

One big risk is that AI can be a black box; you might not be able to really understand how it reached its conclusion. It’s very easy to add an LLM to an existing security product, but it can be hard to know if the underlying data that that LLM uses is any good. But at ThreatConnect, we have the DNA of being a data company. We have billions of records and 1.2 million different sources of data. So the LLMs that we put on top of our products have access to data that is vetted and high fidelity and reliable, and we can be transparent and provide receipts. So when you hire that “intern,” you can trust the data that they are running out to gather is solid.

That would make a huge difference. And how do you spend your time outside of ThreatConnect?

I am an amateur wildlife photographer. I also do wildlife rescue, including volunteering at a rescue focused on saving foxes from fur farms. I enjoy all things food — from gardening, to actually growing the food, to cooking, to actually making the food, to going out to restaurants to enjoy food without having to do dishes. I also love backpacking and being outdoors.

Which rescue organization do you work with, and what’s that like as a hobby? 

It’s called the Wildlife Rescue League. I also work with Save a Fox out of Minnesota. And it’s not easy. When wild animals are injured or sick, they don’t want to be trapped. But we have an entire network of rescuers, transporters, vets, and rehabilitators. 

Just this past Sunday, I picked up a raccoon that had pneumonia, put him in the back of my car, and drove him to a rehabilitator where he’s going to get some antibiotics, get some rest, and eventually be released back into the wild.

What other types of animals have you rescued?

Foxes are my favorite, but I’ve also gotten to release a one-eyed owl back into the wild. I’ve done turkey vultures, which are super cool. And one time, I had a red shouldered hawk, which spent the entire car ride screaming at the top of its lungs. It was still super fun.

Do you have some sort of enclosure in your backseat to transport these animals?

Sometimes it’s just a cardboard box, and sometimes a cage. Luckily, I’ve never had an escapee, but it has happened to others.

I’d wondered about that. Why are foxes your favorite?

Gosh, I’m trying to think of a way to loop them back to the theme of threat intelligence. 

If you could do that, it would be great for this article!

I’ll start a sentence, and eventually I’ll find my way there. First of all, they’re beautiful. They are misunderstood. And just like I like to stand up for the intelligence analysts, I’m a fan of the underdog. I want to stand up for the little guy. But foxes are extremely clever. They’re this perfect mix of curiosity and bravery and caution, and they’re very adaptable.

When I think about threat intelligence and cybersecurity, I do think good analysts also have a healthy mix of curiosity, bravery and caution. You want to be bold, because the attackers certainly are, but you also want to be cautious and not make mistakes when you’re taking a blocking action or promoting a new strategy. And certainly, you have to be extremely clever and extremely adaptable. For example, as adversaries start leveraging AI more and more, we need to adapt the way we do cyber defense so that we can stay ahead of those threats.

Nicely done with that metaphor. And has wildlife rescue also made you better at wildlife photography?

Yeah, 100%. Foxes, especially, have such varied personalities. You can just tell they let the intrusive thoughts win. Now that I’ve gotten to know their personalities, it’s helped me not only work with them but also figure out what I want to bring out in my photos. If I’ve got a fox that is particularly spicy, I want to find an opportunity to showcase that.

The post Why ThreatConnect’s VP of Product Marketing Spends His Off Hours Rescuing Wild Foxes appeared first on ThreatConnect.