Hello @adulau,
I would like to ask you, when you have time, to add a new entry for the threat actor Vertigo Panda.
In March 2025, Google Threat Intelligence Group (GTIG) identified a complex, multifaceted campaign attributed to the PRC-nexus threat actor UNC6384 (also known as Vertigo Panda). The campaign targeted diplomats in Southeast Asia and other entities globally. GTIG assesses this was likely in support of cyber espionage operations aligned with the strategic interests of the People's Republic of China (PRC), ref [1].
This is a China-linked threat actor targeting diplomatic entities globally. Their techniques include spearphishing attacks. They are known to have engaged in cyberespionage campaigns against European institutions and Asian diplomatic and public administration organisations. They have also been observed using NETO-themed e-mails, workshops and meetings, and other spearphishing on political topics that looks legitimate.
Source ref:
1: PRC-Nexus threat actor Vertigo Panda
2: Mustang Panda is closely related to Vertigo Panda as patterns
3: CrowdStrike article, who are Vertigo Panda
4: Chinese State-Sponsored RedDelta overlap
Note: one of our recent reports is related to this threat actor.
Additional from ref [4], a PDF resource with details on the RedDelta TA, which overlaps with Vertigo Panda:
RedDelta closely overlaps with public reporting under the aliases BRONZE PRESIDENT, Mustang Panda, Stately Taurus, Earth Preta, Red Lich, TA416, HoneyMyte, Twill Typhoon, Vertigo Panda, and Dark Peony.
They use a customized PlugX backdoor in their campaigns to infect hosts.