Mustang Panda / Hive0154 shows multiple active subclusters and frequent development cycles
Threat Actor Meta
Summary
Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles, showing a large malware ecosystem that keeps refreshing its tooling. That matters because overlapping families and repeated reuse of techniques can hide operator specialization and make attribution harder. The ecosystem’s scale suggests sustained capacity to evolve loaders, backdoors, and delivery methods over time.
Related Happenings
Npm typosquatting campaign distributing WinOS 4.0 implant
Campaign
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
An **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Campaign
First: 30.03.2026 10:00
Last: 30.03.2026 10:00
Sources 1
About this happening:
Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
Shadow-Void-044 and Shadow-Earth-045 PeckBirdy cyber-espionage campaigns
Campaign
First: 28.01.2026 18:19
Last: 28.01.2026 18:19
Sources 1
About this happening:
Two **China-aligned** **PeckBirdy** espionage campaigns were identified, widening risk to **Chinese gambling websites**, **Asian government entities**, and a **Philippine educatio...
Rival cybercrime exposure campaign destabilizes the Lumma Stealer ecosystem
Threat Actor Meta
First: 21.10.2025 11:00
Last: 21.10.2025 11:00
Sources 1
About this happening:
A **rival doxxing campaign** has put the **Lumma Stealer** underground ecosystem under pressure, exposing alleged operators and weakening trust in the service. The campaign matter...
Timeline
- 15.09.2025 21:45 · 2 articles
Initial report: Mustang Panda / Hive0154 shows multiple active subclusters and frequent development cycles
Initial Disclosure: Early-stage evidence centers on a **Hive0154** cluster that is no longer behaving like a single actor stream. The immediate shift is a visible move toward **subcluster-based malware development** with shared tooling patterns and recurring overlap.
Sources:
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45