Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mustang Panda ToneShell kernel-mode loader campaign against Asian government organizations

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

A Mustang Panda campaign is using ToneShell delivered through a kernel-mode loader to hide malicious activity from security tools while targeting government organizations across Asia. The operation has been active since at least February 2025 and has been seen in Myanmar, Thailand, and other Asian countries. The loader and rootkit-style controls increase the group’s stealth and resilience. The campaign matters because it combines espionage targeting with malware delivery designed to evade detection.

Related Happenings

StrikeShark SharkLoader and Cobalt Strike Beacon campaign

Campaign
H score42 First: 26.06.2026 21:17 Last: 26.06.2026 21:17 Sources 1

About this happening: The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...

OceanLotus SPECTRALVIPER campaigns targeting Vietnam

Campaign
H score33 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

About this happening: **OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...

OP-512 Microsoft IIS espionage campaign

Campaign
H score52 First: 05.06.2026 15:33 Last: 05.06.2026 15:33 Sources 1

About this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
H score38 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

Campaign
H score40 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...

Timeline

  1. 30.12.2025 02:08 2 articles · 6mo ago

    Kaspersky discloses Mustang Panda ToneShell rootkit delivery

    Initial Disclosure

    Kaspersky disclosed a new ToneShell backdoor sample attributed with high confidence to Mustang Panda, also known as HoneyMyte or Bronze President, and said the malware was being delivered through the kernel-mode loader ProjectConfiguration.sys in attacks against government organizations in Myanmar, Thailand, and other Asian countries. The analysis described stolen-or-leaked signing material issued to Guangzhou Kingteller Technology Co., Ltd., fake TLS headers, a 4-byte host ID scheme, file-system and registry interception, and interference with Microsoft Defender through WdFilter.

    Show sources