
Mustang Panda ToneShell kernel-mode loader campaign against Asian government organizations

Campaign
Happening score (H score): 36
1 unique source, 1 article

Summary


A Mustang Panda campaign is using ToneShell delivered through a kernel-mode loader to hide malicious activity from security tools while targeting government organizations across Asia. The operation has been active since at least February 2025 and has been seen in Myanmar, Thailand, and other Asian countries. The loader and rootkit-style controls increase the group’s stealth and resilience. The campaign matters because it combines espionage targeting with malware delivery designed to evade detection.

Related Happenings

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

Campaign
First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **LotusLite** backdoor is being delivered through **malicious files** and **DLL sideloading**, creating a remote-access malware activity that supports **espionage**. The opera...

Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign

Campaign
First: 30.03.2026 10:00 Last: 30.03.2026 10:00 Sources 1

About this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...

Amaranth-Dragon Southeast Asia espionage campaign

Campaign
First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: The **Amaranth-Dragon** espionage campaign targeted **government and law enforcement agencies** across **Southeast Asia** throughout **2025**, indicating a sustained effort to est...

Timeline

  1. 30.12.2025 02:08 · 2 articles

    Kaspersky discloses Mustang Panda ToneShell rootkit delivery

    Initial Disclosure

    Kaspersky disclosed a new ToneShell backdoor sample attributed with high confidence to Mustang Panda, also known as HoneyMyte or Bronze President. It said the malware was being delivered through the kernel-mode loader ProjectConfiguration.sys in attacks against government organizations in Myanmar, Thailand, and other Asian countries. The analysis described stolen or leaked signing material issued to Guangzhou Kingteller Technology Co., Ltd., fake TLS headers, a 4-byte host ID scheme, file-system and registry interception, and interference with Microsoft Defender through WdFilter.
