Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mustang Panda multi-country espionage campaign against government and telecom targets

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 3 articles

Summary

Hide ▲

Mustang Panda is running new 2026 espionage activity against the Indian government and hydropower targets, using Zoho WorkDrive as a command-and-control and exfiltration channel. The campaigns rely on spear-phishing ZIP archives, signed-binary DLL side-loading, and three newly described tools, SHARDLOADER, MINIRECON, and ZOHOMURK. Acronis observed active compromises inside Indian government networks and tied the operation to June 12 to June 22, 2026 beaconing. The activity also produced hunting indicators including Run keys, a scheduled task named SolidPDFPcl2Bmp, and the C2 domain couldinstallup[.]com.

Related Happenings

Amadey and StealC shared-infrastructure malware activity

Malware Activity
H score66 First: 24.06.2026 18:02 Last: 24.06.2026 18:02 Sources 1

About this happening: The **Amadey** loader and **StealC** infostealer are being linked through shared **C&C infrastructure**, making the pair easier to coordinate and disrupt. **Amadey** helps attacke...

Earth Lusca Operation FishMedley espionage campaign

Campaign
H score38 First: 16.06.2026 12:44 Last: 16.06.2026 12:44 Sources 1

About this happening: A **multi-country espionage campaign** tied to **Earth Lusca / FishMonger** is now linked to **Operation FishMedley**, a **January–October 2022** effort that reached **seven organ...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations

Campaign
H score39 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
H score38 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

Timeline

  1. 28.01.2026 13:40 2 articles · 5mo ago

    Mustang Panda multi-country espionage campaign against government and telecom targets

    Initial Disclosure

    The operation began as a multi-year espionage effort against **government** and **telecom** targets, with activity observed from **2021** onward. Early tradecraft centered on **signed binaries** and **DLL side-loading** to launch malicious modules and establish persistence.

    Show sources
  2. 30.12.2025 10:35 2 articles · 6mo ago

    Mustang Panda deploys kernel-mode TONESHELL loader

    Campaign Scope Update

    Kaspersky identified a Mustang Panda campaign that used a previously undocumented kernel-mode rootkit driver to deliver the TONESHELL backdoor against an unspecified entity in Asia, with related activity tied to government targets in Myanmar and Thailand. The driver, signed with an old, stolen, or leaked certificate, was used in 2025 operations that showed a shift toward kernel-mode injectors to deploy ToneShell and hide its activity.

    Show sources