Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
Summary
Hide ▲
Show ▼
Mustang Panda is running new 2026 espionage activity against the Indian government and hydropower targets, using Zoho WorkDrive as a command-and-control and exfiltration channel. The campaigns rely on spear-phishing ZIP archives, signed-binary DLL side-loading, and three newly described tools, SHARDLOADER, MINIRECON, and ZOHOMURK. Acronis observed active compromises inside Indian government networks and tied the operation to June 12 to June 22, 2026 beaconing. The activity also produced hunting indicators including Run keys, a scheduled task named SolidPDFPcl2Bmp, and the C2 domain couldinstallup[.]com.
Related Happenings
Amadey and StealC shared-infrastructure malware activity
Malware Activity
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
The **Amadey** loader and **StealC** infostealer are being linked through shared **C&C infrastructure**, making the pair easier to coordinate and disrupt. **Amadey** helps attacke...
Amadey and StealC shared-infrastructure malware activity
Malware ActivityAbout this happening: The **Amadey** loader and **StealC** infostealer are being linked through shared **C&C infrastructure**, making the pair easier to coordinate and disrupt. **Amadey** helps attacke...
Earth Lusca Operation FishMedley espionage campaign
Campaign
H score38
First: 16.06.2026 12:44
Last: 16.06.2026 12:44
Sources 1
About this happening:
A **multi-country espionage campaign** tied to **Earth Lusca / FishMonger** is now linked to **Operation FishMedley**, a **January–October 2022** effort that reached **seven organ...
Earth Lusca Operation FishMedley espionage campaign
CampaignAbout this happening: A **multi-country espionage campaign** tied to **Earth Lusca / FishMonger** is now linked to **Operation FishMedley**, a **January–October 2022** effort that reached **seven organ...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
H score38
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm multi-country targeting campaign against government and enterprise victims
CampaignAbout this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Timeline
-
28.01.2026 13:40 2 articles · 5mo ago
Mustang Panda multi-country espionage campaign against government and telecom targets
Initial DisclosureThe operation began as a multi-year espionage effort against **government** and **telecom** targets, with activity observed from **2021** onward. Early tradecraft centered on **signed binaries** and **DLL side-loading** to launch malicious modules and establish persistence.
Show sources
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
-
30.12.2025 10:35 2 articles · 6mo ago
Mustang Panda deploys kernel-mode TONESHELL loader
Campaign Scope UpdateKaspersky identified a Mustang Panda campaign that used a previously undocumented kernel-mode rootkit driver to deliver the TONESHELL backdoor against an unspecified entity in Asia, with related activity tied to government targets in Myanmar and Thailand. The driver, signed with an old, stolen, or leaked certificate, was used in 2025 operations that showed a shift toward kernel-mode injectors to deploy ToneShell and hide its activity.
Show sources
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks — thehackernews.com — 29.06.2026 18:03