Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Malware Activity
Summary
Hide ▲
Show ▼
Mustang Panda (TA416) used malicious ZIP/LNK chains to deliver its custom PlugX/DOPLUGS payload and maintain persistent access on compromised hosts. The activity targeted officials involved in diplomacy, elections, and international coordination between December 2025 and mid-January 2026, and the delivery chain used PowerShell, a TAR archive, and DLL sideloading to load the malware.
Related Happenings
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
CampaignAbout this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
FamousSparrow Azerbaijanian oil-and-gas targeting campaign
Campaign
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...
FamousSparrow Azerbaijanian oil-and-gas targeting campaign
CampaignAbout this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
Incident
First: 06.05.2026 16:00
Last: 06.05.2026 16:00
Sources 1
About this happening:
The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
IncidentAbout this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware ActivityAbout this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
CampaignAbout this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
Timeline
-
04.02.2026 16:09 3 articles · 3mo ago
Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Initial DisclosureMalicious **ZIP** files with a single **LNK** shortcut triggered **PowerShell** extraction of a **TAR** archive, which then used **DLL search-order hijacking** and sideloading to load **PlugX/DOPLUGS**.
Show sources
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- Chinese Hackers Target European Governments in Espionage Campaigns — www.infosecurity-magazine.com — 01.04.2026 15:05