Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
First reported
Last updated
Happening score
H score 26
2 unique sources, 2 articles

Summary

Hide ▲

Mustang Panda (TA416) used malicious ZIP/LNK chains to deliver its custom PlugX/DOPLUGS payload and maintain persistent access on compromised hosts. The activity targeted officials involved in diplomacy, elections, and international coordination between December 2025 and mid-January 2026, and the delivery chain used PowerShell, a TAR archive, and DLL sideloading to load the malware.

Related Happenings

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

Campaign
H score40 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...

FamousSparrow Azerbaijanian oil-and-gas targeting campaign

Campaign
H score32 First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...

Ministry of Justice and Legal Affairs of Oman hit by network compromise

Incident
H score37 First: 06.05.2026 16:00 Last: 06.05.2026 16:00 Sources 1

About this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...

Quasar Linux (QLNX) Linux RAT targeting developer credentials

Malware Activity
H score28 First: 06.05.2026 12:48 Last: 06.05.2026 12:48 Sources 1

About this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...

Timeline

  1. 04.02.2026 16:09 3 articles · 5mo ago

    Mustang Panda PlugX DOPLUGS deployment chain for persistent access

    Initial Disclosure

    Malicious **ZIP** files with a single **LNK** shortcut triggered **PowerShell** extraction of a **TAR** archive, which then used **DLL search-order hijacking** and sideloading to load **PlugX/DOPLUGS**.

    Show sources