Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

Three China-aligned clusters targeted a government organization in Southeast Asia, signaling a coordinated campaign built for long-term access. The activity spans Mustang Panda, CL-STA-1048, and CL-STA-1049 across June-August 2025, March-September 2025, and April-August 2025. It used USB-based malware, a rogue DLL called Claimloader, and DLL side-loading to deploy multiple backdoors and stealers. The persistent-access focus raises the risk of continued compromise in sensitive government networks.

Related Happenings

Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

Campaign
H score40 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...

UAT-8302 government-targeting campaign across South America and southeastern Europe

Campaign
H score28 First: 05.05.2026 17:19 Last: 05.05.2026 17:19 Sources 1

About this happening: The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...

Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles

Campaign
H score32 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: **Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
H score26 First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...

Timeline

  1. 30.03.2026 10:00 2 articles · 3mo ago

    Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign

    Initial Disclosure

    The earliest tracked phase came from **Mustang Panda** between **June and August 2025**, when **HIUPAN** was used to drop **PUBLOAD** via the rogue DLL **Claimloader**. That phase established the campaign's focus on covert access through removable media and malicious DLL execution.

    Show sources