Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Campaign
Summary
Three China-aligned clusters targeted a government organization in Southeast Asia, signaling a coordinated campaign built for long-term access. The activity spans Mustang Panda, CL-STA-1048, and CL-STA-1049 across June-August 2025, March-September 2025, and April-August 2025. It used USB-based malware, a rogue DLL called Claimloader, and DLL side-loading to deploy multiple backdoors and stealers. The persistent-access focus raises the risk of continued compromise in sensitive government networks.
Related Happenings
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Malware Activity
First: 04.02.2026 16:09
Last: 04.02.2026 16:09
Sources 1
About this happening:
**Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...
Amaranth-Dragon Southeast Asia espionage campaign
Campaign
First: 04.02.2026 16:09
Last: 04.02.2026 16:09
Sources 1
About this happening:
The **Amaranth-Dragon** espionage campaign targeted **government and law enforcement agencies** across **Southeast Asia** throughout **2025**, indicating a sustained effort to est...
Timeline
- 30.03.2026 10:00 · 2 articles
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Initial Disclosure
The earliest tracked phase came from **Mustang Panda** between **June and August 2025**, when **HIUPAN** was used to drop **PUBLOAD** via the rogue DLL **Claimloader**. That phase established the campaign's focus on covert access through removable media and malicious DLL execution.
Sources
- Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign — thehackernews.com — 30.03.2026 10:00