Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
Summary
A Mustang Panda espionage campaign used CDN impersonation and DLL sideloading against networks in Asia-Pacific and Japan. It ran from late September 2025 through April 2026, increasing the risk of sustained espionage access. The activity matters because it combined trusted-process execution with persistent payload delivery and finance-sector targeting. The operation also used rotating infrastructure, which can make simple indicator-based detection less durable.
Related Happenings
FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan
Malware Activity
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
How related:
An updated variant of the FDMTP backdoor has been observed in a months-long espionage campaign aimed at networks in the Asia-Pacific and Japan, with researchers linking the activity to the China-aligned group Mustang Panda.
About this happening:
An updated **FDMTP backdoor** variant is active in a **months-long espionage operation** against **Asia-Pacific and Japan** networks, increasing the risk of stealthy remote access...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
LotusLite backdoor delivered via DLL sideloading
Malware Activity
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **LotusLite** backdoor is being delivered through **malicious files** and **DLL sideloading**, creating a remote-access malware activity that supports **espionage**. The opera...
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Campaign
First: 30.03.2026 10:00
Last: 30.03.2026 10:00
Sources 1
About this happening:
Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Malware Activity
First: 04.02.2026 16:09
Last: 04.02.2026 16:09
Sources 1
About this happening:
**Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...
Timeline
14.05.2026 18:00 2 articles · 13d ago
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Initial Disclosure
Initial access began with hosts reaching attacker infrastructure that **impersonated well-known CDNs** in **late September 2025**. The first phase then moved into **legitimate-binary retrieval** followed by **malicious DLL sideloading**.
- Mustang Panda Linked to Updated FDMTP Backdoor in Asia-Pacific Espionage Campaign — www.infosecurity-magazine.com — 14.05.2026 18:00