Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

Campaign
First reported
Last updated
Happening score
H score 40
1 unique sources, 1 articles

Summary

Hide ▲

A Mustang Panda espionage campaign used CDN impersonation and DLL sideloading to target Asia-Pacific and Japan networks, extending from late September 2025 through April 2026 and increasing the risk of sustained espionage access. The activity matters because it combined trusted-process execution with persistent payload delivery and finance-sector targeting. The operation also used rotating infrastructure, which can make simple indicator-based detection less durable.

Related Happenings

FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan

Malware Activity
H score28 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

How related: An updated variant of the FDMTP backdoor has been observed in a months-long espionage campaign aimed at networks in the Asia-Pacific and Japan, with researchers linking the activity to the China-aligned group Mustang Panda.

About this happening: An updated **FDMTP backdoor** variant is active in a **months-long espionage operation** against **Asia-Pacific and Japan** networks, increasing the risk of stealthy remote access...

Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles

Campaign
H score32 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: **Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign

Campaign
H score32 First: 30.03.2026 10:00 Last: 30.03.2026 10:00 Sources 1

About this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
H score26 First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...

Timeline

  1. 14.05.2026 18:00 2 articles · 1mo ago

    Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

    Initial Disclosure

    Initial access began with hosts reaching attacker infrastructure that **impersonated well-known CDNs** in **late September 2025**. The first phase then moved into **legitimate-binary retrieval** followed by **malicious DLL sideloading**.

    Show sources