🇨🇳 CN2 malware families

UNK_SteadySplit

Also known asunk_steadysplit

UNK_SteadySplit is a temporary cluster designation used by Proofpoint for a China-aligned espionage actor associated with the broader activity commonly referred to as Mustang Panda. Proofpoint states that Mustang Panda is tracked under two primary clusters: TA416 and UNK_SteadySplit. Known aliases for UNK_SteadySplit include CerenaKeeper and Red Ishtar. Proofpoint reports that UNK_SteadySplit has been active since at least 2022. Historical technical overlaps between UNK_SteadySplit and TA416 have been reported, including Trend Micro’s observation that a UNK_SteadySplit TONESHELL command-and-control IP address was embedded in a filepath within two LNK files used in TA416 campaigns. Proofpoint assessed that these overlaps suggest some organizational, personnel, or hierarchical link between TA416 and UNK_SteadySplit, but stated that the exact relationship remains unclear and that similar overlaps were not observed in recent campaigns. The provided content does not attribute specific targeting, tactics, or procedures directly to UNK_SteadySplit beyond its association with the broader Mustang Panda ecosystem.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

TONESHELLPrior research by Trend Micro had identified technical overlaps between TA416 and UNK_SteadySplit, most notably through a UNK_SteadySplit TONESHELL command-and-control (C2) IP address embedded in a filepath within two LNK files used in TA416 campaigns.2May 26, 2026

PUBLOADUNK_SteadySplit is a user of the custom TONESHELL and PUBLOAD malware families, alongside multiple other first-stage malware families delivered in phishing campaigns.1Apr 1, 2026

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

infosecurity magazineNews

Apr 1, 2026

Chinese Hackers Target European Governments in Espionage Campaigns - Infosecurity Magazine

A second Proofpoint-tracked cluster associated with Mustang Panda activity; prior research identified technical overlaps with TA416, suggesting some organizational, personnel, or hierarchical link, though the exact relationship remains unclear.

proofpoint threat insight blogNews

Mar 26, 2026

I’d come running back to EU again: TA416 resumes European government espionage campaigns | Proofpoint US

A distinct cluster associated in public reporting with the broader Mustang Panda umbrella, primarily targeting government, hospitality, technology, insurance, and energy organizations in South and Southeast Asia, especially Myanmar and Thailand, using phishing-delivered malware including TONESHELL and PUBLOAD.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.