Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mustang Panda Venezuela-themed spear-phishing campaign targeting U.S. policy entities

Campaign
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

A Mustang Panda campaign targeted U.S. government and policy entities with Venezuela-themed spear phishing, using a ZIP archive to deliver the LOTUSLITE backdoor. The operation matters because the payload supports remote tasking, data exfiltration, and persistent access through Windows Registry changes. The targeting and delivery chain suggest an active intrusion effort built around relevant geopolitical lures rather than a one-off lure. Successful compromise was not confirmed.

Related Happenings

Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign

Campaign
H score32 First: 30.03.2026 10:00 Last: 30.03.2026 10:00 Sources 1

About this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
H score20 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
H score21 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...

Tudou Guarantee shuts down Telegram fraud operations

Threat Actor Meta
H score19 First: 20.01.2026 12:00 Last: 20.01.2026 12:00 Sources 1

About this happening: **Tudou Guarantee** is closing its **Telegram** operations after **US and UK sanctions**, disrupting a major fraud marketplace tied to the **Southeast Asia scam economy**. The shi...

LOTUSLITE backdoor delivered via DLL side-loading and C2 beaconing

Malware Activity
H score22 First: 16.01.2026 12:27 Last: 16.01.2026 12:27 Sources 1

How related: The backdoor ("kugou.dll") employed in the attack, LOTUSLITE, is a bespoke C++ implant that's designed to communicate with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs to enable beaconing activity, remote tasking using "cmd.exe," and data exfiltration.

About this happening: The **LOTUSLITE** backdoor was delivered as a malicious DLL through **DLL side-loading**, giving the implant a foothold for **beaconing**, **remote tasking**, and **data exfiltrat...

Timeline

  1. 16.01.2026 12:27 2 articles · 5mo ago

    Mustang Panda campaign delivers LOTUSLITE via Venezuela lure

    Initial Disclosure

    Security researchers disclosed a Mustang Panda campaign that targeted U.S. government and policy entities with Venezuela-themed spear phishing, including the ZIP archive "US now deciding what's next for Venezuela.zip" and a malicious DLL launched through DLL side-loading to load LOTUSLITE. The bespoke C++ backdoor "kugou.dll" uses Windows WinHTTP APIs to beacon to a hard-coded C2 server, supports remote tasking through cmd.exe, file operations, and data exfiltration, and can establish Windows Registry-based persistence. Attribution was made with moderate confidence to Mustang Panda, and successful compromise of any target was not confirmed.

    Show sources