Mustang Panda Venezuela-themed spear-phishing campaign targeting U.S. policy entities
Campaign
Summary
A Mustang Panda campaign targeted U.S. government and policy entities with Venezuela-themed spear phishing, using a ZIP archive to deliver the LOTUSLITE backdoor. The operation matters because the payload supports remote tasking, data exfiltration, and persistent access through Windows Registry changes. The targeting and delivery chain suggest a sustained intrusion effort built around timely geopolitical lures rather than a single opportunistic message. Successful compromise was not confirmed.
Related Happenings
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Campaign
First: 30.03.2026 10:00
Last: 30.03.2026 10:00
Sources 1
About this happening:
Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation Wave
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
**CVE-2025-8088** in **WinRAR** remains part of an **ongoing exploitation wave**, with **multiple threat groups** using the flaw for **initial access** and payload delivery. The a...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited**, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abu...
Tudou Guarantee shuts down Telegram fraud operations
Threat Actor Meta
First: 20.01.2026 12:00
Last: 20.01.2026 12:00
Sources 1
About this happening:
**Tudou Guarantee** is closing its **Telegram** operations after **US and UK sanctions**, disrupting a major fraud marketplace tied to the **Southeast Asia scam economy**. The shi...
LOTUSLITE backdoor delivered via DLL side-loading and C2 beaconing
Malware Activity
First: 16.01.2026 12:27
Last: 16.01.2026 12:27
Sources 1
How related:
The backdoor ("kugou.dll") employed in the attack, LOTUSLITE, is a bespoke C++ implant that is designed to communicate with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs to enable beaconing activity, remote tasking using "cmd.exe," and data exfiltration.
About this happening:
The **LOTUSLITE** backdoor was delivered as a malicious DLL through **DLL side-loading**, giving the implant a foothold for **beaconing**, **remote tasking**, and **data exfiltrat...
Timeline
16.01.2026 12:27 · 2 articles
Mustang Panda campaign delivers LOTUSLITE via Venezuela lure
Initial Disclosure: Security researchers disclosed a Mustang Panda campaign that targeted U.S. government and policy entities with Venezuela-themed spear phishing, including the ZIP archive "US now deciding what's next for Venezuela.zip" and a malicious DLL launched through DLL side-loading to load LOTUSLITE. The bespoke C++ backdoor "kugou.dll" uses Windows WinHTTP APIs to beacon to a hard-coded C2 server, supports remote tasking through cmd.exe, file operations, and data exfiltration, and can establish Windows Registry-based persistence. Attribution was made with moderate confidence to Mustang Panda, and successful compromise of any target was not confirmed.
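The delivery chain above gives a defender three observable stages: an unsigned DLL loaded from the directory the archive was extracted into, a Run-key write for persistence, and outbound traffic from a process living outside the usual system directories. The script below is an added triage example, not code from the original report or from the researchers cited; it applies one rule per stage to constructed Sysmon-style events. Only the DLL name "kugou.dll" and the ZIP name come from the page; the extraction path, the loader executable name "launcher.exe", the destination address and the Run-key value name are made-up placeholders, and the event field names are a simplified approximation of Sysmon's.

```python
"""Triage rules for the three stages described in the timeline entry.

Added example; event shape is Sysmon-like but simplified, and all paths,
hosts and names other than "kugou.dll" and the ZIP title are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Locations a user (or an archive extractor) can write to without elevation.
USER_WRITABLE = re.compile(
    r"^c:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|temp|programdata)\\",
    re.IGNORECASE,
)
# Locations where a properly installed binary is expected to live.
SYSTEM_DIRS = re.compile(r"^c:\\(?:windows|program files(?: \(x86\))?)\\", re.IGNORECASE)
# Per-user and per-machine autostart keys used for Registry-based persistence.
RUN_KEYS = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def dll_sideload(ev: dict) -> Optional[Finding]:
    """EID 7 (image loaded): an unsigned DLL loaded from a user-writable directory
    that also contains the loading executable, the classic side-loading layout."""
    if ev.get("EventID") != 7:
        return None
    loaded, image = ev["ImageLoaded"], ev["Image"]
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
    if USER_WRITABLE.match(loaded) and same_dir and ev.get("Signed", "").lower() != "true":
        return Finding("dll_sideload", image, loaded)
    return None


def run_key_persistence(ev: dict) -> Optional[Finding]:
    """EID 13 (registry value set): a Run/RunOnce value written by a process
    outside the system directories."""
    if ev.get("EventID") != 13 or not RUN_KEYS.search(ev["TargetObject"]):
        return None
    if SYSTEM_DIRS.match(ev["Image"]):
        return None
    return Finding("run_key_persistence", ev["Image"], f'{ev["TargetObject"]} = {ev["Details"]}')


def beacon_from_user_dir(ev: dict) -> Optional[Finding]:
    """EID 3 (network connection): outbound connection initiated by a process
    outside the system directories, the shape of the WinHTTP beaconing described."""
    if ev.get("EventID") != 3 or ev.get("Initiated", "").lower() != "true":
        return None
    if SYSTEM_DIRS.match(ev["Image"]):
        return None
    return Finding("network_from_user_dir", ev["Image"], f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')


RULES: List[Callable[[dict], Optional[Finding]]] = [dll_sideload, run_key_persistence, beacon_from_user_dir]


def triage(events: List[dict]) -> List[Finding]:
    """Run every rule over every event; returns findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


# Constructed sample: benign system activity interleaved with the three suspicious stages.
# The folder name mirrors the ZIP title from the report; the machine and paths are invented.
EXTRACT_DIR = r"C:\Users\analyst\Downloads\US now deciding what's next for Venezuela"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": EXTRACT_DIR + r"\launcher.exe",          # hypothetical loader name
     "ImageLoaded": EXTRACT_DIR + r"\kugou.dll", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "Image": EXTRACT_DIR + r"\launcher.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kugou",
     "Details": EXTRACT_DIR + r"\launcher.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": EXTRACT_DIR + r"\launcher.exe",          # placeholder C2 address
     "Initiated": "true", "DestinationIp": "198.51.100.23", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.image} -> {finding.detail}")
```

Each rule alone is noisy on a real estate (unsigned DLLs in AppData are common for some updaters), so the useful signal is the same image appearing in two or more findings within a short window; the `image` field on `Finding` is there so a follow-on step can group on it.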
Sources:
- LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing — thehackernews.com — 16.01.2026 12:27