Mustang Panda Venezuela-themed spear-phishing campaign targeting U.S. policy entities
Campaign
Summary
Hide ▲
Show ▼
A Mustang Panda campaign targeted U.S. government and policy entities with Venezuela-themed spear phishing, using a ZIP archive to deliver the LOTUSLITE backdoor. The operation matters because the payload supports remote tasking, data exfiltration, and persistent access through Windows Registry changes. The targeting and delivery chain suggest an active intrusion effort built around relevant geopolitical lures rather than a one-off lure. Successful compromise was not confirmed.
Related Happenings
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Campaign
H score32
First: 30.03.2026 10:00
Last: 30.03.2026 10:00
Sources 1
About this happening:
Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
CampaignAbout this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation Wave
H score20
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
**CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...
WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation WaveAbout this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
H score21
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
VulnerabilityAbout this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
Tudou Guarantee shuts down Telegram fraud operations
Threat Actor Meta
H score19
First: 20.01.2026 12:00
Last: 20.01.2026 12:00
Sources 1
About this happening:
**Tudou Guarantee** is closing its **Telegram** operations after **US and UK sanctions**, disrupting a major fraud marketplace tied to the **Southeast Asia scam economy**. The shi...
Tudou Guarantee shuts down Telegram fraud operations
Threat Actor MetaAbout this happening: **Tudou Guarantee** is closing its **Telegram** operations after **US and UK sanctions**, disrupting a major fraud marketplace tied to the **Southeast Asia scam economy**. The shi...
LOTUSLITE backdoor delivered via DLL side-loading and C2 beaconing
Malware Activity
H score22
First: 16.01.2026 12:27
Last: 16.01.2026 12:27
Sources 1
How related:
The backdoor ("kugou.dll") employed in the attack, LOTUSLITE, is a bespoke C++ implant that's designed to communicate with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs to enable beaconing activity, remote tasking using "cmd.exe," and data exfiltration.
About this happening:
The **LOTUSLITE** backdoor was delivered as a malicious DLL through **DLL side-loading**, giving the implant a foothold for **beaconing**, **remote tasking**, and **data exfiltrat...
LOTUSLITE backdoor delivered via DLL side-loading and C2 beaconing
Malware ActivityHow related: The backdoor ("kugou.dll") employed in the attack, LOTUSLITE, is a bespoke C++ implant that's designed to communicate with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs to enable beaconing activity, remote tasking using "cmd.exe," and data exfiltration.
About this happening: The **LOTUSLITE** backdoor was delivered as a malicious DLL through **DLL side-loading**, giving the implant a foothold for **beaconing**, **remote tasking**, and **data exfiltrat...
Timeline
-
16.01.2026 12:27 2 articles · 5mo ago
Mustang Panda campaign delivers LOTUSLITE via Venezuela lure
Initial DisclosureSecurity researchers disclosed a Mustang Panda campaign that targeted U.S. government and policy entities with Venezuela-themed spear phishing, including the ZIP archive "US now deciding what's next for Venezuela.zip" and a malicious DLL launched through DLL side-loading to load LOTUSLITE. The bespoke C++ backdoor "kugou.dll" uses Windows WinHTTP APIs to beacon to a hard-coded C2 server, supports remote tasking through cmd.exe, file operations, and data exfiltration, and can establish Windows Registry-based persistence. Attribution was made with moderate confidence to Mustang Panda, and successful compromise of any target was not confirmed.
Show sources
- LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing — thehackernews.com — 16.01.2026 12:27
- LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing — thehackernews.com — 16.01.2026 12:27