Find notable cyber news and cases, enriched with sources, timelines, and signals.

LotusLite backdoor delivered via DLL sideloading

Malware Activity
First reported
Last updated
Happening score
H score 22
2 unique sources, 2 articles

Summary

Hide ▲

The Mustang Panda malware activity now includes June 12–22, 2026 compromises against Indian government and hydropower targets, where the group abused Zoho WorkDrive as a command-and-control and exfiltration channel. The activity used SHARDLOADER, MINIRECON, and ZOHOMURK, with delivery via spear-phishing ZIP archives and DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver. Acronis also found active compromises inside Indian government networks, worked with CERT-In on cleanup, and published hunting indicators including Run keys, SolidPDFPcl2Bmp, and couldinstallup[.]com.

Related Happenings

FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan

Malware Activity
H score28 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: An updated **FDMTP backdoor** variant is active in a **months-long espionage operation** against **Asia-Pacific and Japan** networks, increasing the risk of stealthy remote access...

Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

Campaign
H score40 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...

LOTUSLITE evolved backdoor activity in India banking-sector targeting

Malware Activity
H score23 First: 22.04.2026 10:58 Last: 22.04.2026 10:58 Sources 1

About this happening: An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...

Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles

Campaign
H score32 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

How related: Square that with its most newly discovered campaign, which employs no interesting TTPs, and though partly focused against American and Korean public policy circles, is aimed largely at financial organizations in India.

About this happening: **Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...

Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign

Campaign
H score32 First: 30.03.2026 10:00 Last: 30.03.2026 10:00 Sources 1

About this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...

Timeline

  1. 29.06.2026 18:03 1 articles · 10d ago

    Mustang Panda expands Zoho WorkDrive espionage against Indian government and hydropower targets

    Campaign Scope Update

    Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

    Show sources
  2. 21.04.2026 15:00 2 articles · 2mo ago

    Mustang Panda campaign targets Indian banks and US-Korea policy circles

    Initial Disclosure

    A new Mustang Panda campaign targeted India's banking sector and, in part, US-Korea policy circles. The lure chain used spear-phishing, a malicious file, DLL sideloading, and Windows Registry persistence to deliver a LotusLite backdoor variant with minor edits to evade detection. The payload was disguised as HDFC Bank software, and the same campaign also appears to have reached Korean and American targets.

    Show sources