LotusLite backdoor delivered via DLL sideloading
Malware Activity
Summary
Hide ▲
Show ▼
The Mustang Panda malware activity now includes June 12–22, 2026 compromises against Indian government and hydropower targets, where the group abused Zoho WorkDrive as a command-and-control and exfiltration channel. The activity used SHARDLOADER, MINIRECON, and ZOHOMURK, with delivery via spear-phishing ZIP archives and DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver. Acronis also found active compromises inside Indian government networks, worked with CERT-In on cleanup, and published hunting indicators including Run keys, SolidPDFPcl2Bmp, and couldinstallup[.]com.
Related Happenings
FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan
Malware Activity
H score28
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
An updated **FDMTP backdoor** variant is active in a **months-long espionage operation** against **Asia-Pacific and Japan** networks, increasing the risk of stealthy remote access...
FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan
Malware ActivityAbout this happening: An updated **FDMTP backdoor** variant is active in a **months-long espionage operation** against **Asia-Pacific and Japan** networks, increasing the risk of stealthy remote access...
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
H score40
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
CampaignAbout this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware Activity
H score23
First: 22.04.2026 10:58
Last: 22.04.2026 10:58
Sources 1
About this happening:
An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...
LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware ActivityAbout this happening: An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
H score32
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
How related:
Square that with its most newly discovered campaign, which employs no interesting TTPs, and though partly focused against American and Korean public policy circles, is aimed largely at financial organizations in India.
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
CampaignHow related: Square that with its most newly discovered campaign, which employs no interesting TTPs, and though partly focused against American and Korean public policy circles, is aimed largely at financial organizations in India.
About this happening: **Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Campaign
H score32
First: 30.03.2026 10:00
Last: 30.03.2026 10:00
Sources 1
About this happening:
Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
CampaignAbout this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
Timeline
-
29.06.2026 18:03 1 articles · 10d ago
Mustang Panda expands Zoho WorkDrive espionage against Indian government and hydropower targets
Campaign Scope UpdateAcronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.
Show sources
- Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks — thehackernews.com — 29.06.2026 18:03
-
21.04.2026 15:00 2 articles · 2mo ago
Mustang Panda campaign targets Indian banks and US-Korea policy circles
Initial DisclosureA new Mustang Panda campaign targeted India's banking sector and, in part, US-Korea policy circles. The lure chain used spear-phishing, a malicious file, DLL sideloading, and Windows Registry persistence to deliver a LotusLite backdoor variant with minor edits to evade detection. The payload was disguised as HDFC Bank software, and the same campaign also appears to have reached Korean and American targets.
Show sources
- Chinese APT Targets Indian Banks, Korean Policy Circles — www.darkreading.com — 21.04.2026 15:00
- Chinese APT Targets Indian Banks, Korean Policy Circles — www.darkreading.com — 21.04.2026 15:00