Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
Summary
Mustang Panda launched a newly identified spear-phishing campaign that is aimed largely at financial organizations in India and also reaches US-Korea public policy circles. The operation matters because it expands the actor’s espionage targeting beyond its usual geopolitical focus into banking and policy-linked cohorts. The delivery chain used malicious files, DLL sideloading, and Windows Registry persistence to install LotusLite.
Related Happenings
UK government, FCA, Bank of England and **CMORG** issued a statement urging firms to actively manage frontier AI cyber risks and strengthen defenses for **May 15** and ongoing
Public Sector Action
First: 18.05.2026 12:00
Last: 18.05.2026 12:00
Sources 1
About this happening:
The **UK government**, **FCA**, and **Bank of England** issued a **May 15** statement telling **UK financial services firms** to actively manage **frontier AI** cyber risks, becau...
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
US Scam Center Strike Force indictments and domain seizures against scam centers
Law Enforcement
First: 24.04.2026 19:48
Last: 24.04.2026 19:48
Sources 1
About this happening:
US authorities **indicted** two people and **seized** scam infrastructure in a **financial-fraud** case targeting Southeast Asian scam centers, disrupting operations used to scam...
LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware Activity
First: 22.04.2026 10:58
Last: 22.04.2026 10:58
Sources 1
How related:
"The latest activity flagged by Acronis involves deploying an evolved version of LOTUSLITE that demonstrates "incremental improvements" over its predecessor, indicating that the malware is being actively maintained and refined by its operators."
About this happening:
An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...
LotusLite backdoor delivered via DLL sideloading
Malware Activity
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
How related:
victims were rewarded with a variant of LotusLite, a backdoor built and maintained by this particular threat cluster within Mustang Panda, which it uses to establish shells, access files, and perform other remote operations for espionage.
About this happening:
The **LotusLite** backdoor is being delivered through **malicious files** and **DLL sideloading**, creating a remote-access malware activity that supports **espionage**. The opera...
Timeline
- 21.04.2026 15:00 · 2 articles
Acronis attributes campaign targeting Indian banks and US-Korea policy circles to Mustang Panda
Initial Disclosure
Acronis researchers attributed a newly identified Mustang Panda campaign to China-linked espionage activity aimed largely at financial organizations in India and partly at American and Korean public policy circles. The lure chain used spear-phishing, malicious files, DLL sideloading, Windows Registry persistence, and a LotusLite backdoor variant that was lightly modified and disguised as "HDFC Bank" software.
Sources:
- Chinese APT Targets Indian Banks, Korean Policy Circles — www.darkreading.com — 21.04.2026 15:00
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58