Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles

Campaign
First reported
Last updated
Happening score
H score 32
2 unique sources, 2 articles

Summary

Hide ▲

Mustang Panda launched a newly identified spear-phishing campaign that is aimed largely at financial organizations in India and also reaches US-Korea public policy circles. The operation matters because it expands the actor’s espionage targeting beyond its usual geopolitical focus into banking and policy-linked cohorts. The delivery chain used malicious files, DLL sideloading, and Windows Registry persistence to install LotusLite.

Related Happenings

UK government FCA Bank of England and **CMORG** Issued a statement urging firms to actively manage frontier AI cyber risks and strengthen defenses for **May 15** and ongoing

Public Sector Action
H score20 First: 18.05.2026 12:00 Last: 18.05.2026 12:00 Sources 1

About this happening: The **UK government**, **FCA**, and **Bank of England** issued a **May 15** statement telling **UK financial services firms** to actively manage **frontier AI** cyber risks, becau...

Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

Campaign
H score40 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...

US Scam Center Strike Force indictments and domain seizures against scam centers

Law Enforcement
H score73 First: 24.04.2026 19:48 Last: 24.04.2026 19:48 Sources 1

About this happening: US authorities **indicted** two people and **seized** scam infrastructure in a **financial-fraud** case targeting Southeast Asian scam centers, disrupting operations used to scam...

LOTUSLITE evolved backdoor activity in India banking-sector targeting

Malware Activity
H score23 First: 22.04.2026 10:58 Last: 22.04.2026 10:58 Sources 1

How related: "The latest activity flagged by Acronis involves deploying an evolved version of LOTUSLITE that demonstrates "incremental improvements" over its predecessor, indicating that the malware is being actively maintained and refined by its operators."

About this happening: An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

How related: victims were rewarded with a variant of LotusLite, a backdoor built and maintained by this particular threat cluster within Mustang Panda, which it uses to establish shells, access files, and perform other remote operations for espionage.

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

Timeline

  1. 21.04.2026 15:00 2 articles · 2mo ago

    Acronis attributes Mustang Panda campaign to Indian banks and US-Korea policy circles

    Initial Disclosure

    Acronis researchers attributed a newly identified Mustang Panda campaign to China-linked espionage activity aimed largely at financial organizations in India and partly at American and Korean public policy circles. The lure chain used spear-phishing, malicious files, DLL sideloading, Windows Registry persistence, and a LotusLite backdoor variant that was lightly modified and disguised as "HDFC Bank" software.

    Show sources