Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
Summary
Hide ▲
Show ▼
Mustang Panda launched a newly identified spear-phishing campaign that is aimed largely at financial organizations in India and also reaches US-Korea public policy circles. The operation matters because it expands the actor’s espionage targeting beyond its usual geopolitical focus into banking and policy-linked cohorts. The delivery chain used malicious files, DLL sideloading, and Windows Registry persistence to install LotusLite.
Related Happenings
UK government FCA Bank of England and **CMORG** Issued a statement urging firms to actively manage frontier AI cyber risks and strengthen defenses for **May 15** and ongoing
Public Sector Action
H score20
First: 18.05.2026 12:00
Last: 18.05.2026 12:00
Sources 1
About this happening:
The **UK government**, **FCA**, and **Bank of England** issued a **May 15** statement telling **UK financial services firms** to actively manage **frontier AI** cyber risks, becau...
UK government FCA Bank of England and **CMORG** Issued a statement urging firms to actively manage frontier AI cyber risks and strengthen defenses for **May 15** and ongoing
Public Sector ActionAbout this happening: The **UK government**, **FCA**, and **Bank of England** issued a **May 15** statement telling **UK financial services firms** to actively manage **frontier AI** cyber risks, becau...
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
H score40
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
CampaignAbout this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
US Scam Center Strike Force indictments and domain seizures against scam centers
Law Enforcement
H score73
First: 24.04.2026 19:48
Last: 24.04.2026 19:48
Sources 1
About this happening:
US authorities **indicted** two people and **seized** scam infrastructure in a **financial-fraud** case targeting Southeast Asian scam centers, disrupting operations used to scam...
US Scam Center Strike Force indictments and domain seizures against scam centers
Law EnforcementAbout this happening: US authorities **indicted** two people and **seized** scam infrastructure in a **financial-fraud** case targeting Southeast Asian scam centers, disrupting operations used to scam...
LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware Activity
H score23
First: 22.04.2026 10:58
Last: 22.04.2026 10:58
Sources 1
How related:
"The latest activity flagged by Acronis involves deploying an evolved version of LOTUSLITE that demonstrates "incremental improvements" over its predecessor, indicating that the malware is being actively maintained and refined by its operators."
About this happening:
An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...
LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware ActivityHow related: "The latest activity flagged by Acronis involves deploying an evolved version of LOTUSLITE that demonstrates "incremental improvements" over its predecessor, indicating that the malware is being actively maintained and refined by its operators."
About this happening: An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...
LotusLite backdoor delivered via DLL sideloading
Malware Activity
H score22
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
How related:
victims were rewarded with a variant of LotusLite, a backdoor built and maintained by this particular threat cluster within Mustang Panda, which it uses to establish shells, access files, and perform other remote operations for espionage.
About this happening:
The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
LotusLite backdoor delivered via DLL sideloading
Malware ActivityHow related: victims were rewarded with a variant of LotusLite, a backdoor built and maintained by this particular threat cluster within Mustang Panda, which it uses to establish shells, access files, and perform other remote operations for espionage.
About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
Latest development: 29.06.2026 18:03
Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.
Timeline
-
21.04.2026 15:00 2 articles · 2mo ago
Acronis attributes Mustang Panda campaign to Indian banks and US-Korea policy circles
Initial DisclosureAcronis researchers attributed a newly identified Mustang Panda campaign to China-linked espionage activity aimed largely at financial organizations in India and partly at American and Korean public policy circles. The lure chain used spear-phishing, malicious files, DLL sideloading, Windows Registry persistence, and a LotusLite backdoor variant that was lightly modified and disguised as "HDFC Bank" software.
Show sources
- Chinese APT Targets Indian Banks, Korean Policy Circles — www.darkreading.com — 21.04.2026 15:00
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58