LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware Activity
Summary
An evolved LOTUSLITE backdoor is now being deployed with remote shell, file operations, session management, and data exfiltration capabilities, extending an espionage-focused operation into India's banking sector. The malware uses a dynamic DNS command-and-control server over HTTPS, showing active operator maintenance and continued control over infected hosts. Earlier use of the same family against U.S. government and policy targets, plus newer artifacts tied to South Korean policy and diplomatic circles, indicates a widening targeting set.
Related Happenings
FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan
Malware Activity
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
An updated **FDMTP backdoor** variant is active in a **months-long espionage operation** against **Asia-Pacific and Japan** networks, increasing the risk of stealthy remote access...
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
How related:
"What stands out is the broadening of the group's targeting, from U.S. government entities with geopolitical lures, to India's banking sector through implants embedded with HDFC Bank references and pop-ups masquerading as legitimate banking software, and now to South Korean and U.S. policy circles through the impersonation of a prominent figure in Korean peninsula diplomacy, delivered via spoofed Gmail accounts and Google Drive staging."
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
LotusLite backdoor delivered via DLL sideloading
Malware Activity
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **LotusLite** backdoor is being delivered through **malicious files** and **DLL sideloading**, creating a remote-access malware activity that supports **espionage**. The opera...
APT28 SOHO router DNS hijacking and credential theft campaign
Campaign
First: 07.04.2026 18:30
Last: 07.04.2026 18:30
Sources 1
About this happening:
**APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...
Latest development: 08.04.2026 13:03
On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.
Timeline
- 22.04.2026 10:58 · 2 articles
Acronis identifies evolved LOTUSLITE variant
Technical Analysis Update
Acronis researchers identified an evolved LOTUSLITE backdoor linked to Mustang Panda that uses a CHM lure, DLL side-loading, and an updated DLL named dnx.onecore.dll to retrieve JavaScript from cosmosmusic[.]com, load commands from editor.gleeze[.]com over HTTPS, and support remote shell access, file operations, session management, and exfiltration. The activity pivots toward India's banking sector through HDFC Bank-themed implants and pop-ups, while also showing similar artifacts aimed at South Korean policy and diplomatic circles and earlier LOTUSLITE use against U.S. government and policy entities.
Sources
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
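The technical analysis above names three artefacts a defender can hunt for directly: the dynamic-DNS command server editor.gleeze[.]com, the JavaScript staging host cosmosmusic[.]com, and the side-loaded DLL dnx.onecore.dll. The following Python is an added example, not code from Acronis or from the tracker page: it refangs those indicators, scans log lines for exact-token matches, and lists the assets involved. The log format (space-separated key=value fields with `client=` or `host=` names) and the five log lines are constructed for the example; any real deployment would adapt `ASSET_FIELD_RE` to its own resolver and EDR formats.

```python
import re

# Indicators quoted in the Acronis write-up summarised on this page, kept defanged as published.
INDICATORS_DEFANGED = {
    "c2_domain": "editor.gleeze[.]com",
    "stager_domain": "cosmosmusic[.]com",
    "sideloaded_dll": "dnx.onecore.dll",
}

# Constructed sample telemetry (not real logs): a resolver log and an EDR image-load log.
SAMPLE_LOG_LINES = [
    "2026-04-22T09:14:02Z dns client=10.0.5.17 qname=editor.gleeze.com qtype=A",
    "2026-04-22T09:14:03Z dns client=10.0.5.17 qname=www.example.org qtype=A",
    "2026-04-22T09:13:55Z imageload host=WS-0417 process=hh.exe "
    "image=C:\\Users\\u\\AppData\\Local\\Temp\\dnx.onecore.dll",
    "2026-04-22T09:14:10Z dns client=10.0.5.18 qname=cosmosmusic.com qtype=A",
    "2026-04-22T09:14:11Z imageload host=WS-0418 process=notepad.exe "
    "image=C:\\Windows\\System32\\kernel32.dll",
]

# Assumed field names for the asset that produced a line (constructed log format).
ASSET_FIELD_RE = re.compile(r"\b(?:client|host)=([^\s]+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into its literal form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_patterns(indicators):
    """Compile one whole-token regex per indicator so 'notgleeze.com' or
    'editor.gleeze.com.example' do not produce false hits."""
    patterns = {}
    for name, ioc in indicators.items():
        literal = re.escape(refang(ioc))
        patterns[name] = re.compile(r"(?<![\w.-])" + literal + r"(?![\w.-])", re.IGNORECASE)
    return patterns


def scan_lines(lines, indicators=INDICATORS_DEFANGED):
    """Return (line_index, indicator_name) pairs for every line that contains an indicator."""
    patterns = build_patterns(indicators)
    hits = []
    for index, line in enumerate(lines):
        for name, pattern in patterns.items():
            if pattern.search(line):
                hits.append((index, name))
    return hits


def affected_assets(lines, hits):
    """Collect the client IPs / hostnames behind the matching lines for triage."""
    assets = set()
    for index, _name in hits:
        match = ASSET_FIELD_RE.search(lines[index])
        if match:
            assets.add(match.group(1))
    return assets


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG_LINES)
    for index, name in found:
        print(f"{name:15s} line {index}: {SAMPLE_LOG_LINES[index]}")
    print("assets to triage:", sorted(affected_assets(SAMPLE_LOG_LINES, found)))
```

Exact-token matching is deliberate: the page gives full hostnames, so the scan matches those hosts rather than the parent gleeze.com dynamic-DNS zone, which many unrelated subdomains share; a broader hunt for the zone as a whole would be a separate, noisier query.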