Find notable cyber news and cases, enriched with sources, timelines, and signals.

LOTUSLITE evolved backdoor activity in India banking-sector targeting

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

An evolved LOTUSLITE backdoor is now being deployed with remote shell, file operations, session management, and data exfiltration capabilities, extending an espionage-focused operation into India's banking sector. The malware uses a dynamic DNS command-and-control server over HTTPS, showing active operator maintenance and continued control over infected hosts. Earlier use of the same family against U.S. government and policy targets, plus newer artifacts tied to South Korean policy and diplomatic circles, indicates a widening targeting set.

Related Happenings

FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan

Malware Activity
H score28 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: An updated **FDMTP backdoor** variant is active in a **months-long espionage operation** against **Asia-Pacific and Japan** networks, increasing the risk of stealthy remote access...

LofyGang Minecraft LofyStealer campaign

Campaign
H score38 First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles

Campaign
H score32 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

How related: "What stands out is the broadening of the group's targeting, from U.S. government entities with geopolitical lures, to India's banking sector through implants embedded with HDFC Bank references and pop-ups masquerading as legitimate banking software, and now to South Korean and U.S. policy circles through the impersonation of a prominent figure in Korean peninsula diplomacy, delivered via spoofed Gmail accounts and Google Drive staging."

About this happening: **Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

APT28 SOHO router DNS hijacking and credential theft campaign

Campaign
H score41 First: 07.04.2026 18:30 Last: 07.04.2026 18:30 Sources 1

About this happening: **APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...

Latest development: 08.04.2026 13:03

On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.

Timeline

  1. 22.04.2026 10:58 2 articles · 2mo ago

    Acronis identifies evolved LOTUSLITE variant

    Technical Analysis Update

    Acronis researchers identified an evolved LOTUSLITE backdoor linked to Mustang Panda that uses a CHM lure, DLL side-loading, and an updated DLL named dnx.onecore.dll to retrieve JavaScript from cosmosmusic[.]com, load commands from editor.gleeze[.]com over HTTPS, and support remote shell access, file operations, session management, and exfiltration. The activity pivots toward India's banking sector through HDFC Bank-themed implants and pop-ups, while also showing similar artifacts aimed at South Korean policy and diplomatic circles and earlier LOTUSLITE use against U.S. government and policy entities.

    Show sources