Mustang Panda Targets India and South Korea with Enhanced LOTUSLITE Backdoor

The China-linked threat group tracked as Mustang Panda has stepped up its espionage operations, targeting the financial sector in India and policy circles in South Korea. Findings from the Acronis Threat Research Unit show that this activity follows the group's earlier 2026 campaign, which used Venezuela-themed lures in an attempt to infiltrate U.S. government systems.

Focus on HDFC Bank and Political Experts

The latest campaign appears to have started in March 2026. In India, the group used a compiled HTML Help file named Request for Support.chm to lure banking employees. Opening it displayed a pop-up referencing HDFC Bank Limited to lend the file credibility, while in the background it fetched a malicious JavaScript file, music.js, from the domain cosmosmusic[.]com.

According to the analysis Acronis shared, Mustang Panda did not stop at the support-ticket pretext. It also built convincing pop-up windows that imitated real HDFC Bank software, so that employees believed they were interacting with a legitimate banking application while a new variant of the LOTUSLITE backdoor, tracked as LOTUSLITE v1.1, was installed on their systems.

Comparison of LOTUSLITE versions (Source: Acronis)

In another strand of the operation, the attackers impersonated Victor Cha, a former Director for Asian Affairs at the U.S. National Security Council. They set up a fraudulent Gmail account in his name and sent links to Google Drive folders labeled March 30, which held fake invitation letters intended to compromise the computers of policy experts.

Attack Chain (Source: Acronis)

Familiar Techniques, New Strategies

The group relied on a technique known as DLL sideloading. A legitimate, Microsoft-signed executable such as Microsoft_DNX.exe loads a library by name from its own directory, so the attackers placed a malicious DLL carrying that name next to the signed binary. The malicious code then runs inside a trusted, signed process and inherits the reputation that security tools grant to Microsoft-signed software.

DLL sideloading into a signed executable (Source: Acronis)
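One way to hunt for the pattern described above in endpoint telemetry, added here as an example and not part of Acronis's tooling: the records below are constructed image-load events (field names, paths and the DLL names are assumptions), each joined with the Authenticode publisher of the loading process and of the loaded module. The heuristic flags a Microsoft-signed executable that runs from outside its normal install locations and loads a co-located DLL that is unsigned or signed by a different publisher.

```python
from pathlib import PureWindowsPath

# Directories where a Microsoft-signed binary normally lives. The same binary
# running from Temp, Downloads or another user-writable path is the typical
# sideloading setup.
EXPECTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample telemetry (not real events). Each record joins one
# image-load event with the publisher of the process and of the loaded module;
# None means the module is unsigned. Paths and DLL names are illustrative.
EVENTS = [
    {   # Microsoft-signed EXE dropped in Temp loads an unsigned DLL beside it
        "process": r"C:\Users\victim\AppData\Local\Temp\support\Microsoft_DNX.exe",
        "process_publisher": "Microsoft Corporation",
        "module": r"C:\Users\victim\AppData\Local\Temp\support\example_helper.dll",
        "module_publisher": None,
    },
    {   # same EXE loading a Microsoft-signed system DLL: normal behaviour
        "process": r"C:\Users\victim\AppData\Local\Temp\support\Microsoft_DNX.exe",
        "process_publisher": "Microsoft Corporation",
        "module": r"C:\Windows\System32\kernel32.dll",
        "module_publisher": "Microsoft Windows",
    },
    {   # third-party app loading its own unsigned plugin from its install dir
        "process": r"C:\Program Files\ExampleVendor\app.exe",
        "process_publisher": "Example Vendor Ltd",
        "module": r"C:\Program Files\ExampleVendor\plugin.dll",
        "module_publisher": None,
    },
    {   # Microsoft-signed EXE in a user dir loads a DLL signed by someone else
        "process": r"C:\Users\victim\Downloads\March 30\Microsoft_DNX.exe",
        "process_publisher": "Microsoft Corporation",
        "module": r"C:\Users\victim\Downloads\March 30\example_core.dll",
        "module_publisher": "Some Other Publisher",
    },
]


def _parent_dir(path):
    """Case-insensitive parent directory, so co-location compares reliably."""
    return str(PureWindowsPath(path).parent).lower()


def _in_expected_dir(path):
    p = path.lower()
    return any(p.startswith(d) for d in EXPECTED_DIRS)


def sideload_reason(ev):
    """Return a short reason string if the event looks like sideloading, else None."""
    proc_pub = (ev["process_publisher"] or "").lower()
    if not proc_pub.startswith("microsoft"):
        return None                       # heuristic scoped to Microsoft-signed hosts
    if _in_expected_dir(ev["process"]):
        return None                       # running from its normal install location
    if _parent_dir(ev["process"]) != _parent_dir(ev["module"]):
        return None                       # DLL is not co-located with the EXE
    mod_pub = ev["module_publisher"]
    if mod_pub is None:
        return "Microsoft-signed host outside Windows/Program Files loaded an unsigned co-located DLL"
    if not mod_pub.lower().startswith("microsoft"):
        return f"publisher mismatch: host=Microsoft, dll={mod_pub}"
    return None


def find_sideloads(events):
    """List (dll name, reason) for every event the heuristic flags."""
    out = []
    for ev in events:
        why = sideload_reason(ev)
        if why:
            out.append((PureWindowsPath(ev["module"]).name, why))
    return out


if __name__ == "__main__":
    for name, why in find_sideloads(EVENTS):
        print(f"ALERT {name}: {why}")
```

The publisher check matters more than the file name: a sideloaded DLL usually has a perfectly ordinary name, and the signal is a signed host process trusting an unsigned neighbour from a path no installer would use.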

Researchers also note that the group is working to make its tooling harder to spot. The internal code markers, known as magic values, changed from 0x8899AABB to 0xB2EBCFDF, and a command flag previously named –DATA was renamed –ZoneMAX. Detections that key only on the old constants will miss the new build.
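The marker change above is exactly the kind of edit that silently breaks a static signature. The scanner below, an added example that is not Acronis's code and is run here only on constructed byte blobs rather than real samples, matches both versions' magic values and flags and renders the same indicators as a YARA rule. The report gives the magic as a 32-bit value and the flag as a dash-prefixed word but does not say which byte order the magic is stored in or how many dashes the flag uses, so the scanner matches both byte orders and one or two dashes; those choices are assumptions.

```python
import re
import struct

# Version markers as reported for the two LOTUSLITE builds.
MARKERS = {
    "LOTUSLITE (earlier)": {"magic": 0x8899AABB, "flag": b"DATA"},
    "LOTUSLITE v1.1":      {"magic": 0xB2EBCFDF, "flag": b"ZoneMAX"},
}


def magic_patterns(value):
    """Both byte orders of a 32-bit magic, since the storage order is not given."""
    return {"be": struct.pack(">I", value), "le": struct.pack("<I", value)}


def scan(buf):
    """Return {version: [hit descriptions]} for every marker found in buf."""
    hits = {}
    for version, m in MARKERS.items():
        found = []
        for order, pat in magic_patterns(m["magic"]).items():
            off = buf.find(pat)
            if off != -1:
                found.append(f"magic 0x{m['magic']:08X} ({order}) at offset {off}")
        # One or two dashes, and no identifier character directly after the word.
        flag_re = rb"-{1,2}" + re.escape(m["flag"]) + rb"(?![A-Za-z0-9_])"
        for match in re.finditer(flag_re, buf):
            found.append(f"flag {match.group().decode()} at offset {match.start()}")
        if found:
            hits[version] = found
    return hits


def yara_rule(name="LOTUSLITE_markers"):
    """Render the same markers as a YARA rule so the hunt can run in a real scanner."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, m in enumerate(MARKERS.values()):
        for order, pat in magic_patterns(m["magic"]).items():
            lines.append(f"        $magic{i}_{order} = {{ {pat.hex(' ').upper()} }}")
        lines.append(f"        $flag{i} = /--?{m['flag'].decode()}\\b/")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


# Constructed sample buffers (not real samples): an old-style blob storing the
# magic little-endian, and a v1.1-style blob storing it big-endian.
OLD_BLOB = b"\x00" * 16 + struct.pack("<I", 0x8899AABB) + b" run -DATA cfg\x00"
NEW_BLOB = b"MZ\x90\x00" + b"\x00" * 12 + struct.pack(">I", 0xB2EBCFDF) + b" --ZoneMAX\x00"

if __name__ == "__main__":
    for label, blob in (("old", OLD_BLOB), ("new", NEW_BLOB)):
        print(label, scan(blob))
    print(yara_rule())
```

Keeping the old markers in the rule is deliberate: older builds stay in circulation, and a rule that tracks every known variant of a constant is what survives the next renaming.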

Mustang Panda also used the dynamic DNS service Gleeze for command-and-control, with its server reached at editor.gleeze[.]com. This infrastructure matches that used in past operations, tying the activity back to the group.

Despite these changes, the new files still carry older internal project names such as KugouMain and DataImporterMain, and the code includes a message aimed at a security researcher who tracks the group.

The group's evolving impersonation tactics and its abuse of trusted software for social engineering underline the need to treat unexpected emails and attachments with suspicion, even when they appear to come from a legitimate sender. Defenders should also watch for signed binaries executing from user-writable locations and loading co-located DLLs, and should refresh detections whenever a malware family's constants change.
