Mustang Panda Deploys Enhanced LOTUSLITE Backdoor Against India and South Korea
Key Findings
Mustang Panda, a China-linked hacking group, launched coordinated campaigns in March 2026 targeting India's financial sector and South Korean policy circles
The group deployed an updated LOTUSLITE v1.1 backdoor with improved obfuscation techniques and modified command structures
Indian banking workers were targeted via fake HDFC Bank support files, while South Korean diplomats received spear-phishing emails impersonating a former US National Security Council official
Attackers used DLL sideloading, placing a malicious DLL next to a legitimately Microsoft-signed executable, to evade detection, and reused infrastructure that overlaps with previous campaigns
The shift from US government targets to banking and diplomatic sectors indicates the group is expanding its espionage reach
Background
Mustang Panda has been active in targeted espionage campaigns against government and financial institutions. The group previously conducted operations against US government entities using Venezuela-related lures earlier in 2026. The latest discovery by Acronis Threat Research Unit reveals a significant geographic and sectoral expansion of the group's targeting priorities, suggesting sustained funding and operational capability.
India Banking Sector Campaign
The attack against Indian financial institutions began in March 2026 with a file named Request for Support.chm distributed to banking workers. CHM (Compiled HTML Help) files are HTML containers that can carry script, which is why they remain a useful delivery format. When opened, the file displayed a pop-up window referencing HDFC Bank Limited to appear legitimate, while behind it a malicious chain downloaded a JavaScript file called music.js from cosmosmusic[.]com.
The fake HDFC Bank pop-ups were convincing enough to pass as a legitimate banking application. Behind that decoy, LOTUSLITE v1.1 executed silently and began harvesting system information. The backdoor communicated with its command-and-control server over HTTPS, giving the operators a remote shell and file operations on the host.
South Korea Diplomatic Targeting
In a parallel operation, Mustang Panda impersonated Victor Cha, a former Director for Asian Affairs at the US National Security Council. The attackers created a fake Gmail account using Cha's real photograph and sent Google Drive links containing folders named March 30. Inside were fabricated invitation letters designed to compromise the computers of South Korean policy-makers.
The targeting specifically focused on individuals involved in Korean peninsula affairs, North Korea policy discussions, and Indo-Pacific security dialogues. This represented a deliberate shift from the group's previous focus on US government entities toward regional diplomatic circles.
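The impersonation described above defeats domain-level email authentication, because the attacker's Gmail account is a real Gmail account. As an added example, not code from the Acronis report or from this page, the following Python scores an inbound message on the signals that do remain: a display name matching someone the recipient already corresponds with, a freemail sender domain, and a cloud share link standing in for an attachment. The contact directory, the addresses and the message text are constructed for illustration.

```python
"""
Flag display-name impersonation of a known contact from a freemail account.
Added example, not code from the Acronis report; the contact directory,
addresses and message bodies are constructed.
"""
import re
from email.utils import parseaddr

FREEMAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "yahoo.com", "proton.me",
}
SHARE_LINK = re.compile(r"https?://(?:drive|docs)\.google\.com/\S+", re.IGNORECASE)

# Constructed directory: people our users already correspond with, keyed by a
# normalized display name. The address is hypothetical.
KNOWN_CONTACTS = {
    "cha victor": {"vcha@example.org"},
}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and sort tokens so 'Cha, Victor' == 'Victor Cha'."""
    tokens = re.sub(r"[^a-z ]", " ", name.casefold()).split()
    return " ".join(sorted(tokens))


def classify_sender(from_header: str, body: str) -> dict:
    """Score one message. A known name on an unknown address outweighs everything else.

    SPF, DKIM and DMARC all pass for a message like this: the sending account is
    a genuine Gmail account, so domain authentication says nothing about whether
    the display name is honest.
    """
    name, addr = parseaddr(from_header)
    addr = addr.casefold()
    domain = addr.rpartition("@")[2]
    score, reasons = 0, []

    known = KNOWN_CONTACTS.get(normalize_name(name))
    if known is not None and addr not in known:
        score += 3
        reasons.append("display name matches a known contact but address differs")
    if domain in FREEMAIL_DOMAINS:
        score += 1
        reasons.append(f"freemail sender domain {domain}")
    links = SHARE_LINK.findall(body)
    if links:
        score += 1
        reasons.append(f"{len(links)} cloud share link(s) standing in for an attachment")

    verdict = "likely_impersonation" if score >= 3 else "suspicious" if score == 2 else "ok"
    return {"verdict": verdict, "score": score, "reasons": reasons, "address": addr}


if __name__ == "__main__":
    # Constructed message modelled on the lure: borrowed name, freemail address, Drive link.
    print(classify_sender(
        "Victor Cha <victor.cha.office@gmail.com>",
        "Invitation letter: https://drive.google.com/drive/folders/constructed",
    ))
```

The name normalization matters more than it looks: mail clients and directories render the same person as "Victor Cha", "Cha, Victor" or "CHA Victor", and an exact-string comparison would miss the match that carries the whole detection.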
Technical Evolution of LOTUSLITE
The updated LOTUSLITE v1.1 demonstrates incremental but meaningful improvements over previous versions. Researchers identified several changes indicating active maintenance and refinement of the malware. The internal code marker, known as the magic value, was rotated from 0x8899AABB to 0xB2EBCFDF. A magic value is a fixed constant the implant uses to recognize its own packets or data structures; rotating it breaks detections keyed on the old bytes while leaving the protocol otherwise unchanged. Command flags were also renamed, with the --DATA flag replaced by --ZoneMAX.
The backdoor retains its espionage capabilities: remote shell access, file operations and session management. Communication occurs over HTTPS with command-and-control infrastructure at editor[.]gleeze[.]com, a hostname under the Gleeze dynamic DNS domain.
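As an added example, not code from the Acronis report, the following Python turns the two constants above into a quick hunt over a file, memory dump or captured payload. Only the magic values and the flag names come from the page; it does not say where the magic sits in a packet or in which byte order, so the scan looks for the DWORD in both orders anywhere in the data, and the double-hyphen spelling of the flags is an assumption. The sample blob in the usage section is constructed.

```python
"""
Hunt for LOTUSLITE v1.0 / v1.1 constants in a byte blob. Added example, not
code from the Acronis report. Packet layout and byte order are not on the
page, so both byte orders are searched anywhere in the data.
"""
import struct

MAGIC = {"v1.0": 0x8899AABB, "v1.1": 0xB2EBCFDF}
FLAGS = {"v1.0": b"--DATA", "v1.1": b"--ZoneMAX"}  # double-hyphen form assumed


def find_all(blob: bytes, needle: bytes) -> list:
    """Every offset of needle in blob, overlaps allowed."""
    offsets, i = [], blob.find(needle)
    while i != -1:
        offsets.append(i)
        i = blob.find(needle, i + 1)
    return offsets


def yara_hex(value: int, byte_order: str = "<") -> str:
    """Render a DWORD as a YARA hex string; '<' little-endian (x86), '>' big-endian."""
    return "{ " + " ".join(f"{b:02X}" for b in struct.pack(byte_order + "I", value)) + " }"


def classify_lotuslite(blob: bytes) -> dict:
    """Report which version's constants appear and how much to trust that."""
    hits = {}
    for ver, value in MAGIC.items():
        for order, label in (("<", "le"), (">", "be")):
            for off in find_all(blob, struct.pack(order + "I", value)):
                hits.setdefault(ver, []).append(("magic", label, off))
        for off in find_all(blob, FLAGS[ver]):
            hits.setdefault(ver, []).append(("flag", "ascii", off))

    # Prefer the newest version whose magic is present. A bare 4-byte constant
    # is a weak signal, so confidence is high only when its flag is there too.
    guess = None
    for ver in ("v1.1", "v1.0"):
        if any(kind == "magic" for kind, _, _ in hits.get(ver, [])):
            guess = ver
            break
    confident = guess is not None and any(kind == "flag" for kind, _, _ in hits[guess])
    # Older constants left behind are exactly the remnants the report describes.
    remnants = sorted(v for v in hits if v != guess)
    return {
        "guess": guess,
        "confidence": "high" if confident else "low",
        "remnants": remnants,
        "hits": hits,
    }


if __name__ == "__main__":
    # Constructed blob: v1.1 magic (little-endian), the new flag, and a leftover old flag.
    sample = b"\x90" * 12 + b"\xdf\xcf\xeb\xb2" + b"\x00" * 8 + b"--ZoneMAX\x00--DATA\x00"
    print(classify_lotuslite(sample))
    for ver, value in MAGIC.items():
        print(ver, "little-endian YARA hex:", yara_hex(value))
```

When writing a YARA rule from this, pair the magic bytes with the flag string or another code-level anchor: a 32-bit constant on its own will eventually match benign data.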
DLL Sideloading Technique
Mustang Panda relied on a tried-and-tested evasion method, DLL sideloading. The attackers placed a malicious DLL next to a legitimate Microsoft-signed executable such as Microsoft_DNX.exe. When that executable starts, the Windows loader resolves the DLLs it imports by name and searches the application's own directory first, so the attacker's DLL is loaded into the signed process. Nothing in Windows checks that a DLL loaded by a signed executable is itself signed; the executable's signature covers only its own file, so no verification fails.
The technique is effective because what an observer sees, a Microsoft-signed binary running, is exactly what allow-listing, reputation scoring and many EDR heuristics are tuned to trust, and the malicious code inherits that trust. The tell is the load itself: a signed Microsoft binary executing from a user-writable directory and loading an unsigned DLL from that same directory.
Infrastructure and Attribution
The use of Gleeze dynamic DNS infrastructure, specifically editor[.]gleeze[.]com, directly links the current activity to previous Mustang Panda campaigns. Despite attempts to obscure their operations, researchers found remnants of old code markers such as KugouMain and DataImporterMain embedded in the new files. The group even left behind references to security researchers who have been tracking them.
These operational mistakes, combined with infrastructure overlap and targeting patterns, provide medium-to-high confidence attribution to Mustang Panda.
Implications and Recommendations
The campaign demonstrates that nation-state groups continue to refine their malware and expand targeting beyond traditional government entities into critical financial infrastructure. The shift toward banking sector targeting in India suggests the group may be diversifying its intelligence collection objectives.
Users should remain skeptical of unexpected emails and files, even those appearing to come from official sources or trusted people. Organizations should deploy email authentication (SPF, DKIM and DMARC) for their own domains, but note that it would not have stopped this campaign, where the sender was a genuine Gmail account with a borrowed name and photo: external-sender tagging and alerts on display names that match known contacts on unfamiliar addresses are the relevant controls. Staff should be trained on spear-phishing, CHM files arriving by email or download should be blocked or quarantined where there is no business need for them, and image-load telemetry should be monitored for Microsoft-signed executables running from user-writable directories and loading unsigned DLLs from those same directories.
Sources
https://hackread.com/mustang-panda-india-s-korea-lotuslite-backdoor/
https://thehackernews.com/2026/04/mustang-pandas-new-lotuslite-variant.html
https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/
https://www.neuracybintel.com/articles/chinese-apt-mustang-panda-targets-indian-banks-and-korean-policy-circles-with-lotuslite-malware