Nation-state, Apr 22, 2026

Mustang Panda Hits India and S. Korea with Updated LOTUSLITE Backdoor

Mustang Panda deploys updated LOTUSLITE v1.1 backdoor targeting Indian banks and South Korean diplomats.

Summary

Acronis Threat Research Unit discovered that China-linked Mustang Panda has launched a dual-campaign targeting Indian financial institutions (HDFC Bank) and South Korean policy-makers using an updated LOTUSLITE v1.1 backdoor. The group employed DLL sideloading techniques, fake phishing emails impersonating US officials, and malicious CHM files to deliver the malware. Despite obfuscation attempts like rotating magic values and command flags, researchers linked the activity to Mustang Panda through shared infrastructure (editorgleeze.com) and residual code artifacts.

Full text

Acronis reveals Mustang Panda is using a new LOTUSLITE backdoor to target Indian banks and Korean diplomats. Learn how this DLL sideloading attack works.

by Deeba Ahmed, April 22, 2026

A group of China-linked hackers known as Mustang Panda has expanded its spying efforts to target the Indian financial sector and political circles in South Korea. The Acronis Threat Research Unit discovered the group's latest activity after its previous campaign, which used Venezuela-related lures to target the US government earlier in 2026.

Targeting HDFC Bank and Diplomacy Experts

The hackers reportedly began this dual-sided campaign in March 2026. In India, they used a file named Request for Support.chm to trick workers in the banking sector. The file displayed a pop-up window mentioning HDFC Bank Limited to look official, and opening it triggered a chain of events that downloaded a malicious JavaScript file called music.js from the domain cosmosmusic.com.

Acronis' investigation, shared with Hackread.com, revealed that the hackers didn't stop at support tickets. They also built fake pop-up windows that looked like real HDFC Bank software. While the workers thought they were looking at a banking app, a new version of the LOTUSLITE backdoor, LOTUSLITE v1.1, was actually spying on the system.

LOTUSLITE versions comparison (Source: Acronis)

In another part of the campaign, the group pretended to be Victor Cha, a former Director for Asian Affairs at the US National Security Council. Using a fake Gmail account ([email protected]) bearing Mr Cha's real photo, they sent out Google Drive links to folders named March 30. Inside were fake invitation letters crafted to infect the computers of policy-makers.

Attack Chain (Source: Acronis)

Same Tricks, New Names

The hackers are using a method called DLL sideloading. They take a legitimate file signed by Microsoft (such as Microsoft_DNX.exe) and place their own malicious DLL right next to it. Because the executable carries a trusted Microsoft signature, it runs without suspicion, and it loads the attacker's DLL from the same directory along with it.

DLL sideloading into a signed executable (Source: Acronis)

According to researchers, the group is trying to hide better. They rotated the internal code marker, or 'magic value', a specific constant used to identify their traffic, from 0x8899AABB to 0xB2EBCFDF, and replaced a command flag named –DATA with a new one called –ZoneMAX. Researchers also noted that the hackers used a service called Gleeze to communicate with their server at editorgleeze.com. This is the same infrastructure used in previous attacks, which helped experts link the activity to Mustang Panda.

Even though the group updated its methods, it left old code names such as KugouMain and DataImporterMain in the new files, and even a message in the code mentioning a security researcher who has been tracking them. Still, the group keeps refining its impersonation and abusing trusted software to lure users, so it remains essential to stay sceptical of any unexpected email or file, even one that looks official.
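The indicator rotation described above is a reason to hunt on more than one artifact at a time. The following scanner is an added example, not code from the article or from Acronis: it searches a byte buffer for both the old and the new magic value (in either byte order) and for the residual internal names the article quotes, so a sample whose magic was rotated still fires on the leftover strings. The sample buffer is constructed for the demonstration and is not a real LOTUSLITE binary.

```python
import re
import struct

# Indicators quoted in the article: the rotated traffic "magic" values and the
# internal names left behind in the v1.1 binaries.
MAGIC_VALUES = {"LOTUSLITE (old) magic 0x8899AABB": 0x8899AABB,
                "LOTUSLITE v1.1 magic 0xB2EBCFDF": 0xB2EBCFDF}
RESIDUAL_NAMES = ["KugouMain", "DataImporterMain"]


def _byte_forms(value: int) -> dict:
    """A 32-bit constant may be stored little- or big-endian; check both."""
    return {"le": struct.pack("<I", value), "be": struct.pack(">I", value)}


def _string_forms(name: str) -> dict:
    """Strings in Windows binaries are commonly ASCII or UTF-16LE."""
    return {"ascii": name.encode("ascii"), "utf16le": name.encode("utf-16-le")}


def scan(data: bytes) -> list:
    """Return (indicator, encoding, offset) for every indicator found in data."""
    hits = []
    for label, value in MAGIC_VALUES.items():
        for enc, pattern in _byte_forms(value).items():
            hits += [(label, enc, m.start()) for m in re.finditer(re.escape(pattern), data)]
    for name in RESIDUAL_NAMES:
        for enc, pattern in _string_forms(name).items():
            hits += [(name, enc, m.start()) for m in re.finditer(re.escape(pattern), data)]
    return sorted(hits, key=lambda h: h[2])


def triage(data: bytes) -> dict:
    """Group hits by family so that a rotated magic alone does not hide a sample."""
    hits = scan(data)
    return {
        "magic_hits": [h for h in hits if h[0] in MAGIC_VALUES],
        "residual_hits": [h for h in hits if h[0] in RESIDUAL_NAMES],
        "suspicious": bool(hits),
    }


# Constructed sample (not a real LOTUSLITE binary): the new magic stored
# little-endian, no old magic, and one residual name stored as UTF-16LE.
SAMPLE = (b"\x00" * 16 + struct.pack("<I", 0xB2EBCFDF) + b"\x00" * 8
          + "DataImporterMain".encode("utf-16-le") + b"\x00" * 8)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```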

Indicators of Compromise

  • malware — LOTUSLITE v1.1

Entities

  • Mustang Panda (threat_actor)
  • Acronis (vendor)
  • HDFC Bank (product)
  • DLL sideloading (technology)