Mustang Panda Responsible for New Cyberattacks on Banks

The China-linked cyber-espionage group Mustang Panda is behind a new campaign using an updated version of the LOTUSLITE backdoor to target banks in India and individuals connected to South Korean diplomatic and security affairs. According to the Acronis Threat Research Unit, these attacks show the group continues to refine its tooling while widening both its geographic focus and intelligence objectives.

The new malware variant is delivered via DLL sideloading, where attackers abuse legitimate Microsoft-signed files to load malicious code without raising suspicion. LOTUSLITE then communicates with a command-and-control server over encrypted HTTPS traffic, giving the attackers remote control, file management, and session control capabilities. Researchers say these features point clearly to espionage activity rather than financially motivated crime.

New attack chain with more concealed delivery

The attack begins with spear-phishing that delivers a malicious CHM file themed around the Indian banking sector. When opened, a JavaScript-based loader stage fetches and executes malware via DLL sideloading using a legitimate Microsoft component. This technique allows malicious code to run under the guise of a trusted application, making detection by traditional security solutions more difficult.

Acronis notes that the LOTUSLITE variant includes several technical changes compared to earlier releases, such as new command flags, modified internal identifiers, updated API call chains, and new sideloading binary files. At the same time, clear remnants from previous LOTUSLITE versions remain, which researchers say reinforces the link to Mustang Panda.

From geopolitical lures to financial targets

Mustang Panda previously focused mainly on government bodies, diplomatic targets, and policy-related organizations. The notable shift in this campaign is the addition of Indian banks as targets, while indicators also point to individuals involved in South Korean diplomacy and security policy. This suggests a broadening of the group’s intelligence priorities rather than a simple geographic expansion.

Researchers describe these attacks as a clear example of how state-linked threat actors continue to rely on relatively straightforward but well-proven techniques. Their success often depends more on social engineering, relevant lures, and trusted system components than on novel, advanced exploits.

A growing threat to critical sectors

For security teams, the campaign demonstrates that DLL sideloading, dynamic DNS infrastructure, and legitimate signed binaries remain effective methods for establishing covert presence in target environments. At the same time, LOTUSLITE shows that Mustang Panda actively evolves its toolset between campaigns to reduce detection risk and adapt to new targets.
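As an added illustration for defenders of the pattern described above, the following Python detection is not code from the article, from Acronis, or from any published tool. It scans image-load events whose field names are loosely modelled on Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature, with a "Loaded" suffix for the DLL side) and flags the sideloading pattern: a Microsoft-signed executable loading a DLL that is not Microsoft-signed and does not live in a protected Windows directory. All events, paths and file names are constructed placeholders, not indicators from the campaign.

```python
"""
Added detection example, not part of the original article or of Acronis's research.
Flags image-load events where a Microsoft-signed process loads a non-Microsoft DLL
from outside the protected OS directories (the DLL-sideloading pattern).
Field names loosely follow Sysmon Event ID 7; all sample events are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DLLs normally live here when installed by the OS; a Microsoft-signed process loading
# from these paths is expected behaviour and is not flagged.
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Locations a standard user can write to; a signed host binary *executing* from one of
# these raises severity, since it suggests the binary was dropped by the phishing chain.
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")


def _norm(path: str) -> str:
    """Lower-case and unify separators so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def _under(path: str, roots: Iterable[str]) -> bool:
    p = _norm(path)
    return any(p.startswith(_norm(r) + "\\") for r in roots)


def _dir_of(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def _microsoft_signed(event: dict, signed_key: str, signer_key: str) -> bool:
    return bool(event.get(signed_key)) and _norm(event.get(signer_key, "")).startswith("microsoft")


@dataclass
class Finding:
    process: str
    dll: str
    severity: str
    reason: str


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event matches the sideloading pattern, otherwise None."""
    process, dll = event["Image"], event["ImageLoaded"]

    # Only Microsoft-signed hosts matter here: the technique relies on a trusted parent
    # so the malicious DLL runs under that parent's reputation.
    if not _microsoft_signed(event, "Signed", "Signature"):
        return None
    # A DLL that is itself Microsoft-signed, or sits in a protected OS directory, is normal.
    if _microsoft_signed(event, "SignedLoaded", "SignatureLoaded") or _under(dll, PROTECTED_DIRS):
        return None

    reasons = ["Microsoft-signed process loaded a non-Microsoft DLL"]
    severity = "medium"
    if _dir_of(dll) == _dir_of(process):
        reasons.append("DLL sits beside the executable (search-order sideload)")
        severity = "high"
    if _under(process, USER_WRITABLE_DIRS):
        reasons.append("executable runs from a user-writable directory")
        severity = "high"
    return Finding(process=process, dll=dll, severity=severity, reason="; ".join(reasons))


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry); names are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {   # Normal OS behaviour: signed process loads a signed DLL from System32.
        "Image": r"C:\Windows\System32\svchost.exe", "Signed": True, "Signature": "Microsoft Windows",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "SignedLoaded": True, "SignatureLoaded": "Microsoft Windows",
    },
    {   # Third-party software loading its own signed DLL: not a Microsoft-signed host, ignored.
        "Image": r"C:\Program Files\ExampleVendor\app.exe", "Signed": True, "Signature": "Example Vendor Inc",
        "ImageLoaded": r"C:\Program Files\ExampleVendor\helper.dll", "SignedLoaded": True, "SignatureLoaded": "Example Vendor Inc",
    },
    {   # Constructed sideload: a Microsoft-signed binary dropped to a temp folder loads an
        # unsigned DLL placed next to it.
        "Image": r"C:\Users\alice\AppData\Local\Temp\Statement\SIGNED_MS_HOST.exe", "Signed": True, "Signature": "Microsoft Corporation",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Statement\PLACEHOLDER.dll", "SignedLoaded": False, "SignatureLoaded": "",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.process} -> {finding.dll}: {finding.reason}")
```

The two severity boosts are the ones that separate this campaign's delivery from benign noise: a DLL co-located with its host executable is the classic search-order sideload, and a Microsoft-signed host running from a user-writable path has almost certainly been copied there rather than installed. In production the signer checks would come from the endpoint sensor's own signature verification rather than from string fields, and an allowlist for legitimately redistributed Microsoft runtimes would be needed to keep false positives down.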

Acronis assesses with moderate confidence that the attacks can be attributed to Mustang Panda, based on code similarities, infrastructure patterns, delivery methods, and recurring operational errors seen in prior campaigns. For banks, government agencies, and policy organizations, this is a reminder that even relatively simple attack chains can form a serious cyber-espionage threat when combined with social manipulation and trusted system components.