Mustang Panda Targets Indian Banking Sector Amid Geopolitical Tensions

Mustang Panda Targets Indian Banking Sector Amid Geopolitical Tensions

First seen 21 Apr 2026, 22:15 UTC DarkreadingAcronisNews9LiveScworldhackread.com 80% similarity 60.0

Article Content

Browse articles
ThreatCluster

Mustang Panda, a Chinese APT group, has shifted its focus to India's banking sector, utilizing the LOTUSLITE backdoor in recent campaigns. This activity, observed in March 2026, diverges from its typical targets, which include government entities, and indicates a potential geopolitical espionage motive. The attack vector primarily involves spear phishing, with malicious CHM files disguised as IT support requests sent to banking institutions. The malware features minor modifications to evade detection and mimics legitimate banking software, specifically referencing HDFC Bank. Researchers from Acronis have linked this campaign to Mustang Panda based on shared code and operational patterns. Additionally, the group has targeted American and Korean policy circles, using impersonation tactics. The overall technical sophistication of the attacks remains low, with stale TTPs noted by analysts. The investigation is ongoing, with further analysis needed to understand the full scope of the threat.

Key Points: • Mustang Panda has targeted the Indian banking sector using the LOTUSLITE backdoor. • Spear phishing tactics involve malicious CHM files disguised as IT support requests. • The campaign also targets American and Korean policy circles, indicating broader geopolitical interests.

ThreatCluster AI

Timeline

2026-03-01
New LOTUSLITE backdoor activity observed targeting Indian banks
2026-04-21
Acronis publishes report linking attacks to Mustang Panda
2026-04-21
Malicious CHM files identified in spear phishing campaigns

Community

Browse all →