Mustang Panda Targets Indian Banking Sector Amid Geopolitical Tensions
Severity: High (Score: 60.0)
Sources: Acronis, Dark Reading
Summary
Mustang Panda, a Chinese APT group, has shifted its focus to India's banking sector, utilizing the LOTUSLITE backdoor in recent campaigns. This activity, observed in March 2026, diverges from its typical targets, which include government entities, and indicates a potential geopolitical espionage motive. The attack vector primarily involves spear phishing, with malicious CHM files disguised as IT support requests sent to banking institutions. The malware features minor modifications to evade detection and mimics legitimate banking software, specifically referencing HDFC Bank. Researchers from Acronis have linked this campaign to Mustang Panda based on shared code and operational patterns. Additionally, the group has targeted American and Korean policy circles, using impersonation tactics. The overall technical sophistication of the attacks remains low, with stale TTPs noted by analysts. The investigation is ongoing, with further analysis needed to understand the full scope of the threat.
Key Points
- Mustang Panda has targeted the Indian banking sector using the LOTUSLITE backdoor.
- Spear phishing tactics involve malicious CHM files disguised as IT support requests.
- The campaign also targets American and Korean policy circles, indicating broader geopolitical interests.
Key Entities
- Bronze President (apt_group)
- Mustang Panda (apt_group)
- Stately Taurus (apt_group)
- TA416 (apt_group)
- Malware (attack_type)
- Phishing (attack_type)
- HDFC Bank (company)
- China (country)
- India (country)
- North Korea (country)
- South Korea (country)
- gmail.com (domain)
- Financial (industry)
- LOTUSLITE (malware)
- T1055 - Process Injection (mitre_attack)
- T1059.007 - JavaScript (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1547 - Boot or Logon Autostart Execution (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- Windows (platform)
- hh.exe (tool)