Attack chain | Image: Acronis Threat Research Unit
The Acronis Threat Research Unit (TRU) has identified a significant shift in the operations of Mustang Panda, a prominent cyber-espionage group. Traditionally known for targeting government entities with geopolitical lures, the group has pivoted its focus toward India’s financial sector, deploying a sophisticated new variant of its signature malware dubbed LOTUSLITE.
According to the report, the campaign utilizes advanced “DLL sideloading” techniques to bypass modern defenses, leveraging a legitimate, Microsoft-signed executable to deliver the malicious payload.
This new variant is not a completely new tool but rather a refined evolution of the group’s existing toolkit. Code-level analysis confirms a “direct lineage to LOTUSLITE,” showing that the developer is actively maintaining and improving the implant between campaigns.
The researchers noted that:
“The variant we uncovered retains the same core architecture, command set and operational playbook as its predecessor, while introducing incremental improvements to evade detection”.
The campaign reflects a strategic shift in both geography and industry. While previous iterations of the LOTUSLITE cluster focused on U.S. government entities, this latest wave was specifically tailored for the Indian banking sector.
- Deceptive Lures: Implants were found embedded with specific references to HDFC Bank.
- Masquerading Software: The malware utilizes pop-ups designed to look like legitimate banking software to trick employees.
- Diplomatic Impersonation: Other strands of the campaign targeted policy circles in South Korea and the U.S. by “impersonating a prominent figure in Korean peninsula diplomacy”.
Despite the focus on banks, the TRU assessment suggests the primary objective remains information gathering rather than direct financial theft. The backdoor supports a range of espionage-focused tasks:
- Remote Shell Access: Allowing attackers to execute commands on the infected host.
- File Operations: Enabling the theft or modification of sensitive documents.
- Session Management: Maintaining long-term access to the compromised network.
The malware communicates with a dynamic DNS-based command-and-control server over encrypted HTTPS, further complicating detection efforts.
The Acronis TRU attributes this activity to Mustang Panda with moderate confidence, citing shared code lineage and consistent behavioral patterns. The group’s move from JavaScript loaders and CHM-based delivery to DLL sideloading demonstrates a commitment to refining their tradecraft.
As the report concludes, “Mustang Panda continues to rely on simple, well-tested techniques that remain effective when paired with targeted delivery and relevant lures”.