VYPR
breach · Published Apr 21, 2026 · Updated May 18, 2026 · 1 source

Mustang Panda APT Targets Indian Banks and US-Korea Policy Circles in Espionage Campaign

Chinese state-sponsored APT Mustang Panda is targeting Indian banks, including HDFC Bank, alongside US and South Korean policy circles using spear-phishing and DLL sideloading to deploy the LotusLite backdoor.

Chinese state-sponsored advanced persistent threat (APT) Mustang Panda (aka TA416, Bronze President, Stately Taurus) has launched a new espionage campaign targeting India's banking sector, as well as US and South Korean policy circles. Researchers at Acronis Threat Research Unit (TRU) uncovered the operation, which uses spear-phishing emails and DLL sideloading to deploy a variant of the LotusLite backdoor disguised as legitimate banking software. The campaign marks a notable shift for Mustang Panda, which has historically focused on geopolitical espionage targets rather than financial institutions.

The attack chain begins with spear-phishing messages sent to employees at Indian banks, including HDFC Bank, India's largest private-sector bank. The emails are disguised as routine IT help desk issues, though researchers lacked visibility into the exact content of the messages. Separately, the threat actors set up a Google account impersonating Dr. Victor Cha, a prominent American political scientist and former director for Asian affairs on the National Security Council under President George W. Bush. Using the fake address and a headshot of Cha, they targeted individuals involved in US-Korea diplomatic and policy communities.

Once victims open the malicious file, the attack triggers a classic DLL sideloading technique, in which a legitimate, signed executable loads a malicious DLL placed beside it; the technique is commonly associated with Chinese threat actors. After establishing persistence via the Windows Registry, the malware delivers a variant of LotusLite, a backdoor that Mustang Panda has used for years. This latest version includes minor modifications to evade detection tools and is superficially disguised to mimic banking software, including a pop-up window and an internal function name referencing HDFC Bank. The same malware was also delivered to Korean and American targets.
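The two host-side steps named above, a signed executable loading a DLL from its own user-writable directory and a subsequent Run-key write, are exactly what a detection engineer would correlate. The following is an added example, not code from the Acronis report or from Vypr: it runs a sideloading-plus-persistence hunt over constructed Sysmon-style Event ID 7 (ImageLoaded) and Event ID 13 (RegistryEvent SetValue) records. The file names, paths, PIDs and signer names are hypothetical placeholders, since the page does not give the campaign's actual artifact names, and the host-executable signer table stands in for data you would collect separately (for instance with Get-AuthenticodeSignature), because Sysmon's Event 7 only reports the signature of the loaded DLL.

```python
"""Hunt for DLL sideloading followed by Run-key persistence in Sysmon-style events.

Added example. Records are constructed inline to mimic Sysmon Event ID 7
(ImageLoaded) and Event ID 13 (RegistryEvent SetValue) fields; all paths,
PIDs and signer names are hypothetical placeholders.
"""
import ntpath

# Directories where a properly installed, signed application normally lives.
# An EXE running from anywhere else (AppData, Temp, Downloads) is user-writable.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Autostart registry locations (matched case-insensitively inside TargetObject).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Signer of each host process image, as collected out of band (constructed data).
HOST_SIGNERS = {
    "c:\\windows\\system32\\svchost.exe": "Microsoft Windows",
    "c:\\users\\alice\\appdata\\roaming\\bankupdate\\update.exe": "Hypothetical Vendor Ltd",
}

# Constructed Sysmon-like events: one benign system load, one sideload into a
# signed EXE dropped in AppData, one normal system-DLL load by that EXE, the
# matching Run-key write, and one unrelated Run-key write as noise.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 1001, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "ProcessId": 2002, "Image": r"C:\Users\alice\AppData\Roaming\BankUpdate\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\BankUpdate\version.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessId": 2002, "Image": r"C:\Users\alice\AppData\Roaming\BankUpdate\update.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 13, "ProcessId": 2002,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\BankUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\BankUpdate\update.exe"},
    {"EventID": 13, "ProcessId": 3003,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


def _dir(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return ntpath.dirname(path).lower() + "\\"


def is_user_writable(path):
    return not _dir(path).startswith(TRUSTED_DIRS)


def sideload_candidates(events, host_signers):
    """(pid, exe, dll) where a signed EXE outside a trusted directory loads a DLL
    from its own directory that is unsigned or signed by a different publisher."""
    hits = []
    for e in events:
        if e["EventID"] != 7 or not e["ImageLoaded"].lower().endswith(".dll"):
            continue
        exe, dll = e["Image"], e["ImageLoaded"]
        host_signer = host_signers.get(exe.lower())
        if host_signer is None:            # unsigned host: plain malware, not a sideload
            continue
        if _dir(exe) != _dir(dll) or not is_user_writable(exe):
            continue
        dll_signed = e["Signed"] == "true" and e["SignatureStatus"] == "Valid"
        if dll_signed and e["Signature"] == host_signer:
            continue                        # vendor DLL shipped beside its own signed EXE
        hits.append((e["ProcessId"], exe, dll))
    return hits


def run_key_writes(events):
    """(pid, key, value) for every Event 13 that sets a Run/RunOnce value."""
    return [(e["ProcessId"], e["TargetObject"], e["Details"])
            for e in events
            if e["EventID"] == 13
            and any(m in e["TargetObject"].lower() for m in RUN_KEY_MARKERS)]


def correlate(events, host_signers):
    """Sideloading processes that then register a Run value pointing back at their own directory."""
    loads = {pid: (exe, dll) for pid, exe, dll in sideload_candidates(events, host_signers)}
    alerts = []
    for pid, key, value in run_key_writes(events):
        if pid in loads and _dir(loads[pid][0]) in value.lower():
            exe, dll = loads[pid]
            alerts.append({"pid": pid, "exe": exe, "dll": dll, "run_key": key})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, HOST_SIGNERS):
        print(alert)
```

The same-directory and user-writable checks are what keep this from firing on every third-party application that ships its own DLLs; the signer comparison is the part that still catches a DLL dropped next to a renamed, legitimately signed loader. In production the host-signer table would be populated from the endpoint rather than hard-coded, and the correlation window would be bounded by time and ProcessGuid rather than PID alone, since PIDs are reused.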

Mustang Panda's reliance on basic but effective techniques highlights persistent gaps in organizational security fundamentals. Santiago Pontiroli, team lead for Acronis TRU, noted that "a significant portion of nation-state activity relies on simple, well-understood techniques executed with discipline." He added that organizations focusing only on advanced threats risk leaving themselves exposed to campaigns like this one. The group's reuse of well-worn TTPs lets it rotate minor indicators and redeploy quickly when a campaign is exposed.

While the targeting of Korean policy circles aligns with Mustang Panda's historical focus on geopolitical espionage, the attacks against India's financial sector appear to be driven by intelligence gathering rather than financial gain. Pontiroli explained that LotusLite lacks capabilities typically associated with banking malware, such as credential harvesting or payment interception. Instead, access to institutions like HDFC Bank yields visibility into cross-border transactions, government-linked accounts, infrastructure financing, and trade flows, all valuable to a state-aligned actor.

The campaign underscores the evolving threat landscape in South Asia, where Chinese APTs are increasingly targeting critical infrastructure and financial systems. Acronis attributed the activity to Mustang Panda based on shared code, operational patterns, and the use of LotusLite, which is unique to this threat cluster. The findings serve as a reminder that even unsophisticated techniques can yield significant intelligence gains when executed persistently against organizations with inconsistent security controls.

Synthesized by Vypr AI