China-linked hacking group Mustang Panda has broadened its cyber espionage operations, now targeting India's financial sector and political circles in South Korea. This latest activity was identified by the Acronis Threat Research Unit, following a previous campaign in 2026 that used Venezuela-related lures against US government entities, as reported by HackRead.

Beginning in March 2026, Mustang Panda initiated a two-pronged attack. In India, malicious files like "Request for Support.chm" were distributed to banking sector employees, employing fake HDFC Bank pop-ups to disguise the download of a malicious JavaScript file. This led to the deployment of LOTUSLITE v1.1, a new version of their backdoor, to spy on systems.

Concurrently, in South Korea, the group impersonated Victor Cha, a former US National Security Council Director, using a fake Gmail account and Google Drive links to send infection-laden documents to policymakers. The attackers utilized DLL sideloading, embedding malicious code within legitimate Microsoft-signed files, and updated their internal code markers and command flags to evade detection. They also continued to use the Gleeze service for command and control, a tactic consistent with previous Mustang Panda operations. Despite attempts to obscure their methods by rotating identifiers and updating infrastructure, remnants of older code and naming conventions were found, linking the activity to Mustang Panda.

Source: HackRead
Malware, Security Operations, Threat Intelligence
Mustang Panda expands cyber espionage to India’s financial sector and South Korean politics




