What happened
Acronis researchers have identified a new variant of LOTUSLITE malware attributed with medium confidence to Mustang Panda, a Chinese nation-state threat group, targeting India’s banking sector and South Korean and US policy and diplomatic communities.
The attack begins with a Compiled HTML (CHM) file embedding a legitimate executable, a rogue DLL, and an HTML page that prompts the user to click “Yes.” That click silently retrieves and executes JavaScript malware from a remote server, which extracts and runs the malicious payload inside the CHM file through DLL side-loading. The rogue DLL is an updated version of LOTUSLITE that communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management. The Indian banking campaign uses lures embedding HDFC Bank references and pop-ups impersonating legitimate banking software.
The South Korean targeting arm of the campaign focuses on individuals within policy and diplomatic communities involved in Korean peninsula affairs, North Korea policy discussions, and Indo-Pacific security dialogues. Delivery in that campaign uses spoofed Gmail accounts and Google Drive for payload staging, with lures impersonating a prominent figure in Korean peninsula diplomacy.
Acronis describes the new LOTUSLITE variant as showing incremental improvements over its predecessor, indicating the malware is being actively maintained. Previous LOTUSLITE deployments targeted US government and policy entities using Venezuela-related geopolitical lures. The latest campaign represents a geographic and sectoral pivot while keeping the broader operational playbook intact.
Who is affected
Indian financial institutions, particularly those in the banking sector, are primary targets in the current campaign. South Korean and US policy professionals, diplomats, and researchers focused on Korean peninsula and Indo-Pacific affairs face targeted spear-phishing through spoofed Gmail accounts and Google Drive-hosted payloads.
Why CISOs should care
Mustang Panda’s expansion from US government targets to Indian banking and South Korean diplomatic circles in a single campaign illustrates how quickly Chinese espionage groups pivot between target geographies while reusing and refining the same core tooling. The DLL side-loading delivery method and CHM lure format are well-established techniques that continue to succeed because they blend malicious execution with legitimate-looking user interactions.
The use of Google Drive for payload staging is particularly relevant for organizations relying on allow-list approaches to web filtering. Traffic to Google Drive is trusted by default in most enterprise environments, making it an effective staging platform for malware delivery that bypasses standard network controls.
3 practical actions
- Block or restrict CHM file execution in environments where it is not operationally required: Compiled HTML files are a documented delivery mechanism for this and numerous other malware families. Restricting CHM execution via application control policies removes a meaningful portion of this attack surface.
- Review controls on Google Drive and similar trusted cloud services as malware staging vectors: Allow-listing cloud storage platforms without behavioral inspection of downloads creates a blind spot that Mustang Panda is actively exploiting. Ensure endpoint controls inspect files downloaded from trusted cloud platforms regardless of the source domain’s reputation.
- Brief policy, diplomatic, and financial sector staff on spear-phishing via spoofed Gmail accounts: The South Korean campaign specifically targets individuals in policy and research roles through Gmail impersonation. Staff in these roles should be trained to verify sender identity through out-of-band channels before opening attachments or clicking links, particularly those hosted on cloud storage platforms.
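As an added example (not Acronis' code or detection logic), the following Python flags the process-creation pattern the CHM chain above produces: hh.exe, the Windows HTML Help viewer that opens .chm files, launching a child process. It assumes Sysmon Event ID 1 records exported as JSON with Sysmon's Image and ParentImage field names; the sample events are constructed.

```python
"""Flag process-creation events in which hh.exe (the Windows HTML Help
viewer that opens .chm files) launches a child process.
Assumes Sysmon Event ID 1 records exported as newline-delimited JSON
with Sysmon's field names (Image, ParentImage)."""
import json
from pathlib import PureWindowsPath

HELP_VIEWER = "hh.exe"
# Locations a legitimately installed executable normally runs from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Script and proxy-execution hosts that hh.exe has no reason to start.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                "regsvr32.exe", "powershell.exe", "cmd.exe"}

def classify(event):
    """Return None for events not parented by hh.exe, else (severity, reason)."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent != HELP_VIEWER:
        return None
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    if name in SCRIPT_HOSTS:
        return ("high", f"hh.exe spawned script host {name}")
    if not image.lower().startswith(TRUSTED_DIRS):
        # Matches the lure flow: payload extracted to a user-writable
        # directory, then a legitimate-looking EXE side-loads the rogue DLL.
        return ("high", f"hh.exe spawned executable from user-writable path {image}")
    # hh.exe rarely spawns anything; keep a low-severity record for review.
    return ("low", f"hh.exe spawned {name}")

def scan(json_lines):
    """Run classify() over JSON event lines and collect (severity, image, reason)."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((verdict[0], event.get("Image", ""), verdict[1]))
    return hits

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    json.dumps({"Image": "C:\\Windows\\hh.exe",
                "ParentImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\stmt\\Update.exe",
                "ParentImage": "C:\\Windows\\hh.exe"}),
    json.dumps({"Image": "C:\\Windows\\System32\\rundll32.exe",
                "ParentImage": "C:\\Windows\\hh.exe"}),
    json.dumps({"Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
                "ParentImage": "C:\\Windows\\hh.exe"}),
]

if __name__ == "__main__":
    for severity, _image, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

The user opening the CHM (explorer.exe starting hh.exe) is deliberately not flagged; only what hh.exe starts afterwards is.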
Also in the news today:
- New npm Supply-Chain Attack Self-Spreads to Steal Auth Tokens
- Microsoft Releases Emergency Patches for Critical ASP.NET Flaw
- New GoGra Malware for Linux Uses Microsoft Graph API for Command and Control
- UK Cyber Chief Warns of State-Sponsored Attacks at Scale as Geopolitical Tensions Rise
- Dutch Intelligence Warns China’s Cyber Capabilities Now Equal to the US
- Critical Atlassian Bamboo Flaw Enables Command Injection Attacks
- Unauthorized Group Gains Access to Anthropic’s Restricted Mythos AI Cybersecurity Tool
- Organized Fraud Networks Exploit French Fintech Platforms to Launder Stolen Funds
- Cosmetics Giant Rituals Confirms Data Breach of Customer Membership Records
