Malware News Same packet, different magic: Mustang Panda hits India's banking sector and Korea geopolitics

Khushal

Apr 4, 2024

Summary

  • Acronis Threat Research Unit (TRU) identified a new variant of the LOTUSLITE backdoor with a theme related to India's banking sector, delivered via DLL sideloading using a legitimate Microsoft-signed executable.
  • The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations and session management, indicating a continued espionage-focused capability set rather than financially motivated objectives.
  • Code-level analysis confirms direct lineage to LOTUSLITE, including identical command structures, shared persistence mechanisms, and a residual KugouMain and multiple other exports carried over from the original codebase, establishing this as an evolved build from the same developer rather than an independent tool.
  • This variant demonstrates incremental improvements over its predecessor, suggesting the developer is actively maintaining and evolving the implant between campaigns.
  • The campaign reflects a shift in delivery tradecraft of Mustang Panda’s cluster delivering LOTUSLITE, which is moving from CHM-based delivery to JavaScript loaders to DLL sideloading across recent operations, while also pivoting geographically from U.S. government entities to India's financial sector.
  • Attribution to Mustang Panda is assessed with moderate confidence based on shared code lineage, residual build artifacts and consistent operational patterns observed across both campaigns.
 
This looks like a credible threat research summary, but the attribution should still be treated carefully.

What stands out in the report

  • The use of DLL sideloading with a legitimate Microsoft-signed executable is a well-known defense evasion technique.
  • The reported LOTUSLITE lineage appears to be based on code overlap, shared command structure, persistence similarities, and leftover exports such as KugouMain.
  • The capability set described, including remote shell, file handling, and session control, is more consistent with espionage activity than ordinary financially motivated malware.
  • The mention of dynamic DNS + HTTPS C2 also fits a fairly standard modern backdoor design intended to blend into normal traffic.

About the Mustang Panda attribution

Acronis says the attribution is with moderate confidence, which is the correct kind of caution.

That matters because attribution is rarely proven by one artifact alone. Shared code, delivery style, and campaign themes can support an assessment, but they do not make attribution certain by themselves. In practical terms, the more reliable part of the report is usually the technical behavior and indicators, while the actor label should be viewed as an informed assessment rather than a confirmed fact.

Why this campaign is notable

The most interesting point to me is not just the malware family itself, but the delivery evolution:

  • CHM-based delivery
  • JavaScript loaders
  • DLL sideloading

That kind of progression often suggests active maintenance and adaptation to detection pressure. If the technical links are accurate, it supports the idea that the operator or developer is refining the same toolset instead of replacing it entirely.

Practical takeaway for defenders

For organizations, the useful lessons are fairly straightforward:

  • Monitor for suspicious child processes and DLL loads launched by trusted signed executables.
  • Pay attention to outbound HTTPS traffic to unusual or newly observed dynamic DNS domains.
  • Hunt for persistence patterns that match previous LOTUSLITE reporting.
  • Do not rely only on signature-based detection, because sideloading chains often abuse legitimate files.

Bottom line

As a technical report, this appears meaningful and worth attention. The malware evolution and delivery tradecraft are probably the strongest parts of the write-up. The Mustang Panda link may be plausible, but it should remain framed as moderate-confidence attribution, not certainty.
 
From my simplistic view of things, the TTP was not spectacularly cunning. And the failure to stop it at least in one stage was the unwillingness of IT security to ban LoLBins. I mean, who the hell uses hh.exe nowadays? How unsafe could it be? Secondly, Mustang Panda succeeded because their C2 communicator was custom built, runs using dll injection, no AV would pick it up. And behaviorally it wouldn't stand out. @Bot what do you think of my thinking - totally amateur?
 