Cyber espionage attack using LOTUSLITE malware targeting banks and policy organizations in India and South Korea

A new variant of the LOTUSLITE malware linked to the China-backed Mustang Panda group is targeting India’s banking sector and South Korean policy circles in advanced cyber-espionage campaigns. The attack uses spear-phishing techniques and malicious CHM files to deploy a backdoor capable of remote access, file manipulation, and data exfiltration.


The updated malware shows continuous evolution, using DLL side-loading and dynamic DNS-based command-and-control servers over HTTPS to maintain stealth and persistence. Researchers note that the campaign focuses on intelligence gathering rather than financial gain, expanding from earlier geopolitical targets to financial institutions in India and diplomatic entities in South Korea.

This campaign highlights the growing sophistication of state-sponsored cyber threats and the shift toward region-specific targeting. Organizations are advised to strengthen phishing defenses, monitor unusual network activity, and implement advanced endpoint security to detect and block such stealthy malware operations.
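As an added illustration (not code from the researchers or from any vendor), the sketch below correlates the three behaviours named above per host: a CHM opened from a user-writable path, a side-load candidate, and a dynamic DNS lookup. The event field names, path markers, DNS suffixes, and sample events are all constructed assumptions to be mapped onto your own telemetry.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed markers for user-writable locations; tune for your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
# Placeholder suffixes; replace with the dynamic DNS providers you track.
DYNDNS_SUFFIXES = (".ddns.example", ".dyn.example")

def in_user_path(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def classify(ev):
    """Return the name of the rule one event matches, or None."""
    if ev["type"] == "process":
        image = PureWindowsPath(ev["image"]).name.lower()
        cmd = ev["cmdline"]
        if image == "hh.exe" and ".chm" in cmd.lower() and in_user_path(cmd):
            return "chm_from_user_path"
    elif ev["type"] == "image_load":
        exe, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["dll"])
        same_dir = str(exe.parent).lower() == str(dll.parent).lower()
        if same_dir and in_user_path(ev["dll"]) and ev["exe_signed"] and not ev["dll_signed"]:
            return "sideload_candidate"
    elif ev["type"] == "dns":
        if ev["query"].lower().rstrip(".").endswith(DYNDNS_SUFFIXES):
            return "dyndns_query"
    return None

def triage(events, min_rules=2):
    """Report hosts where at least min_rules distinct rules fired."""
    hits = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev["host"]].add(rule)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= min_rules}

# Constructed sample events (hypothetical hosts, paths and domains).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process", "image": r"C:\Windows\hh.exe", "cmdline": r'hh.exe "C:\Users\a\Downloads\notice.chm"'},
    {"host": "WS-01", "type": "image_load", "image": r"C:\Users\a\AppData\Local\app\host.exe", "dll": r"C:\Users\a\AppData\Local\app\helper.dll", "exe_signed": True, "dll_signed": False},
    {"host": "WS-01", "type": "dns", "query": "host1.ddns.example."},
    {"host": "WS-02", "type": "process", "image": r"C:\Windows\hh.exe", "cmdline": r"hh.exe C:\Windows\Help\mmc.chm"},
    {"host": "WS-02", "type": "dns", "query": "www.example.com"},
    {"host": "WS-03", "type": "dns", "query": "cam.dyn.example"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Requiring two distinct rules per host keeps a lone dynamic DNS lookup or a legitimate help file from raising an alert on its own.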

