Chinese Cyber Group Targets Indian Banks, South Korean Policy Makers with New Malware
AI-generated from multiple sources. Verify before acting on this reporting.
SEOUL/NEW DELHI — Cybersecurity researchers identified a new variant of the LOTUSLITE malware on Tuesday, attributed to the Chinese nation-state group Mustang Panda, targeting financial institutions in India and policy circles in South Korea.
Acronis researchers Subhajeet Singha and Santiago Pontiroli disclosed the campaign, which marks a shift in the group’s operational focus toward espionage within the Indo-Pacific region. The malware, designed to exfiltrate sensitive data, has been deployed against banking sector entities in India and government-related organizations in South Korea. While the primary targets are in Asia, the infrastructure supporting the attacks includes servers located in the United States.
The campaign, active as of April 22, 2026, uses a sophisticated capability set aimed at long-term intelligence gathering. Analysts indicate the attacks are driven by geopolitical motivations related to regional security dynamics and affairs on the Korean peninsula. The group has historically focused on supply chain compromises and document-based attacks, but this latest variant demonstrates an evolution in its technical tradecraft.
Mustang Panda, a persistent threat actor linked to the Chinese government, has previously targeted defense contractors, think tanks, and media organizations. The new LOTUSLITE variant is engineered to evade detection by security software, allowing operators to maintain access to compromised networks for extended periods. The targeting of India’s banking sector suggests an interest in financial data and economic stability, while the focus on South Korean policy circles points to strategic intelligence gathering regarding diplomatic and security matters.
The discovery comes amid heightened tensions in the Indo-Pacific, where cyber espionage activities have increased among state-sponsored actors. Security firms are urging organizations in the targeted sectors to review their network defenses and monitor for indicators of compromise associated with the new malware variant. The campaign’s scope and the specific objectives of the attackers remain under investigation.
Questions persist regarding the full extent of the data compromised and whether other regions are currently under attack. Researchers are continuing to analyze the malware’s capabilities and the methods used to infiltrate the targeted networks. As the investigation develops, the cybersecurity community is expected to release additional guidance to help organizations defend against similar threats. The situation remains fluid as experts work to understand the broader implications of this espionage-focused campaign.