Same Packet, Different Magic: Mustang Panda Hits India's Banking Sector and Korea Geopolitics

    Date: 04/23/2026

    Severity: High

    Summary

    A new variant of the LOTUSLITE backdoor, attributed with moderate confidence to Mustang Panda, is targeting India’s banking sector using DLL sideloading with legitimate Microsoft-signed executables. The malware communicates with a dynamic DNS-based C2 over HTTPS and enables remote shell access, file operations, and session control, indicating espionage-driven objectives. Analysis shows strong code lineage with previous LOTUSLITE versions, along with evolving delivery methods and improved capabilities, reflecting ongoing development and a shift in targeting from U.S. government entities to financial institutions in India.

    Indicators of Compromise (IOC) List

    Domains/URLs

    editor.gleeze.com

    www.cosmosmusic.com

    Hashes (SHA-256)

    af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec

    cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8

    7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d

    9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d

    18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893

    6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135

    File Path

    C:\ProgramData\Microsoft_DNX\

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "www.cosmosmusic.com" or url like "www.cosmosmusic.com" or siteurl like "www.cosmosmusic.com" or domainname like "editor.gleeze.com" or url like "editor.gleeze.com" or siteurl like "editor.gleeze.com"

    Detection Query 2:

    sha256hash IN ("6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135","af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec","cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8","7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d","9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d","18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893")

    Detection Query 3:

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("C:\ProgramData\Microsoft_DNX\")

    Detection Query 4:

    technologygroup = "EDR" and objectname IN ("C:\ProgramData\Microsoft_DNX\")
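    The following is an added example, not part of the advisory and not Gurucul's TDIR query engine. It applies the same three checks as the queries above (domain/URL, SHA-256 hash, staging directory) to a handful of log records constructed for the demonstration, and shows the normalization a practitioner wants in front of those matches: the hash compare is case-insensitive, a URL field is reduced to its hostname before the domain compare, and the directory IOC is matched as a prefix, so that a Windows 4663 event that records the full path of a file inside C:\ProgramData\Microsoft_DNX\ still fires. The field names (domainname, url, siteurl, sha256hash, objectname) are taken from the queries; the record layout (one dict per event) is an assumption of this example.

```python
"""IOC matcher for the advisory's indicators (added example, not TDIR code).

Log record format is a constructed assumption: one dict per event whose keys
use the field names from the Gurucul queries above.
"""
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list.
IOC_DOMAINS = frozenset({"editor.gleeze.com", "www.cosmosmusic.com"})

# SHA-256 values are hex, so compare them case-insensitively.
IOC_SHA256 = frozenset(h.lower() for h in (
    "Af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec",
    "cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8",
    "7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d",
    "9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d",
    "18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893",
    "6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135",
))

# Staging directory, stored lower-case and without the trailing separator so it
# matches both the directory object itself and any file created inside it.
IOC_DIRS = ("c:\\programdata\\microsoft_dnx",)

DOMAIN_FIELDS = ("domainname", "url", "siteurl")
HASH_FIELDS = ("sha256hash",)
PATH_FIELDS = ("objectname",)


def extract_host(value: str) -> str:
    """Return the lower-case hostname from a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the value as a netloc
    return urlsplit(value).hostname or ""


def domain_hit(value: str) -> Optional[str]:
    """Match the host exactly or as a subdomain of a listed domain."""
    host = extract_host(value)
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def hash_hit(value: str) -> Optional[str]:
    h = value.strip().lower()
    return h if h in IOC_SHA256 else None


def path_hit(value: str) -> Optional[str]:
    """Case-insensitive prefix match; forward slashes are normalized."""
    p = value.strip().lower().replace("/", "\\")
    for d in IOC_DIRS:
        if p == d or p.startswith(d + "\\"):
            return d
    return None


def match_record(record: Dict[str, str]) -> List[str]:
    """Return human-readable IOC hits for one record (empty list = clean)."""
    hits: List[str] = []
    for field in DOMAIN_FIELDS:
        if field in record and (ioc := domain_hit(record[field])):
            hits.append(f"domain:{ioc} via {field}")
    for field in HASH_FIELDS:
        if field in record and (ioc := hash_hit(record[field])):
            hits.append(f"sha256:{ioc} via {field}")
    for field in PATH_FIELDS:
        if field in record and (ioc := path_hit(record[field])):
            hits.append(f"path:{ioc} via {field}")
    return hits


def scan(records: Iterable[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, hits) for every record that matched at least one IOC."""
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]


# Constructed sample events; none of these are real telemetry.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"domainname": "www.cosmosmusic.com"},                       # bare domain
    {"url": "https://EDITOR.gleeze.com/update/check?id=1"},      # URL field, mixed case
    {"sha256hash": "AF31EBE9085DF408BEDCF8F027FB60389897E5C8D3B0E9695FEA29774F9D3AEC"},
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": "C:\\ProgramData\\Microsoft_DNX\\loader.dll"},  # file inside the dir
    {"domainname": "www.example.com", "sha256hash": "00" * 32},  # benign
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"record {idx}: {', '.join(hits)}")
```

    Running the block reports hits for the first four constructed records and nothing for the benign one. The deliberate differences from a literal string compare are the points to carry into a real query: lower-case the hash on both sides, parse a hostname out of url/siteurl before comparing, and treat a directory IOC as a prefix rather than an exact object name.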

    Reference:

    https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/#f5RvDAntRR


    Tags

    Backdoor, Mustang Panda, India, DLL, Microsoft, United States, Government Services and Facilities, Financial Services, Malware
