New Delhi: India’s banking sector has come under fresh cyber surveillance after researchers flagged a new malware campaign linked to a known threat group. The activity marks a shift in targeting, moving away from traditional government entities to financial institutions.
The findings come from the Acronis Threat Research Unit, which reported that it “identified a new variant of the LOTUSLITE backdoor with a theme related to India’s banking sector.” The campaign was observed in March 2026 and appears to be part of a larger espionage effort rather than a direct financial attack.
LOTUSLITE backdoor shifts focus to Indian banks
Researchers say the updated LOTUSLITE variant is built for stealth and control. It allows attackers to remotely access infected systems, manage files, and maintain sessions without drawing attention. The report notes that the malware “supports remote shell access, file operations and session management,” pointing to long-term surveillance capabilities.
What makes this campaign notable is its clear pivot in victim profile. Previous activity linked to this malware largely targeted government and diplomatic entities. The latest campaign instead uses banking-related themes, including references such as “HDFC Bank Limited” embedded within the code, to blend in with legitimate workflows.
Attack chain uses trusted Microsoft tools
The infection process relies on a mix of social engineering and technical evasion. It begins with a malicious CHM file, often disguised as a support-related document. Once opened, the file triggers a sequence that downloads and executes a JavaScript payload.
This payload then leverages a legitimate Microsoft-signed executable to load a malicious DLL. The use of a trusted binary is a key tactic. As the report explains, the malware is “delivered via DLL sideloading using a legitimate Microsoft-signed executable,” allowing it to bypass basic security checks.
The backdoor then connects to a remote command-and-control server over HTTPS, blending its traffic with normal internet activity.
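The chain described above has two observable stages on an endpoint before any HTTPS traffic leaves the host: the CHM viewer launching a script interpreter, and a Microsoft-signed binary loading a DLL from a folder a normal user can write to. The following detection routine is an added example and is not code from the Acronis report or from the campaign; it runs over constructed Sysmon-style process-creation and image-load records, and every path, file name and the list of user-writable folders are assumptions for illustration rather than indicators from the report. The one fact it relies on beyond the article is that hh.exe, the Windows HTML Help viewer, is the default handler for .chm files.

```python
"""Detection heuristics for the chain described above: CHM opened -> script host
launched -> Microsoft-signed binary sideloads a DLL from a user-writable folder.

Sample events below are constructed to look like Sysmon-style process-creation
(ID 1) and image-load (ID 7) records; field names and every path are assumptions
for illustration, not indicators from the report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# hh.exe is the Windows HTML Help viewer, the default handler for .chm files.
CHM_HANDLER = "hh.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
MS_SIGNER = "Microsoft Windows"
# Folders a standard user can write to; a signed system binary loading a DLL from
# here is the classic sideloading shape (assumed list, extend to taste).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Event:
    kind: str                            # "process" or "imageload"
    image: str                           # path of the process image
    image_signer: Optional[str] = None   # signer of the process image, if any
    parent_image: Optional[str] = None   # process events: parent's image path
    loaded: Optional[str] = None         # imageload events: DLL path
    loaded_signer: Optional[str] = None  # imageload events: DLL signer, if any


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, offending_path) pairs for events matching a stage of the chain."""
    alerts = []
    for e in events:
        if e.kind == "process":
            # Stage 1: the CHM viewer spawning a script interpreter is not a
            # normal help-file interaction.
            if e.parent_image and basename(e.parent_image) == CHM_HANDLER \
                    and basename(e.image) in SCRIPT_HOSTS:
                alerts.append(("chm_spawns_script_host", e.image))
            # Stage 2a: a Microsoft-signed binary executing from a user-writable
            # folder suggests it was dropped there beside a malicious DLL.
            if e.image_signer == MS_SIGNER and in_user_writable(e.image):
                alerts.append(("signed_binary_in_user_dir", e.image))
        elif e.kind == "imageload" and e.loaded:
            # Stage 2b: a Microsoft-signed process loading an unsigned or
            # third-party-signed DLL from a user-writable folder.
            if e.image_signer == MS_SIGNER and in_user_writable(e.loaded) \
                    and e.loaded_signer != MS_SIGNER:
                alerts.append(("signed_binary_sideloads_dll", e.loaded))
    return alerts


# Constructed sample telemetry: three benign events and three matching the chain.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\hh.exe", MS_SIGNER, r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Windows\System32\wscript.exe", MS_SIGNER, r"C:\Windows\hh.exe"),
    Event("process", r"C:\Users\alice\AppData\Local\Temp\helper.exe", MS_SIGNER,
          r"C:\Windows\System32\wscript.exe"),
    Event("imageload", r"C:\Users\alice\AppData\Local\Temp\helper.exe", MS_SIGNER,
          loaded=r"C:\Users\alice\AppData\Local\Temp\support.dll", loaded_signer=None),
    Event("imageload", r"C:\Users\alice\AppData\Local\Temp\helper.exe", MS_SIGNER,
          loaded=r"C:\Windows\System32\kernel32.dll", loaded_signer=MS_SIGNER),
    Event("process", r"C:\Windows\System32\notepad.exe", MS_SIGNER, r"C:\Windows\explorer.exe"),
]


def run_sample() -> List[Tuple[str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, path in run_sample():
        print(f"{rule}: {path}")
```

The three rules fire independently so that a single benign hit (a signed tool legitimately run from Downloads, for instance) stays low severity, while the same host producing all three within a short window is the shape a triage analyst should escalate. The HTTPS command-and-control stage is deliberately left out: the article gives no network indicators, and blended TLS traffic is better caught by correlating the endpoint alerts above with the process that opened the connection than by content inspection.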
Links to Mustang Panda?
The campaign has been attributed with moderate confidence to Mustang Panda. Researchers based this assessment on shared code structures, infrastructure patterns, and operational behaviour seen in earlier campaigns.
The report highlights that the malware retains “identical command structures, shared persistence mechanisms, and residual artefacts” from previous versions. These overlaps suggest the same developer or team continues to refine the tool rather than creating new malware from scratch.
LOTUSLITE shows active development
The latest LOTUSLITE version introduces small but meaningful changes. Internal flags have been modified, network signatures have been updated, and the code structure has become more modular. These adjustments are designed to evade detection systems that may have identified earlier variants.
Despite these updates, the core functionality remains unchanged. The malware continues to rely on simple techniques executed carefully. Researchers note that this combination of low complexity and targeted delivery keeps the campaign effective.
Implications for India’s financial sector
The shift toward banking targets raises concerns about data exposure and long-term access within financial networks. This campaign does not appear focused on immediate financial theft. Instead, it aligns with espionage-driven objectives, where attackers aim to remain quietly inside systems and monitor activity over time.