Mustang Panda, also known as TA416, Bronze President, or Stately Taurus, is now suspected of directing a campaign that targets India’s banking sector, extending beyond its traditional geopolitical focus. Researchers at the Acronis Threat Research Unit (TRU) believe the activity belongs to Mustang Panda because of shared code and operational patterns, even though the TTPs appear unremarkable on the surface.
The attack chain begins with spear-phishing messages sent to Indian targets and disguised as simple IT help desk issues. These lead to an intrusion through Windows DLL sideloading, with persistence established via the Windows Registry. A backdoor variant known as LotusLite is then used to establish shells, access files and conduct espionage. The variant carries minor edits to evade detection and is superficially disguised as legitimate banking software themed around HDFC Bank.
The campaign also touches Korea and the US policy ecosystem, where the group has impersonated a US political scientist to target policy circles. India remains the primary focus of the banking-sector targeting.