Ethical Hacking News
Chinese state-backed operators launched a phishing campaign against US government agencies and policy-related organizations within days of the capture of Venezuelan President Nicolás Maduro. The activity was attributed to a Beijing-backed espionage crew known as Mustang Panda, which exploited vulnerabilities in Sitecore products and Windows flaws to gain access to victims' environments. It is unclear whether any targeted computers were successfully compromised, but the campaign illustrates the ongoing threat posed by Chinese cyberespionage and the need for vigilance and cooperation to counter it.
In brief: the phishing campaign targeted US government agencies and policy-related organizations and was attributed to Mustang Panda. The lure was a zip file carrying a DLL-based backdoor called Lotuslite, and the attackers also exploited a ViewState deserialization zero-day vulnerability in Sitecore products. Targeting was selective rather than broad, suggesting the attackers were pursuing specific vulnerabilities or opportunities, and the campaign shows that China's cyberespionage efforts are ongoing and event-responsive rather than static.
China has been using its espionage efforts to capitalize on geopolitical events, and a recent phishing campaign is a prime example of this. The attack, which began just days after the capture of Venezuelan President Nicolás Maduro, targeted US government agencies and policy-related organizations.
According to Acronis Threat Research Unit, the campaign was attributed to a Beijing-backed espionage crew known as Mustang Panda (also referred to as UNC6384 or Twill Typhoon). This group has been tracked by US law enforcement and cyber agents for years, and has been blamed for breaking into numerous government and private organizations in the US, Europe, and the Indo-Pacific region.
The phishing campaign used a zip file named "US now deciding what's next for Venezuela" as its lure. The archive contained a legitimate executable alongside a hidden, DLL-based backdoor called Lotuslite. Acronis' threat hunters detailed the crew's latest campaign and provided a technical analysis of the new Lotuslite malware.
Santiago Pontiroli, a threat intelligence research lead at Acronis, described the attack as "precise" and "targeted." However, it is unclear whether the attackers successfully compromised any targeted computers. The targeting appears to be selective rather than a broad "spray and pray" approach, suggesting that the attackers were pursuing specific vulnerabilities or opportunities.
The campaign is part of a broader pattern of ongoing cyberespionage activity by China that is opportunistic and event-responsive rather than static. In this particular case, the attackers moved fast immediately after Maduro was captured, indicating a level of urgency and desperation in their efforts.
It is worth noting that the attackers exploited a ViewState deserialization zero-day vulnerability in Sitecore products to gain initial access to victims' environments. This vulnerability was patched in September 2025, but it appears that the attackers were aware of its existence before it was publicly disclosed.
Mustang Panda is known for using medium-complexity, repeatable execution techniques to deploy custom implants via benign or trusted executables. The campaign's use of DLL sideloading (packaging a malicious DLL next to a legitimate, signed executable so that the executable loads the DLL when it runs) together with the hidden Lotuslite backdoor suggests a high level of sophistication and expertise on the part of the attackers.
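The lure pattern described above (a benign executable packaged alongside a hidden DLL) can be triaged automatically before an archive reaches a user. The following is an added defensive example, not code from Acronis or from the article: it inspects a zip archive for executable/DLL pairs in the same directory, checks whether the DLL carries the Windows hidden attribute, and verifies the DLL starts with a PE (MZ) header. The sample archive it builds is constructed for the demonstration; the file names and contents are placeholders, not the real campaign files.

```python
"""Triage a zip archive for a DLL-sideloading lure: a benign-looking executable
packaged next to a hidden DLL it would load at runtime.

Added example, not from Acronis or the article. The archive built by
build_sample_archive() is constructed here; its names and bytes are placeholders."""
import io
import zipfile
from dataclasses import dataclass, field

FILE_ATTRIBUTE_HIDDEN = 0x2          # Windows attribute bit kept in the low 16 bits of external_attr
EXEC_EXTS = (".exe", ".scr", ".com")
DLL_EXTS = (".dll",)


@dataclass
class Finding:
    executable: str
    dll: str
    dll_hidden: bool
    reasons: list = field(default_factory=list)


def _win_attrs(info: zipfile.ZipInfo) -> int:
    # Only archives created on Windows (create_system == 0) store MS-DOS/Windows
    # attributes in the low 16 bits of external_attr; ignore the field otherwise.
    return info.external_attr & 0xFFFF if info.create_system == 0 else 0


def _dirname(name: str) -> str:
    return name.rsplit("/", 1)[0] if "/" in name else ""


def find_sideload_pairs(archive: bytes) -> list:
    """Return one Finding per (executable, DLL) pair that sits in the same directory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        exes = [i for i in infos if i.filename.lower().endswith(EXEC_EXTS)]
        dlls = [i for i in infos if i.filename.lower().endswith(DLL_EXTS)]
        for exe in exes:
            for dll in dlls:
                if _dirname(exe.filename) != _dirname(dll.filename):
                    continue
                hidden = bool(_win_attrs(dll) & FILE_ATTRIBUTE_HIDDEN)
                reasons = ["executable and DLL in the same directory"]
                if hidden:
                    reasons.append("DLL carries the Windows hidden attribute")
                # Cheap sanity check: a real DLL begins with the MZ header.
                if zf.read(dll.filename)[:2] == b"MZ":
                    reasons.append("DLL has a PE (MZ) header")
                findings.append(Finding(exe.filename, dll.filename, hidden, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure-style archive: a stub executable plus a hidden DLL placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("briefing/Venezuela_update.exe", b"MZ" + b"\0" * 62)
        dll = zipfile.ZipInfo("briefing/helper.dll")
        dll.create_system = 0                    # mark as created on Windows
        dll.external_attr = FILE_ATTRIBUTE_HIDDEN
        zf.writestr(dll, b"MZ" + b"\0" * 62)
        zf.writestr("briefing/README.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_sideload_pairs(build_sample_archive()):
        print(f"{f.executable} + {f.dll} hidden={f.dll_hidden}: {'; '.join(f.reasons)}")
```

A hit from this check is a triage signal, not a verdict: legitimate software is also shipped as an executable with companion DLLs, so the finding is best used to route the archive to sandbox detonation or to compare the DLL's hash and signature against the vendor's known-good set.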
The campaign's targeting and tactics suggest that China is continuing to use its espionage efforts to advance its interests in the US and elsewhere. As such, it highlights the ongoing threat posed by Chinese cyberespionage and the need for vigilance and cooperation between governments, industry, and civil society to counter this threat.
Related Information:
https://www.ethicalhackingnews.com/articles/Chinese-Spies-Use-Maduros-Capture-as-Lure-to-Phish-US-Agencies-ehn.shtml
Published: Thu Jan 15 16:21:06 2026 by llama3.2 3B Q4_K_M