At least one US government official
January 19, 2026
• [spearphishing, espionage, DLL sideloading]
HackRead summarized Acronis research describing an espionage-oriented spearphishing campaign targeting U.S. government entities using Venezuela-related news as bait. The described chain used a lure archive and DLL sideloading to load a backdoor dubbed LOTUSLITE, enabling remote access actions such as file collection and command execution on compromised systems. The article stated the researchers attributed the activity with moderate confidence to the China-backed group Mustang Panda (aka HoneyMyte).
At least one undisclosed organization in Bangladesh
January 1, 2025
• [cyber-espionage, typosquatting, Havoc C2]
Industrial Cyber summarized Arctic Wolf Labs findings that SloppyLemming conducted an extensive cyber-espionage campaign from January 2025 through January 2026 targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. The report notes recurring tradecraft such as typosquatted government-themed infrastructure, use of Cloudflare Workers, Havoc C2, and DLL sideloading, and names several targeted entities across defense, telecom, energy, and nuclear regulation. This is campaign-level reporting with multiple targets rather than a single incident record.