2026-04-21 Dark Reading

Chinese APT Targets Indian Banks, Korean Policy in New Cyber Campaign

APT · Threat Intel · Malware

A newly identified Chinese advanced persistent threat (APT) group has launched a coordinated cyber‑espionage campaign against major Indian financial institutions and South Korean policy‑making bodies, according to researchers at Dark Reading. The operation, attributed with medium‑high confidence to the Chinese‑linked actor tracked as APT41 (also known as Winnti‑Group), is designed to harvest sensitive monetary‑policy data and strategic government documents. Initial forensic analysis shows the intrusions began in early February 2026, with the threat actors employing a blend of spear‑phishing lures and custom malware to gain initial access.

The technical arsenal used in the campaign includes a novel backdoor named "NitroShell" that is delivered via malicious Microsoft Word attachments. Once opened, the documents exploit a known vulnerability (CVE‑2022‑26899) in the Windows Common Log File System (CLFS) driver to elevate privileges and execute a DLL‑sideloading routine that loads the payload alongside a legitimate Microsoft binary. The implant communicates with command‑and‑control (C2) servers hosted on domains such as svc‑update[.]net and api‑config[.]ru using TLS‑encrypted HTTP beacons reminiscent of Cobalt Strike. Credential harvesting is performed with an in‑memory Mimikatz module, and exfiltrated data is packed into encrypted ZIP archives before being sent out over port 443.

Targets of the campaign include India’s largest banks—State Bank of India (SBI), HDFC Bank, and ICICI Bank—as well as the Reserve Bank of India (RBI), where attackers focused on internal regulatory drafts and exchange‑rate forecasts. On the Korean side, the threat actors singled out the Ministry of Foreign Affairs, the National Intelligence Service (NIS), and influential think‑tanks such as the Korea Institute for National Unification (KINU). The goal appears to be collection of financial‑regulation blueprints, bilateral trade negotiations, and assessments of regional security policies.

In response, CERT‑In issued an emergency advisory urging immediate patching of CVE‑2022‑26899, network segmentation of critical banking systems, and enhanced email filtering to block the malicious Word documents. Korean authorities have initiated a joint investigation with the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Security teams are advised to monitor for NitroShell-specific process creation events, block the identified C2 domains, and enforce multi‑factor authentication (MFA) across all privileged accounts to mitigate credential‑theft risks.
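The advisory's "block the identified C2 domains" step, as an added example that is not from the Dark Reading report or the page: it refangs the two domains printed in the article (written here with plain ASCII hyphens), matches them and their subdomains against outbound proxy records, and flags unusually large uploads on 443 as candidate ZIP exfiltration. The log line format, the sample lines and the 1 MB bulk-upload threshold are assumptions made for this example; the "NitroShell-specific process creation events" the advisory mentions are not described on the page, so they are not modelled here.

```python
import re

# C2 domains exactly as the article prints them, in defanged form.
C2_DOMAINS_DEFANGED = ("svc-update[.]net", "api-config[.]ru")

def refang(indicator: str) -> str:
    """Turn a defanged domain ('svc-update[.]net') back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()

C2_DOMAINS = frozenset(refang(d) for d in C2_DOMAINS_DEFANGED)

def is_c2_host(host: str) -> bool:
    """True for an exact match or any subdomain of a listed C2 domain."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

# Proxy log format assumed for this example: "<ts> <src_ip> <dst_host> <dst_port> <bytes_out>"
PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def scan_proxy_log(lines):
    """Return one alert dict per line whose destination is a listed C2 domain.

    The article says both beacons and the encrypted ZIP exfiltration ride TLS on 443,
    so each alert also notes whether bytes_out exceeds an (assumed) 1 MB bulk threshold.
    """
    alerts = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, src, host, port, bytes_out = m.groups()
        if is_c2_host(host):
            alerts.append({
                "ts": ts, "src": src, "host": host, "port": int(port),
                "bulk_upload": int(bytes_out) > 1_000_000,
            })
    return alerts

# Constructed sample log, not real traffic: two benign lines, one beacon, one bulk upload.
SAMPLE_PROXY_LOG = """\
2026-02-03T09:12:01Z 10.20.1.15 update.microsoft.com 443 1840
2026-02-03T09:12:07Z 10.20.1.15 cdn.svc-update.net 443 912
2026-02-03T09:13:44Z 10.20.1.42 mail.example.org 443 2201
2026-02-03T11:40:19Z 10.20.1.15 api-config.ru 443 58234112
""".splitlines()

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert)
```

Feed the same function your real proxy or DNS export once the regex is adapted to its column order; subdomain matching is what keeps a beacon to a host like cdn.svc-update.net from slipping past an exact-match blocklist.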

Source: Dark Reading
