Ballot, Bytes, and Backdoors: Chinese APT Election Interference from the Balkans to South Asia

Elections are a consistent target for nation-state cyber operations. Our analysis shows that Chinese-nexus threat actors apply a structured and repeatable approach to election-related targeting beyond their immediate geographic scope.

Between late 2025 and early 2026, we tracked activity attributed to Mustang Panda (Earth Preta / UNC6384) across the Kosovo parliamentary elections, Myanmar’s political transition, and the Bangladesh Election Commission. Across these campaigns, we observed coordinated targeting of electoral institutions, diplomatic staff, and political observers in both the Balkans and South Asia using LNK to PowerShell execution chains, DLL sideloading via trojanized binaries, and the HANLOADER backdoor alongside elements of the PlugX ecosystem.

We show that these operations form a cross-regional election-targeting framework in which delivery chains, infrastructure patterns, and tooling are reused while lure content is adapted to local political contexts. We analyze the evolution of the delivery chain from hardcoded byte-offset extraction to magic-byte marker scanning, and identify stable tradecraft fingerprints that persist across campaigns.

Attendees will gain practical insight into identifying early-stage election-themed campaigns, correlating activity across regions, and prioritizing infrastructure linked to recurring tradecraft patterns.