LOTUSLITE - Targeted espionage leveraging geopolitical themes
Acronis Threat Research Unit (TRU) observed a targeted malware campaign against U.S. government entities that used a politically themed ZIP archive containing a loader executable and a malicious DLL. The executable sideloads and executes the DLL, which functions as the primary backdoor and is tracked as LOTUSLITE. LOTUSLITE is a custom C++ implant that communicates with a hard-coded, IP-based command-and-control server and supports basic remote tasking and data exfiltration, together with a persistence mechanism; the capability set indicates espionage rather than financially motivated objectives. Infrastructure analysis and execution patterns show moderate-confidence overlap with Mustang Panda tradecraft, including delivery style, loader-DLL separation and infrastructure usage. Attribution is assessed at a behavioral level and does not rely on code reuse alone. The observed targeting is limited to U.S. government and policy-related entities, a focused victim set. While the overall scale appears limited, the nature of the targets raises the potential strategic impact.
This campaign reflects a continued trend of targeted spear phishing using geopolitical lures, favoring reliable execution techniques such as DLL sideloading over exploit-based initial access. Mustang Panda is a long-running espionage-oriented state-aligned threat entity, known for aligning its operations with current geopolitical developments. The group has consistently leveraged themes tied to international conferences, bilateral engagements and region-specific political events to support targeted intrusion activity against government and policy-related entities. Operationally, Mustang Panda favors medium-complexity, repeatable execution techniques, most notably the extensive use of DLL sideloading to deploy custom implants via benign or trusted executables. The group has also demonstrated repeated reuse of infrastructure and tooling, enabling analysts to cluster activity and assess attribution, even in the absence of direct malware code reuse.
Our investigation began after we identified a spear phishing archive named “US now deciding what’s next for Venezuela.zip”, uploaded for automated malware analysis from an IP address geolocated in the United States. The archive contained a legitimate executable and a hidden, nonstandard DLL, a combination frequently associated with Mustang Panda tradecraft. Running the executable loads the DLL through sideloading, so the malicious code executes inside a trusted-looking host process. The launcher, named “Maduro to be taken to New York.exe”, explicitly loads the malicious DLL with LoadLibraryW, resolves an exported function via GetProcAddress and transfers execution to it.
On further inspection, the loaded library, kugou.dll, turned out to be a backdoor, which we track as LOTUSLITE. Its sole purpose is to give the threat actor access to the host and to execute commands on demand. Its first capability is the creation of an interactive cmd.exe shell whose standard I/O is redirected over anonymous pipes, enabling remote command execution and real-time retrieval of command output.
The implant uses the Windows WinHTTP APIs to reach its command-and-control server, which helps the traffic blend in with normal web activity, and each request is shaped to look harmless: it carries a Googlebot User-Agent string, sets the Referer header to Google and presents the Host header as a Microsoft domain. A fixed session cookie is also included, most likely a simple way for the server to recognize the infected host. For defenders, this combination is itself a signal: Googlebot is a crawler and should not appear as the User-Agent on outbound traffic from a workstation, and a Host header naming a Microsoft domain on a connection to a hard-coded IP address is worth checking against the actual destination.
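As an added example (not code from the original article or from Acronis), the following Python triage check looks for the archive layout described above: an executable sitting next to a PE file carrying the DOS hidden attribute, the shape a loader plus sideloaded DLL takes inside a ZIP. The archive bytes are constructed inline with a fake two-byte "MZ" header so the check runs offline; the file names are taken from the article, and everything else (the decoy text file, the fake PE bodies) is assumed.

```python
import io
import posixpath
import zipfile

# DOS attribute bits live in the high 16 bits of ZipInfo.external_attr.
FILE_ATTRIBUTE_HIDDEN = 0x02


def build_sample_archive():
    """Constructed stand-in for the lure archive: tiny fake PE stubs, not the real files."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Maduro to be taken to New York.exe", fake_pe)
        info = zipfile.ZipInfo("kugou.dll")
        info.external_attr = FILE_ATTRIBUTE_HIDDEN << 16  # DLL is hidden once extracted
        zf.writestr(info, fake_pe)
        zf.writestr("readme.txt", b"decoy text")  # assumed non-PE filler
    return buf.getvalue()


def sideload_candidates(zip_bytes):
    """Pair every .exe with PE files (any extension) in the same archive directory.

    A non-.exe PE is treated as a DLL candidate regardless of its name, since the
    sideloaded library may carry a nonstandard extension. The hidden flag is reported
    so the analyst can rank pairs where the DLL was deliberately concealed.
    """
    exes, dlls = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"
            hidden = bool((info.external_attr >> 16) & FILE_ATTRIBUTE_HIDDEN)
            directory = posixpath.dirname(name)
            ext = posixpath.splitext(name)[1].lower()
            if ext == ".exe":
                exes.append((directory, name))
            elif is_pe:
                dlls.append((directory, name, hidden))
    findings = []
    for directory, exe in exes:
        for dll_dir, dll, hidden in dlls:
            if dll_dir == directory:
                findings.append({"exe": exe, "dll": dll, "hidden": hidden})
    return findings


if __name__ == "__main__":
    for finding in sideload_candidates(build_sample_archive()):
        print(finding)
```

The check deliberately keys on the PE magic rather than the extension, and on the archive's own attribute bits rather than the extracted file system, so it can run on the ZIP as submitted to a sandbox before anything is unpacked.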
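The request profile described above (Googlebot User-Agent, Google Referer, Microsoft Host header, fixed cookie, hard-coded IP destination) can be scored from proxy logs. The Python detection below is an added example, not Acronis's tooling: the tab-separated log format and the sample lines are constructed, the destination addresses come from documentation ranges, and the threshold of three repeated cookie values before a client is treated as beaconing is an assumption to tune per environment.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log excerpt (not real telemetry). Tab-separated fields:
# client_ip, url, host_header, user_agent, referer, cookie
SAMPLE_LOG = """\
10.0.5.21\thttp://203.0.113.77/update\twww.microsoft.com\tMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\thttps://www.google.com/\tSESSIONID=0f9e8d7c
10.0.5.21\thttp://203.0.113.77/update\twww.microsoft.com\tMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\thttps://www.google.com/\tSESSIONID=0f9e8d7c
10.0.5.21\thttp://203.0.113.77/update\twww.microsoft.com\tMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\thttps://www.google.com/\tSESSIONID=0f9e8d7c
10.0.5.33\thttps://www.microsoft.com/en-us/\twww.microsoft.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0\t-\tMUID=3a2b1c
10.0.5.40\thttps://www.google.com/search?q=x\twww.google.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\t-\tNID=511
10.0.5.40\thttps://www.google.com/search?q=y\twww.google.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\t-\tNID=512
"""

FIELDS = ("client", "url", "host", "ua", "referer", "cookie")
BEACON_MIN_REPEATS = 3  # assumption: identical cookie seen this many times from one client


def parse_log(text):
    """Split the tab-separated lines into dicts, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def is_ip_literal(authority):
    """True if the URL authority is a bare IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(authority)
        return True
    except ValueError:
        return False


def score_request(row, cookie_counts):
    """Return (score, reasons) for one request using the traits the article describes."""
    reasons = []
    authority = urlsplit(row["url"]).hostname or ""
    host = row["host"].lower()

    # 1. Googlebot is a crawler UA; it should never originate from an internal client.
    if "googlebot" in row["ua"].lower():
        reasons.append("crawler User-Agent (Googlebot) on egress request")

    # 2. Host header names a domain but the connection went to a raw IP: the header
    #    was set by hand (WinHTTP allows this) and does not match the real destination.
    if is_ip_literal(authority) and host and host != authority:
        reasons.append(f"Host header {host!r} does not match IP destination {authority}")

    # 3. A Google Referer on a request to a non-Google host is cheap cover traffic.
    if "google.com" in row["referer"].lower() and not host.endswith("google.com"):
        reasons.append("Google Referer on request to non-Google host")

    # 4. The same cookie value on every request from one client looks like a
    #    hard-coded victim identifier rather than a server-issued session.
    if cookie_counts[(row["client"], row["cookie"])] >= BEACON_MIN_REPEATS:
        reasons.append("static cookie repeated across requests (possible beacon ID)")

    return len(reasons), reasons


def detect(log_text, min_score=2):
    """Return one finding per (client, destination) whose best request reaches min_score."""
    rows = parse_log(log_text)
    cookie_counts = Counter((r["client"], r["cookie"]) for r in rows)
    findings = {}
    for row in rows:
        score, reasons = score_request(row, cookie_counts)
        if score < min_score:
            continue
        key = (row["client"], urlsplit(row["url"]).hostname or "")
        if key not in findings or findings[key]["score"] < score:
            findings[key] = {"client": key[0], "destination": key[1],
                             "score": score, "reasons": reasons}
    return sorted(findings.values(), key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding["client"], "->", finding["destination"], finding["score"])
        for reason in finding["reasons"]:
            print("  ", reason)
```

Each trait alone is weak (corporate proxies do see odd User-Agents), which is why the logic scores them and reports the reasons rather than alerting on any single header; a genuine browser session to Microsoft or Google in the sample scores zero.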
To read the complete article see: Acronis.