A new espionage campaign targeting U.S. government entities has been uncovered, utilizing a custom backdoor dubbed LOTUSLITE. Researchers from the Acronis Threat Research Unit (TRU) have linked the activity with moderate confidence to the China-aligned threat group Mustang Panda, citing overlaps in tradecraft and infrastructure.
The campaign capitalizes on high-stakes geopolitical tensions, using a spear-phishing strategy that lures victims with documents related to U.S.-Venezuela relations.
The attack vector is classic but effective. The TRU team identified a malicious ZIP archive titled “US now deciding what’s next for Venezuela.zip”. While the scale of the campaign appears limited, the precise nature of the targeting, focused strictly on U.S. government and policy-related entities, raises the stakes regarding potential strategic impact.

According to the report, “This campaign reflects a continued trend of targeted spear phishing using geopolitical lures, favoring reliable execution techniques such as DLL sideloading over exploit-based initial access”.
Rather than using sophisticated zero-day exploits, the attackers relied on DLL sideloading, a technique frequently associated with Mustang Panda’s operations.
The infection chain involves a legitimate, signed executable, a launcher for a Tencent-owned music streaming service, which is used to sideload a malicious DLL file named kugou.dll. By placing the malicious DLL in the same directory as the trusted application, the attackers trick the legitimate program into running their code.
“The executable is used to sideload and execute the DLL, which functions as the primary backdoor, tracked as LOTUSLITE,” reads the report.
The payload, LOTUSLITE, is a custom C++ implant designed for espionage rather than financial gain. While researchers noted that the loader demonstrates “low development maturity” with minimal error handling, it possesses a decent persistence technique and supports remote tasking.
Once established, the backdoor communicates with a command-and-control (C2) server using a hard-coded IP address. To blend in with normal network traffic, it mimics legitimate web requests:
- It uses a Googlebot User-Agent string.
- It sets the referrer to Google and the Host header to a Microsoft domain.
- It utilizes a “magic” hex marker (0x8899AABB) to authenticate itself to the C2 server.
For persistence, the malware creates a directory in C:\ProgramData and adds a registry entry under the current user’s “Run” key, ensuring it executes every time the user logs in.
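The C2 mimicry described in the list above and the Run-key persistence described here both leave artifacts a defender can hunt for. The following triage script is an added example written for this article, not Acronis TRU’s tooling: it scores outbound HTTP proxy records against the beacon profile (Googlebot User-Agent, Google referrer, Microsoft Host header sent to a hard-coded IP, the 0x8899AABB marker in the body) and flags HKCU Run entries that launch from C:\ProgramData. The proxy-record field names, the registry-export format, the exact indicator spellings and the marker’s byte order are assumptions; the sample log and registry lines are constructed, not captured data.

```python
"""Triage checks for the LOTUSLITE indicators described in the article.

Hypothetical example code, not Acronis TRU's tooling. Proxy-record field
names and the registry-export format are assumptions chosen for the example;
the indicator strings (Googlebot UA, Google referrer, Microsoft Host header,
marker 0x8899AABB, HKCU Run key, C:\\ProgramData) come from the report, but
their exact spelling and the marker's byte order are assumed.
"""
from __future__ import annotations

import json
import re
from pathlib import PureWindowsPath

MAGIC_MARKER = 0x8899AABB
# Byte order is not stated in the report, so match both encodings.
MARKER_BYTES = (MAGIC_MARKER.to_bytes(4, "big"), MAGIC_MARKER.to_bytes(4, "little"))
GOOGLEBOT_RE = re.compile(r"googlebot", re.IGNORECASE)
GOOGLE_REFERER_RE = re.compile(r"^https?://(www\.)?google\.", re.IGNORECASE)
MICROSOFT_HOST_RE = re.compile(r"(^|\.)microsoft\.com$", re.IGNORECASE)
IPV4_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ALERT_THRESHOLD = 2  # one indicator alone is noisy; two or more is worth a ticket

# Constructed sample data, not captured traffic or a real registry export.
SAMPLE_PROXY_LOG = r"""
{"connect_to": "203.0.113.10", "host_header": "www.microsoft.com", "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "referer": "https://www.google.com/", "body_hex": "8899aabb0100"}
{"connect_to": "www.microsoft.com", "host_header": "www.microsoft.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "referer": "", "body_hex": ""}
{"connect_to": "203.0.113.11", "host_header": "cdn.example.net", "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "referer": "", "body_hex": ""}
""".strip()

SAMPLE_RUN_EXPORT = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Music = C:\ProgramData\KuGou\kugou.exe
""".strip()


def score_request(rec: dict) -> tuple[int, list[str]]:
    """Score one outbound HTTP request record against the beacon profile."""
    reasons: list[str] = []
    if GOOGLEBOT_RE.search(rec.get("user_agent", "")):
        # Googlebot is Google's crawler; a workstation never legitimately sends its UA.
        reasons.append("workstation presents a Googlebot User-Agent")
    if GOOGLE_REFERER_RE.match(rec.get("referer", "")):
        reasons.append("Referer claims to be google.com")
    if MICROSOFT_HOST_RE.search(rec.get("host_header", "")) and IPV4_LITERAL_RE.match(rec.get("connect_to", "")):
        # The implant connects to a hard-coded IP while the Host header names Microsoft.
        reasons.append("Host header names microsoft.com but the TCP peer is a literal IP")
    body = bytes.fromhex(rec.get("body_hex", ""))
    if any(marker in body for marker in MARKER_BYTES):
        reasons.append("request body carries the 0x8899AABB marker")
    return len(reasons), reasons


def triage_proxy_log(text: str) -> list[dict]:
    """Parse JSON-per-line proxy records and return those at or above the threshold."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        score, reasons = score_request(rec)
        if score >= ALERT_THRESHOLD:
            alerts.append({"line": lineno, "connect_to": rec.get("connect_to"), "score": score, "reasons": reasons})
    return alerts


RUN_KEY_RE = re.compile(
    r"^HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


def _first_token(command: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def flag_run_entries(lines) -> list[tuple[str, str]]:
    """Return (value name, executable) for HKCU Run entries launching from C:\\ProgramData."""
    hits = []
    for line in lines:
        if "=" not in line:
            continue
        key, _, command = line.partition("=")
        m = RUN_KEY_RE.match(key.strip())
        if not m:
            continue
        exe = _first_token(command)
        parts = [p.lower() for p in PureWindowsPath(exe).parts]
        if parts[:2] == ["c:\\", "programdata"]:
            hits.append((m.group("name"), exe))
    return hits


if __name__ == "__main__":
    for alert in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {alert['line']} -> {alert['connect_to']} score={alert['score']}: {'; '.join(alert['reasons'])}")
    for name, exe in flag_run_entries(SAMPLE_RUN_EXPORT.splitlines()):
        print(f"HKCU Run value {name!r} launches {exe} from C:\\ProgramData")
```

The scoring is deliberately additive: a lone Googlebot User-Agent from a workstation (third sample record) is odd but common enough in scanners and test tools that it only scores 1, whereas the first record stacks all four indicators and clearly warrants a ticket. The Run-key check is a coarse triage signal, since some legitimate installers also launch from C:\ProgramData; it narrows the review list rather than proving infection.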
One of the more bizarre aspects of the analysis involves hidden messages within the malware’s export functions. The researchers found “developer-inserted messaging” that appears to reference national identity.
“One function includes text distancing the author from a Russian origin, while the other contains an explicit self-identification statement claiming Chinese identity”.
Acronis TRU assesses with moderate confidence that the campaign is attributable to Mustang Panda. This conclusion is not based on code reuse alone, but rather on behavioral patterns, including the delivery style, the separation of the loader and DLL, and the specific use of legitimate executables like the “KuGou” music player.
The discovery of LOTUSLITE serves as a reminder that advanced persistent threats (APTs) often rely on operational reliability over technical complexity. As the report concludes, “While the malware itself demonstrates limited technical sophistication, its selective targeting and contextual lure usage indicate deliberate victim selection”.