SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

LOTUSLITE backdoor targets US policy bodies with lures

Thu, 22nd Jan 2026

Acronis researchers have identified a malware campaign dubbed LOTUSLITE that used politically themed emails and a ZIP attachment to target US government-related organisations, installing a backdoor for ongoing access.

The Acronis Threat Research Unit said the campaign is part of a broader trend in which attackers leverage real-world geopolitical events and breaking news to make phishing lures more credible. The group noted that this method can be effective even against organisations with strong phishing defences.

The campaign delivered a ZIP file containing a legitimate executable and a malicious dynamic link library (DLL). The executable loaded the DLL via DLL sideloading, allowing the malicious code to run without relying on any software exploit.

"Based on our analysis, we assess with moderate confidence that this campaign is attributable to Mustang Panda," said the Acronis Threat Research Unit.

Acronis monitored malware activity tied to geopolitical developments between the United States and Venezuela, uncovering a targeted campaign that delivered a previously undocumented DLL-based backdoor.

The phishing archive identified by researchers was named "US now deciding what's next for Venezuela.zip". It included a legitimate program and a hidden DLL. The launcher executable, named "Maduro to be taken to New York.exe", was a renamed binary for a Tencent-owned music streaming service that explicitly loaded the malicious DLL via Windows APIs.

The DLL, kugou.dll, served as the primary backdoor. LOTUSLITE is a custom C++ implant with a hard-coded IP-based command-and-control server that supports basic remote tasking and data exfiltration. Its persistence techniques indicated an espionage-focused objective rather than financial gain.

The loader exhibited limited development maturity, with minimal error handling and limited defensive evasion, suggesting rapid operational deployment rather than a long-term maintained malware framework.

LOTUSLITE collected system information, including the computer name and username; it could also spawn an interactive cmd.exe shell for remote commands, enumerate files, and perform file operations.

The implant used Windows WinHTTP APIs to communicate with its command-and-control server. Traffic mimicked routine web activity, using a Googlebot User-Agent, a Google referrer, and a Microsoft domain in the Host header. A fixed session cookie likely acted as a host identifier, while a hard-coded header sequence signalled valid implant requests.

LOTUSLITE created a directory at C:\ProgrammeData\Technology360NB, renamed the launcher to DataTechnology.exe, and executed it with a "-DATA" command-line argument. It created a registry entry under the current user's Run key with the value name "Lite360", ensuring the implant runs at each login.
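The beaconing pattern and the persistence artifacts described in the two paragraphs above translate directly into host and network detections. The following is an added example, not Acronis code: it scores constructed telemetry records (a simplified event shape assumed for this example) against the launcher, Run key and spoofed-header behaviours the article reports.

```python
import ipaddress

# Artifacts named in the article (matching below is case-insensitive).
STAGING_DIR = "technology360nb"
LAUNCHER = "\\datatechnology.exe"
RUN_VALUE = "\\currentversion\\run\\lite360"

def is_raw_ip(dst: str) -> bool:
    """True if the connection target is a bare IP address, not a hostname."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False

def classify(ev: dict):
    """Return a reason string if the event matches a LOTUSLITE behaviour, else None."""
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        if image.endswith(LAUNCHER) and "-data" in ev.get("cmdline", "").lower():
            return "renamed launcher run with -DATA argument"
        if STAGING_DIR in image:
            return "execution from Technology360NB staging directory"
    elif kind == "registry" and ev.get("key", "").lower().endswith(RUN_VALUE):
        return "Run key persistence value Lite360"
    elif kind == "http":
        # Googlebot connects inbound to web servers. An outbound request from a
        # workstation with that UA, a Google referrer and a Microsoft Host header,
        # yet sent to a bare IP, is the beacon pattern the article describes.
        if ("googlebot" in ev.get("user_agent", "").lower()
                and "google." in ev.get("referer", "").lower()
                and "microsoft" in ev.get("host", "").lower()
                and is_raw_ip(ev.get("dst", ""))):
            return "spoofed Googlebot beacon to raw IP with Microsoft Host header"
    return None

def triage(events):
    """Return [(index, reason)] for every event that matches a detector."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

# Constructed sample telemetry (not from the report); 203.0.113.10 is a TEST-NET address.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\ProgrammeData\Technology360NB\DataTechnology.exe",
     "cmdline": r'"C:\ProgrammeData\Technology360NB\DataTechnology.exe" -DATA'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Lite360"},
    {"type": "http", "dst": "203.0.113.10", "host": "www.microsoft.com",
     "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "referer": "https://www.google.com/"},
    {"type": "http", "dst": "www.microsoft.com", "host": "www.microsoft.com",
     "user_agent": "Mozilla/5.0 Edge", "referer": ""},
]
```

The last record is a benign control: its Host header agrees with the destination hostname, so it is not flagged.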

The DLL exported two functions, EvtNext and EvtQuery, delivering messages referencing national identity, including statements distancing the author from Russia and claiming Chinese identity.

Samples communicated with a command-and-control server at 172[.]81[.]60[.]97, hosted in Phoenix, Arizona, using Dynu Systems for dynamic DNS. Passive network observations revealed repeated TCP connections on port 443.

Acronis assessed with moderate confidence that Mustang Panda, a long-running espionage-focused, state-aligned threat group, was behind the campaign, based on delivery style, loader/DLL separation, and infrastructure usage. The researchers also referenced prior reporting involving KuGou executables in politically themed archives.

Acronis said the campaign targeted US government and policy-related entities and predicted that targeted spear-phishing using geopolitical lures would remain common.