
Microsoft-Signed Binary Supports LOTUSLITE Delivery in India Spy Campaign


New LOTUSLITE Backdoor Targets Indian Banking Sector, Linked to Mustang Panda Espionage Group

Researchers have identified that Microsoft-signed developer tooling is being abused to deploy a new variant of the LOTUSLITE backdoor against Indian banks and financial institutions. The Acronis Threat Research Unit (TRU) attributes the activity, with moderate confidence, to the China-nexus espionage group known as Mustang Panda.

LOTUSLITE is built for espionage: it offers remote shell access, file operations, and session management, and has no obvious monetization features, which points to data gathering rather than financial theft. Its traffic is tunneled over HTTPS to a command-and-control (C2) endpoint on free dynamic DNS infrastructure, editor[.]gleeze[.]com, consistent with earlier LOTUSLITE activity and with the group's established operational patterns.

Dubbed LOTUSLITE v1.1, this updated implant maintains the core protocol and command set of the original LOTUSLITE campaign. This suggests that the variant is more of an iterative enhancement rather than an entirely new form of malware. Acronis Threat Research Unit (TRU) has observed that this latest LOTUSLITE build specifically targets India’s banking sector, shifting away from its earlier focus on U.S. government entities to banks and related organizations in the region.

Researchers assessing the codebase note that it is under active maintenance, with incremental changes for evasion and operational flexibility. The attack chain begins with spear-phishing that delivers a compiled HTML Help (CHM) file disguised as a banking "request for support" ticket. When the victim opens the CHM, a seemingly innocuous pop-up is displayed while an embedded JavaScript automation script programmatically activates the ActiveX objects in the help file to drop a Microsoft-signed executable (Microsoft_DNX.exe) and a malicious DLL into C:\Users\Public\Documents and launch the executable.

Once launched, Microsoft_DNX.exe calls LoadLibraryExW to load the DLL from its own directory, a classic DLL sideload. The malicious code therefore runs inside a process whose image carries a valid Microsoft signature, so controls that trust the host binary on the strength of its signature do not fire, and detection has to look at the loaded DLL and where the pair is running from rather than at the executable alone.

Further examination indicates that the same LOTUSLITE v1.1 framework is also being used in parallel campaigns against South Korean and U.S. policy communities. In those instances the operators use diplomatic lures and spoof the identities of high-profile figures involved in security matters on the Korean Peninsula and in the Indo-Pacific. Between builds they rotate internal flags and alter C2 packet identifiers to evade detection while keeping the same operational behaviour.

The malware's core functionality is unchanged across these campaigns; the variations are limited to mutex names and decoy files. This indicates that Mustang Panda is maintaining a single codebase and retargeting it to different geopolitical interests. Analysts read this as a strategic pivot: a broader shift from U.S. government targets to banks in India and diplomatic entities in Korea.

The implications are significant for cybersecurity stakeholders in the Indian financial sector and in political organizations. LOTUSLITE v1.1 underscores the need to monitor for signed binaries, particularly those running from user-writable paths such as C:\Users\Public, that load DLLs from their own directory, and to watch for HTTPS traffic to dynamic DNS domains. A valid signature on the executable alone clears nothing here; the check has to cover the DLL it loads and the location both were run from.
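To make the two detections concrete, here is an added example that is not from the article or from Acronis TRU. It runs over constructed Sysmon-style records, Event ID 7 (ImageLoaded) and Event ID 22 (DNSQuery), flags a Microsoft-signed host that loads a non-Microsoft DLL from its own directory outside the normal program roots, flags DNS queries for dynamic DNS zones, and correlates the two on the querying process. The `ImageSignature` field is an assumed enrichment giving the host process's signer (Sysmon does not record it on Event 7), the sample paths are constructed, and `payload.dll` is a placeholder because the article does not name the sideloaded DLL.

```python
"""Added example: detection logic for the LOTUSLITE v1.1 tradecraft described
in the article (signed host sideloading a same-directory DLL from a
user-writable path, plus egress to a dynamic-DNS hostname). All events below
are constructed, not data from the campaign."""
from pathlib import PureWindowsPath

# Dynamic-DNS zones to match. gleeze.com is the zone used by the C2 named in the
# article; the others are common free providers (assumption: extend to taste).
DYNDNS_SUFFIXES = (".gleeze.com", ".ddns.net", ".duckdns.org", ".no-ip.org", ".hopto.org")

# Roots a normal user cannot write to. A signed binary sideloading its own DLL
# from here is ordinary; from anywhere else it is worth a look.
TRUSTED_ROOTS = tuple(PureWindowsPath(p) for p in (
    r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"))

# Constructed sample events. "ImageSignature" is an assumed enrichment field
# (signer of the host process); "payload.dll" is a placeholder DLL name.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Documents\Microsoft_DNX.exe",
     "ImageSignature": "Microsoft Corporation",
     "ImageLoaded": r"C:\Users\Public\Documents\payload.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageSignature": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageSignature": "Vendor Inc",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 22, "Image": r"C:\Users\Public\Documents\Microsoft_DNX.exe",
     "QueryName": "editor.gleeze.com", "QueryStatus": "0"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.microsoft.com", "QueryStatus": "0"},
]


def under_trusted_root(path):
    """True if path sits under a root normal users cannot write to.
    PureWindowsPath comparisons are case-insensitive, as on NTFS."""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in TRUSTED_ROOTS)


def is_microsoft_signer(signer):
    return signer.startswith("Microsoft")


def suspicious_sideloads(events):
    """Microsoft-signed host, DLL from the host's own directory that is not
    Microsoft-signed, host running outside TRUSTED_ROOTS. Returns (host, dll)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        host_ms = is_microsoft_signer(ev.get("ImageSignature", ""))
        dll_ms = ev.get("Signed") == "true" and is_microsoft_signer(ev.get("Signature", ""))
        if host_ms and not dll_ms and host.parent == dll.parent and not under_trusted_root(host):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


def dyndns_queries(events):
    """DNS queries (Event 22) for names inside a dynamic-DNS zone. Returns (image, name)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        name = ev.get("QueryName", "").lower().rstrip(".")
        if any(name == s[1:] or name.endswith(s) for s in DYNDNS_SUFFIXES):
            hits.append((ev["Image"], name))
    return hits


def correlate(events):
    """Processes that both sideloaded a DLL and resolved a dynamic-DNS name."""
    loaders = {host.lower() for host, _ in suspicious_sideloads(events)}
    return [(img, name) for img, name in dyndns_queries(events) if img.lower() in loaders]


if __name__ == "__main__":
    for host, dll in suspicious_sideloads(SAMPLE_EVENTS):
        print(f"SIDELOAD   {host} -> {dll}")
    for img, name in dyndns_queries(SAMPLE_EVENTS):
        print(f"DYNDNS     {img} -> {name}")
    for img, name in correlate(SAMPLE_EVENTS):
        print(f"CORRELATED {img} sideloaded a DLL and queried {name}")
```

Run against the constructed events, only Microsoft_DNX.exe is flagged: svchost.exe loading kernel32.dll is a Microsoft-signed DLL from a trusted root, and the unsigned helper.dll under Program Files is excluded by the root filter, which is the trade-off to revisit if you see attackers dropping into ProgramData or vendor directories. In production the Sysmon Event 7 `Signed`/`Signature` fields describe the loaded DLL only, so the host's signer has to be looked up (Authenticode check or a process-creation enrichment) before this rule is meaningful.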

Even a moderately advanced implant like LOTUSLITE can sustain access when it rides on trusted tooling and is adapted in response to public reporting. Defenders facing groups like Mustang Panda should plan for that cadence: the same codebase is now being pointed at targets well beyond its original U.S. government focus.

