Cybersecurity researchers have uncovered a new variant of the Lotuslite malware, which is being distributed using lures related to India’s banking sector.
In the past, the malware operators focused on US government and policy organizations; despite the change in targeting, the primary goal remains intelligence gathering rather than financial theft, Acronis researchers note.
Lotuslite acts as a backdoor that communicates with command-and-control servers over HTTPS using dynamic DNS services. It enables attackers to execute remote shell commands, manage files, and control active sessions.
The campaign has been attributed with medium confidence to the China-linked threat actor tracked as Mustang Panda, known for using geopolitical themes in spear-phishing attacks. Previous Lotuslite campaigns leveraged decoy content linked to international political developments to compromise targets.
In the latest campaign, the attack begins with a malicious Compiled HTML (CHM) file that contains a legitimate executable alongside a rogue DLL and embedded HTML content. Victims are prompted to click “Yes” in a pop-up message, which triggers the download of a JavaScript payload from a remote server. The malware is then executed using DLL side-loading techniques, helping it evade detection.
The DLL component, an updated version of Lotuslite, connects to attacker-controlled infrastructure to receive instructions and exfiltrate sensitive data.
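The chain described above (CHM file opened by the victim, a script loader fetched from a remote server, and a legitimate executable side-loading a rogue DLL) leaves two observable seams on the endpoint that a defender can watch for independently of any sample hash. The following is an added example, not code from the article or from Acronis, and not a published Lotuslite signature: it runs two generic heuristics over constructed, Sysmon-style process-creation and image-load records. `hh.exe` is the real Windows HTML Help viewer that opens `.chm` files; the event field names, the list of script hosts, the directory prefixes and every sample path are assumptions, and the campaign's actual process names and drop locations are not given on the page.

```python
"""Heuristic detection for a CHM -> script loader -> DLL side-load chain.

Added example, not the article's or Acronis's code. Field names follow a
Sysmon-like layout (EventID 1 = process create, 7 = image load) but are assumed;
all sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

CHM_VIEWER = "hh.exe"  # Windows HTML Help viewer, the process that opens .chm files

# Script hosts and download-capable LOLBins a help file has no reason to spawn (assumed list).
SUSPICIOUS_CHILDREN = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
    "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Directories a user (and therefore a dropper) can write to (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Event:
    event_id: int                         # 1 = process create, 7 = image load
    image: str                            # full path of the process executable
    parent_image: str = ""                # event 1 only
    image_loaded: str = ""                # event 7 only: full path of the loaded DLL
    image_signed: Optional[bool] = None   # signature status of the process executable
    loaded_signed: Optional[bool] = None  # signature status of the loaded DLL


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def detect_chm_child(ev: Event) -> Optional[str]:
    """Seam 1: the CHM viewer spawning a script host or loader binary."""
    if ev.event_id != 1:
        return None
    if _basename(ev.parent_image) == CHM_VIEWER and _basename(ev.image) in SUSPICIOUS_CHILDREN:
        return f"CHM viewer spawned script/loader host: {ev.parent_image} -> {ev.image}"
    return None


def detect_sideload(ev: Event) -> Optional[str]:
    """Seam 2: a signed executable in a user-writable directory loading an
    unsigned DLL that sits beside it, the classic side-loading layout."""
    if ev.event_id != 7:
        return None
    exe_dir = _dirname(ev.image)
    same_dir = _dirname(ev.image_loaded) == exe_dir
    writable = exe_dir.startswith(USER_WRITABLE_PREFIXES)
    if same_dir and writable and ev.image_signed is True and ev.loaded_signed is False:
        return f"possible DLL side-load: signed {ev.image} loaded unsigned {ev.image_loaded}"
    return None


def scan(events: List[Event]) -> List[str]:
    """Apply both heuristics to every event and collect the alert strings."""
    alerts: List[str] = []
    for ev in events:
        for rule in (detect_chm_child, detect_sideload):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: two malicious-looking events, two benign ones.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\wscript.exe",
          parent_image=r"C:\Windows\hh.exe"),                       # CHM viewer -> script host
    Event(1, image=r"C:\Windows\System32\notepad.exe",
          parent_image=r"C:\Windows\explorer.exe"),                 # benign
    Event(7, image=r"C:\Users\victim\AppData\Local\Temp\legit.exe",
          image_loaded=r"C:\Users\victim\AppData\Local\Temp\helper.dll",
          image_signed=True, loaded_signed=False),                  # side-load layout
    Event(7, image=r"C:\Program Files\Vendor\app.exe",
          image_loaded=r"C:\Program Files\Vendor\app.dll",
          image_signed=True, loaded_signed=True),                   # benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately coarse: the first will also fire on legitimate help files that launch scripts, and the second will fire on portable software that ships unsigned DLLs, so in practice they belong in a correlation search (CHM child process followed within minutes by a side-load event on the same host) rather than as stand-alone alerts.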
In addition to India, similar artifacts have been identified targeting individuals in South Korea’s diplomatic and policy communities, particularly those involved in Korean Peninsula affairs and Indo-Pacific security discussions.
“The campaign reflects a shift in delivery tradecraft of Mustang Panda’s cluster delivering Lotuslite, which is moving from CHM-based delivery to JavaScript loaders to DLL sideloading across recent operations, while also pivoting geographically from US government entities to India's financial sector,” the researchers noted.