A targeted cyber-espionage operation has been reported against U.S. government and policy-focused organizations, using Venezuela-themed spear-phishing lures to deliver a custom backdoor dubbed LOTUSLITE. The activity has been attributed with moderate confidence to the China-aligned threat actor Mustang Panda (also tracked as Earth Preta, HoneyMyte, and Twill Typhoon), based on overlaps in tradecraft and infrastructure consistent with prior campaigns.
Initial access relies on a malicious ZIP archive named "US now deciding what’s next for Venezuela.zip". It contains a legitimate executable (reported to be a renamed binary from a Tencent music streaming service, carried under the name "Maduro to be taken to New York.exe") alongside a malicious DLL, kugou.dll. When the signed/legitimate executable is launched it sideloads the malicious DLL, executing LOTUSLITE without any exploit-based intrusion. Reporting characterizes the campaign as limited in scale but highly precise in targeting, and notes that the implant is a custom C++ espionage tool with persistence mechanisms, despite indications of relatively low development maturity in parts of the loader.

Timeline (3 events, most recent first):
Public reporting disclosed LOTUSLITE's persistence methods, command-and-control behavior, and capabilities, including use of a hard-coded C2 at 172.81.60.97 over port 443, WinHTTP communications, a Googlebot user-agent, a mutex, and remote shell and file-operation functions. Researchers also recommended mitigations such as blocking the C2 IP and monitoring for DLL sideloading and specific persistence artifacts.
Acronis Threat Research Unit linked the LOTUSLITE campaign with moderate confidence to the China-aligned group Mustang Panda based on tradecraft and infrastructure overlaps, including DLL sideloading patterns and use of legitimate executables. The reporting described the malware as a custom C++ espionage implant focused on persistence, remote tasking, and carefully selected high-value victims.
A targeted espionage campaign used Venezuela-themed spear-phishing lures, including a ZIP archive about U.S.–Venezuela relations, to target U.S. government and policy-related organizations. The operation relied on a legitimate Tencent-associated executable to sideload a malicious DLL that installed the custom LOTUSLITE backdoor.
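A detection sketch for the indicators the reporting lists (kugou.dll sideloaded from an extracted-archive location, the hard-coded C2 172.81.60.97:443, and a Googlebot user-agent on outbound traffic), written here as an added example rather than code from the reporting or from Mallory; the sample events, the KuGou install path and the exact user-agent string are constructed, and the user-writable-path heuristic is an assumption:

```python
import re

# Constructed sample telemetry (not real logs): simplified Sysmon-style image-load
# records and proxy-style network records, one dict per event.
SAMPLE_EVENTS = [
    {"type": "image_load",
     "image": r"C:\Users\jdoe\Downloads\US now deciding\Maduro to be taken to New York.exe",
     "loaded": r"C:\Users\jdoe\Downloads\US now deciding\kugou.dll"},
    # Assumed benign baseline: the same DLL name loaded from a program install directory.
    {"type": "image_load", "image": r"C:\Program Files\KuGou\KuGou.exe",
     "loaded": r"C:\Program Files\KuGou\kugou.dll"},
    {"type": "network",
     "image": r"C:\Users\jdoe\Downloads\US now deciding\Maduro to be taken to New York.exe",
     "dst": "172.81.60.97", "port": 443,
     "user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},  # UA string constructed
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "203.0.113.10", "port": 443, "user_agent": "Mozilla/5.0 (Windows NT 10.0; rv:120.0)"},
]

C2_IP, C2_PORT = "172.81.60.97", 443  # hard-coded C2 endpoint named in the reporting
# Heuristic (assumption): a sideloaded DLL sits in a user-writable path, where an
# extracted ZIP lure lands, rather than in a program install directory.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|documents|appdata)|windows\\temp|temp)\\", re.I)

def sideload_alert(ev):
    """Flag kugou.dll loaded from a user-writable location."""
    if ev["type"] != "image_load" or not ev["loaded"].lower().endswith("\\kugou.dll"):
        return None
    if USER_WRITABLE.match(ev["loaded"]):
        return f"possible DLL sideload: {ev['image']} loaded {ev['loaded']}"
    return None

def c2_alert(ev):
    """Flag the known C2 endpoint, or a Googlebot user-agent leaving an endpoint
    (a crawler UA has no business originating from a workstation)."""
    if ev["type"] != "network":
        return None
    if ev["dst"] == C2_IP and ev["port"] == C2_PORT:
        return f"LOTUSLITE C2 {C2_IP}:{C2_PORT} contacted by {ev['image']}"
    if "googlebot" in ev.get("user_agent", "").lower():
        return f"Googlebot user-agent from {ev['image']} to {ev['dst']}"
    return None

def scan(events):
    """Run both rules over every event and return the alert strings in event order."""
    return [hit for ev in events for rule in (sideload_alert, c2_alert) if (hit := rule(ev))]
```

Running scan(SAMPLE_EVENTS) yields two alerts, one for the sideload and one for the C2 contact, while the install-directory load and the browser traffic stay quiet.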