A new LOTUSLITE backdoor campaign has targeted India’s banking sector using DLL sideloading with a legitimate Microsoft-signed executable, Microsoft_DNX.exe, to evade trust controls and endpoint defenses. Researchers said the malware was delivered through banking-themed archives and malicious CHM files containing a signed executable, a rogue DLL, and an HTML lure that prompts user interaction before fetching JavaScript from a remote server to extract and run the payload. The backdoor then connects over HTTPS to a dynamic DNS-based command-and-control server and enables remote shell access, file operations, and session management, behavior consistent with long-term espionage.
Acronis researchers linked the activity with moderate confidence to the China-associated Mustang Panda cluster, citing shared infrastructure and operational patterns with earlier LOTUSLITE operations. Related artifacts show the same tooling was also used against South Korean policy and diplomatic circles and U.S. individuals focused on Korean Peninsula affairs, North Korea policy, and Indo-Pacific security, indicating a broader multi-front espionage effort. The latest variant also changes a C2 packet magic value from earlier versions, suggesting the malware remains under active development to reduce detection and expand targeting.
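As an added example (not code from Acronis, Mallory, or any of the cited sources), the following Python flags the sideloading pattern described above in simplified Sysmon-style process-creation and image-load events: the signed host binary Microsoft_DNX.exe running from a user-writable path and loading a non-Microsoft-signed DLL from its own directory. The event field names, the trusted-root list, and the sample events are assumptions constructed for illustration.

```python
"""Detection logic for the LOTUSLITE DLL-sideloading pattern.

Event schema is a simplified Sysmon-like dict (an assumption, not any
vendor's format): 'ProcessCreate' events carry pid and image; 'ImageLoad'
events carry pid, image_loaded, signed and signer.
"""
from pathlib import PureWindowsPath

HOST_BINARY = "microsoft_dnx.exe"  # signed host binary named in the report
# Roots where a legitimately installed Microsoft binary is expected (assumed
# noise-reduction list; lure-delivered copies run from user-writable paths).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def _same_dir(a: str, b: str) -> bool:
    # PureWindowsPath comparison is case-insensitive, as on NTFS.
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def find_sideload_candidates(events):
    """Return (host image, dll image) pairs matching the sideloading pattern."""
    procs = {}  # pid -> image path of Microsoft_DNX.exe running outside trusted roots
    hits = []
    for ev in events:
        if ev["event"] == "ProcessCreate":
            name = PureWindowsPath(ev["image"]).name.lower()
            if name == HOST_BINARY and not _under_trusted_root(ev["image"]):
                procs[ev["pid"]] = ev["image"]
        elif ev["event"] == "ImageLoad":
            host = procs.get(ev["pid"])
            if host is None:
                continue
            dll = ev["image_loaded"]
            ms_signed = ev.get("signed", False) and "microsoft" in ev.get("signer", "").lower()
            # Sideload signature: DLL resolved from the host's own directory, not Microsoft-signed.
            if _same_dir(host, dll) and not ms_signed:
                hits.append((host, dll))
    return hits


# Constructed sample events (not real telemetry); 'helper.dll' is a placeholder name.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4120, "image": r"C:\Users\alice\Downloads\Statement\Microsoft_DNX.exe"},
    {"event": "ImageLoad", "pid": 4120, "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True, "signer": "Microsoft Windows"},
    {"event": "ImageLoad", "pid": 4120, "image_loaded": r"C:\Users\alice\Downloads\Statement\helper.dll", "signed": False, "signer": ""},
    {"event": "ProcessCreate", "pid": 5000, "image": r"C:\Program Files\Vendor\Microsoft_DNX.exe"},
    {"event": "ImageLoad", "pid": 5000, "image_loaded": r"C:\Program Files\Vendor\plugin.dll", "signed": False, "signer": ""},
]

if __name__ == "__main__":
    for host, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"sideload candidate: {host} loaded {dll}")
```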

7 events from the most recent confirmed update back to the earliest known activity.
Acronis reported that the new LOTUSLITE variant communicates with a dynamic DNS-based HTTPS command-and-control server and supports remote shell, file operations, and session management. Researchers also noted a changed C2 packet magic value, suggesting the malware had evolved to evade existing detection signatures.
Researchers assessed the campaign with moderate confidence as linked to the China-associated Mustang Panda cluster based on shared infrastructure and operational behavior. The attribution connected the India-focused activity to prior LOTUSLITE espionage operations.
The campaign used a legitimate Microsoft-signed executable, Microsoft_DNX.exe, alongside a malicious DLL to sideload LOTUSLITE and evade trust-based defenses. Reporting also described delivery through lure files containing the executable, rogue DLL, and decoy content that triggered payload execution.
Acronis Threat Research Unit identified a new espionage campaign targeting India's banking sector with banking-themed lures. The operation delivered a new LOTUSLITE variant and showed the malware remained under active development.
Breakglass Intelligence reported three distinct malicious Microsoft Saved Console (.msc) kill chains using WebDAV and Cloudflare-hosted infrastructure, including PowerShell download execution, DLL sideloading via a copied msdtc.exe, and a GrimResource-style technique in MMC. The investigation also recovered a Rust-based Mythic 'coffee' agent DLL and encrypted loader, while assessing only low-to-medium confidence that the MSC campaigns were related to Mustang Panda's LOTUSLITE activity.
Acronis found related LOTUSLITE artifacts aimed at South Korean and U.S. diplomatic and policy communities, particularly people focused on Korean Peninsula affairs, North Korea policy, and Indo-Pacific security. This indicated the infrastructure and tooling were being reused beyond a single lure theme.
Before the newly reported activity, LOTUSLITE had been observed in campaigns using U.S.-Venezuela geopolitical themes. Those earlier operations were later used as a baseline for comparing the new malware variant and targeting expansion.
Sources (4 references tracked): community.gurucul.com, thehackernews.com, cybersecuritynews.com, intel.breakglass.tech