"The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than financially motivated objectives," Acronis researchers Subhajeet Singha and Santiago Pontiroli wrote.
LOTUSLITE backdoor: dynamic DNS C2 over HTTPS and espionage capabilities
Acronis analysts describe an evolved variant of the LOTUSLITE backdoor that uses dynamic DNS-based command-and-control and HTTPS for communications. The implant supports interactive remote shell access, file operations and session management—functions consistent with data collection and access persistence rather than direct financial theft, the researchers said. Acronis observed the family previously in spear-phishing campaigns that used geopolitical decoys tied to U.S.–Venezuela developments; that activity was attributed with medium confidence to a Chinese nation-state group tracked as Mustang Panda.
CHM delivery chain: cosmosmusic[.]com, a malicious JavaScript, and DLL side‑loading via dnx.onecore.dll
The attack chain begins with a Compiled HTML (CHM) file that bundles a legitimate executable, a rogue DLL and an HTML page containing a pop-up that prompts the user to click "Yes." Clicking it retrieves a JavaScript loader from the remote host cosmosmusic[.]com. The JavaScript extracts and runs the payload from the CHM and uses DLL side-loading to load the malicious library, identified in the analysis as dnx.onecore.dll. Once active, the DLL variant of LOTUSLITE reaches back to the domain editor.gleeze[.]com to receive commands and exfiltrate data.
India’s banking sector: HDFC Bank references and pop-ups masquerading as banking software
Acronis flagged a geographic pivot in the latest wave: operators adapted lures to focus primarily on India’s banking sector. The implants include references to HDFC Bank and deploy pop-ups that impersonate legitimate banking software, shaping the social-engineering element toward corporate or retail banking users. Aside from the change in target vertical and national focus, Acronis noted the rest of the operational playbook remains largely intact—same CHM-to-JavaScript-to-DLL sequence and the same C2 techniques—with only "incremental improvements" to the malware itself, suggesting active maintenance and refinement by the operators.
South Korea and U.S. policy circles: impersonation, spoofed Gmail accounts, and Google Drive staging
Beyond India, investigators uncovered artifacts specifically targeting South Korean entities, naming individuals within the policy and diplomatic community. Acronis said the group appears to have been targeting certain entities belonging to the South Korean and U.S. diplomatic and policy communities—particularly people involved in Korean peninsula affairs, North Korea policy discussions and Indo‑Pacific security dialogues. In those cases the campaign imitated a prominent figure in Korean peninsula diplomacy and delivered malicious content via spoofed Gmail accounts and Google Drive staging, according to the analysis.
What this means for India’s banks, South Korean and U.S. policy communities, and security teams
- India’s banks (HDFC Bank references): Banking operations and IT teams should prioritize detection of CHM file execution and DLL side‑loading patterns tied to dnx.onecore.dll, and monitor network connections to editor.gleeze[.]com and cosmosmusic[.]com as observable indicators identified by Acronis.
- South Korean and U.S. diplomatic and policy communities: Individuals engaged in Korean peninsula affairs, North Korea policy and Indo‑Pacific dialogues should be alert to impersonation via spoofed Gmail addresses and Google Drive-based staging that mimic trusted contacts, especially messages that request interaction with embedded HTML or CHM content.
- Security teams and incident responders: The campaign’s use of dynamic DNS C2 over HTTPS and incremental malware updates implies an active operator refining tradecraft; defenders should correlate behavioral indicators—remote shell sessions, file exfiltration patterns and session-management artifacts—rather than relying solely on static signatures.
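As an added illustration of the correlation the last two points call for (not code from Acronis or the original article), the script below maps constructed Sysmon-style telemetry onto the three stages of the delivery chain the report describes and flags hosts where more than one stage appears. The domain and DLL names come from the analysis; hh.exe as the CHM viewer, the event schema and the sample records are assumptions made here.

```python
import ntpath
from collections import defaultdict

# Indicators named in the Acronis analysis (the article writes the domains defanged).
C2_DOMAINS = {"editor.gleeze.com", "cosmosmusic.com"}
SIDELOADED_DLL = "dnx.onecore.dll"
CHM_VIEWER = "hh.exe"  # assumption: the Windows HTML Help viewer that opens .chm files; not named in the article
STAGES = ("chm_execution", "dll_sideload", "c2_domain")

# Constructed sample telemetry, not from the article: Sysmon-like records, one dict each.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event": "process_create", "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe C:\Users\a\Downloads\Account_Notice.chm"},
    {"host": "WS-01", "event": "image_load", "image": r"C:\Users\a\AppData\Local\Temp\viewer.exe",
     "loaded": r"C:\Users\a\AppData\Local\Temp\dnx.onecore.dll"},
    {"host": "WS-01", "event": "dns_query", "image": r"C:\Users\a\AppData\Local\Temp\viewer.exe",
     "query": "editor.gleeze.com."},
    {"host": "WS-02", "event": "dns_query", "image": r"C:\Program Files\browser.exe",
     "query": "www.example.org"},
    {"host": "WS-03", "event": "process_create", "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe C:\Help\product.chm"},
]

def stage_of(ev):
    """Map one event to a LOTUSLITE delivery-chain stage, or None if it matches nothing."""
    kind = ev.get("event")
    image = ntpath.basename(ev.get("image", "")).lower()
    if kind == "process_create" and image == CHM_VIEWER and ".chm" in ev.get("cmdline", "").lower():
        return "chm_execution"
    if kind == "image_load" and ntpath.basename(ev.get("loaded", "")).lower() == SIDELOADED_DLL:
        return "dll_sideload"
    if kind == "dns_query" and ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        return "c2_domain"
    return None

def stages_by_host(events):
    """Collect the set of chain stages observed on each host."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return dict(seen)

def hosts_to_triage(events, min_stages=2):
    """Hosts where at least min_stages of the chain were seen. A lone CHM open (WS-03)
    is a weak signal; CHM open plus side-load plus C2 lookup on one host (WS-01) is not."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("triage:", hosts_to_triage(SAMPLE_EVENTS))
```

In production the same three matchers would run against the EDR or SIEM event stream, with the threshold tuned so that benign CHM help files alone do not page anyone.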
Taken together, the findings portray a maintained espionage toolset redirected to new targets while conserving a proven delivery playbook: CHM lures that trigger a remote JavaScript loader, DLL side‑loading of an upgraded LOTUSLITE implant, and encrypted communications to dynamic DNS-backed controllers. Acronis’ naming of domains and file artifacts provides concrete leads for detection and hunting; the broader takeaway is that the actors are iterating on a stable workflow and expanding their target set from earlier U.S.-focused geopolitical lures to India’s banking sector and diplomatic-policy networks tied to the Korean peninsula.
Original story: https://thehackernews.com/2026/04/mustang-pandas-new-lotuslite-variant.html




