Mustang Panda Deploys Updated LOTUSLITE Backdoor Against Indian Banking Sector and South Korean Policy Targets
Acronis researchers have identified a new variant of the LOTUSLITE backdoor being deployed by Mustang Panda in campaigns targeting India's banking sector and South Korean policy communities. The updated malware demonstrates incremental refinements over its predecessor, confirming active maintenance by the Chinese nation-state group as it broadens its geographic and sectoral targeting.
LOTUSLITE was previously observed in spear-phishing campaigns against US government and policy entities using geopolitical lures related to US-Venezuela relations, attributed with medium confidence to Mustang Panda. The latest wave marks a significant geographic pivot — the operational playbook remains largely intact, but the target set has expanded considerably.
The India-focused campaign uses Compiled HTML (CHM) files embedding a legitimate executable alongside a rogue DLL, packaged with an HTML page that presents a pop-up prompting the user to click "Yes." This triggers the silent retrieval and execution of JavaScript malware from cosmosmusic[.]com, which extracts and runs the embedded payload via DLL side-loading. The sideloaded DLL (dnx.onecore.dll) is the updated LOTUSLITE variant, communicating with editor.gleeze[.]com over HTTPS to receive commands and exfiltrate data. The lures specifically reference HDFC Bank, with pop-ups masquerading as legitimate banking software to increase credibility.
A parallel campaign targets individuals within South Korean and US diplomatic and policy communities — specifically those involved in Korean peninsula affairs, North Korea policy discussions, and Indo-Pacific security dialogues. These attacks impersonate a prominent figure in Korean peninsula diplomacy, delivered via spoofed Gmail accounts with payloads staged on Google Drive.
The backdoor itself maintains its espionage-focused capability set: remote shell access, file operations, and session management over HTTPS using dynamic DNS-based C2 infrastructure. The use of dynamic DNS for command-and-control makes infrastructure tracking more difficult and allows rapid domain rotation without changing the underlying server.
The broadening target set is the significant takeaway. Mustang Panda has moved from a narrow focus on US government entities to a multi-front campaign spanning Indian financial institutions, South Korean diplomatic circles, and US policy communities — all within the same operational framework and malware family.
Defensive Guidance:
Organizations in the Indian banking sector and entities involved in Korean peninsula or Indo-Pacific policy should be on heightened alert for spear-phishing delivering CHM file attachments. Block execution of CHM files from email where possible, and monitor for DLL side-loading activity involving dnx.onecore.dll. Block the identified C2 domains cosmosmusic[.]com and editor.gleeze[.]com at the network perimeter. Flag emails from spoofed Gmail accounts that reference Korean peninsula diplomacy or banking software updates, particularly those linking to Google Drive-hosted payloads. Review endpoint telemetry for HTTPS connections to dynamic DNS services from unexpected processes.
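The checks in the guidance above, as an added example that is not part of the Acronis report: a small Python triage script that runs the report's indicators over constructed Sysmon-style events. It assumes the event dictionary shape shown, that hh.exe is the Windows CHM viewer, and that the dynamic-DNS suffix list and the expected-process allowlist are tuned per environment.

```python
from collections import Counter

# Indicators from the report, written defanged there; refanged here for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("cosmosmusic[.]com", "editor.gleeze[.]com")}
SIDELOADED_DLL = "dnx.onecore.dll"
# Assumption: dynamic-DNS parent zones worth watching; gleeze.com is the zone the C2 host sits under.
DDNS_SUFFIXES = ("gleeze.com",)
# Assumption: processes that legitimately resolve and contact arbitrary hosts (tune per site).
EXPECTED_NET_PROCS = {"chrome.exe", "msedge.exe", "outlook.exe"}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a list of (rule, detail) hits for one Sysmon-style event dict."""
    hits = []
    kind = ev.get("type")
    if kind == "ImageLoad" and basename(ev["module"]) == SIDELOADED_DLL:
        hits.append(("sideload-dll", f"{basename(ev['image'])} loaded {SIDELOADED_DLL}"))
    if kind == "ProcessCreate" and basename(ev["parent"]) == "hh.exe":
        hits.append(("chm-child-process", f"hh.exe spawned {basename(ev['image'])}"))
    if kind in ("DnsQuery", "NetworkConnect"):
        host = ev["host"].lower().rstrip(".")
        proc = basename(ev["image"])
        if host in C2_DOMAINS:
            hits.append(("known-c2", f"{proc} -> {host}"))
        elif any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES) and proc not in EXPECTED_NET_PROCS:
            hits.append(("ddns-unexpected-process", f"{proc} -> {host}"))
    return hits

def scan(events):
    """Run every rule over the event list; return (findings with event index, per-rule counts)."""
    findings = [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in check_event(ev)]
    return findings, Counter(rule for _, rule, _ in findings)

# Constructed sample telemetry (not real logs): a CHM opening, the side-load, then beaconing.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Windows\hh.exe", "image": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"type": "ImageLoad", "image": r"C:\Users\u\AppData\Local\Temp\update.exe", "module": r"C:\Users\u\AppData\Local\Temp\dnx.onecore.dll"},
    {"type": "DnsQuery", "image": r"C:\Users\u\AppData\Local\Temp\update.exe", "host": "editor.gleeze.com"},
    {"type": "NetworkConnect", "image": r"C:\Users\u\AppData\Local\Temp\update.exe", "host": "cosmosmusic.com"},
    {"type": "DnsQuery", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "host": "www.example.com"},
    {"type": "ImageLoad", "image": r"C:\Windows\System32\svchost.exe", "module": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS)[0]:
        print(f"event {idx}: {rule}: {detail}")
```

The "ddns-unexpected-process" rule is deliberately the noisiest; keep it as a hunting query rather than an alert until the allowlist reflects the hosts that really use those zones.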