LOTUSLITE

LOTUSLITE is a custom C++ backdoor associated with the China-linked espionage cluster Mustang Panda, with reporting assessing the attribution at moderate to high confidence depending on the campaign. It has been used in targeted espionage operations against U.S. government and policy-focused organizations, India’s banking sector, and South Korean and U.S. diplomatic and policy communities. Reported lure themes include U.S.–Venezuela political developments, India banking/HDFC Bank themes, and Korean policy and diplomatic topics.

Observed delivery commonly relies on DLL sideloading with legitimate executables. In earlier campaigns, a ZIP archive such as "US now deciding what’s next for Venezuela.zip" contained a renamed legitimate Tencent KuGou executable (for example, "Maduro to be taken to New York.exe") that loaded a malicious DLL named kugou.dll. Additional reporting describes a related chain using a legitimate KuGou component (WebFeatures.exe) and a first-stage downloader DLL (libmemobook.dll), with persistence under C:\ProgramData\CClipboardCm\ and C:\ProgramData\WebFeatures. More recent LOTUSLITE activity targeting India used legitimate Microsoft-signed executables, including Microsoft_DNX.exe, to sideload an updated malicious DLL such as dnx.onecore.dll. Acronis also reported a CHM-based chain in which the CHM contained a legitimate executable, a rogue DLL, and an HTML lure that prompted the victim to click "Yes," after which JavaScript was fetched from cosmosmusic[.]com to extract and execute the payload.

LOTUSLITE capabilities consistently described across reporting include remote shell or remote command execution, file and directory enumeration, file manipulation/operations, session management or session control, beaconing, system and user profiling/enumeration, and data exfiltration. Multiple reports characterize the malware as espionage-focused rather than financially motivated. In the Venezuela-themed campaign, LOTUSLITE communicated with a hard-coded IP-based C2 at 172.81.60.97 over TCP/443 using WinHTTP, attempted to blend into benign traffic with a Googlebot User-Agent, Google referrer, Microsoft Host header, and a fixed session cookie, and used a custom protocol magic header 0x8899AABB. Later variants were reported to use dynamic DNS-based HTTPS C2 infrastructure and an updated packet magic value.

Persistence artifacts reported for LOTUSLITE include creation of C:\ProgramData\Technology360NB, renaming the launcher to DataTechnology.exe with a "-DATA" argument, and a Run key named Lite360 under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Other related persistence observed in later chains includes HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ACboardCm pointing to C:\ProgramData\CClipboardCm\SafeChrome.exe and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ASEdge launching C:\ProgramData\WebFeatures\WebFeatures.exe -Edge. A global mutex Global\Technology360-A@P@T-Team was also reported.

High-confidence indicators mentioned in the content include kugou.dll, dnx.onecore.dll, libmemobook.dll, Microsoft_DNX.exe, WebFeatures.exe, the C2 IP 172.81.60.97, domains editor.gleeze.com and www.cosmosmusic.com / cosmosmusic[.]com, the compromised staging domain www.e-kflower[.]com, the path C:\ProgramData\Microsoft_DNX, and the persistence path C:\ProgramData\Technology360NB.