A new LOTUSLITE v1.1 backdoor variant was deployed in targeted campaigns against India’s banking sector and South Korean/U.S. policy circles, using DLL sideloading via Microsoft-signed binaries and CHM/JavaScript-based loaders. Attribution points to Mustang Panda with moderate confidence based on shared code lineage, residual exports (e.g., KugouMain), and reused Dynu-managed C2 infrastructure. #LOTUSLITE #MustangPanda
Keypoints
- Researchers identified an evolved LOTUSLITE variant (v1.1) that retains the original command set and architecture but adds evasion techniques like runtime API resolution and a rotated magic value.
- Delivery shifted to DLL sideloading using legitimate Microsoft-signed Microsoft_DNX.exe and earlier used CHM and JavaScript loaders leveraging ActiveX and hh.exe to extract and execute payloads.
- The implant communicates with dynamic DNS-based C2 infrastructure (editor[.]gleeze[.]com) over HTTPS and supports remote shell, file operations, and session management—consistent with espionage objectives.
- Code-level artifacts (identical command IDs, shared persistence via SHSetValueA, residual export names such as KugouMain/HDFCBankMain) link this build directly to the original LOTUSLITE codebase.
- The operator rotated operational artifacts (e.g., magic value 0x8899AABB → 0xB2EBCFDF, flag –DATA → –ZoneMAX) and modularized persistence to evade static detections while keeping core functionality unchanged.
- Attribution to Mustang Panda is assessed with moderate confidence based on overlapping infrastructure, developer habits (embedded messages like “goldenjackel12”), and repeated OPSEC mistakes across campaigns.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – CHM used as the initial spear-phishing lure to deliver the loader and payload (‘spear phishing, known as Request for Support.chm’).
- [T1204.002] Malicious File (User Execution) – CHM popup and embedded HTML/JS tricked users into executing ActiveX controls to extract and run files (‘pop up that prompted the user to click on Yes’).
- [T1574.001] DLL Search Order Hijacking – DLL sideloading by placing a crafted DLL alongside a legitimate executable that calls LoadLibraryExW without a full path (‘it dynamically loaded the DLL at runtime using LoadLibraryExW and resolved the exported function DnxMain via GetProcAddress’).
- [T1218] Signed Binary Proxy Execution – Abuse of a Microsoft-signed binary (Microsoft_DNX.exe) to load and execute the malicious DLL under a trusted context (‘the executable was basically a Microsoft-signed binary known as Microsoft DNX’).
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via writing a Run key under HKCU using SHSetValueA (‘using SHSetValueA to write a Run key under HKCU’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications over HTTPS to blend with normal web traffic (‘communicated with a dynamic DNS-based command-and-control server over HTTPS’ / ‘connected over TCP port 443 to blend in with normal HTTPS traffic’).
- [T1027] Obfuscated Files or Information – Runtime API resolution and delayed imports to keep the DLL import table clean and evade static analysis (‘every single API call is wrapped in the same resolution pattern … so the DLL’s import table stays clean’).
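As an added example that is not part of the original report, the following Python hunt runs over constructed Sysmon-like image-load (EventID 7) and registry-set (EventID 13) events and flags the two behaviours described above: an unsigned DLL loaded by an executable from its own user-writable directory (the Microsoft_DNX.exe / dnx.onecore.dll pairing in C:\ProgramData\Microsoft_DNX) and an HKCU Run value that points back into such a directory. The field names, the writable-path markers and the sample events are assumptions and constructed data, not real telemetry.

```python
import json
import ntpath

# Constructed, Sysmon-like JSON lines (not real telemetry): the sideloaded DLL load,
# a benign system DLL load for contrast, and the Run-key write used for persistence.
SAMPLE_LOG = r'''
{"EventID": 7, "Image": "C:\\ProgramData\\Microsoft_DNX\\Microsoft_DNX.exe", "ImageLoaded": "C:\\ProgramData\\Microsoft_DNX\\dnx.onecore.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"}
{"EventID": 13, "Image": "C:\\ProgramData\\Microsoft_DNX\\Microsoft_DNX.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft_DNX", "Details": "C:\\ProgramData\\Microsoft_DNX\\Microsoft_DNX.exe"}
'''

# Assumed markers for locations a standard user can write to (where a dropped EXE+DLL pair lands).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\", "\\temp\\")
RUN_KEY = "\\currentversion\\run\\"


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_suspicious_sideload(ev):
    """T1574.001 / T1218: an unsigned DLL loaded from the loading process's own
    directory, where that directory is user-writable rather than System32/Program Files."""
    if ev.get("EventID") != 7 or str(ev.get("Signed", "")).lower() != "false":
        return False
    exe_dir = ntpath.dirname(ev.get("Image", "")).lower()
    dll_dir = ntpath.dirname(ev.get("ImageLoaded", "")).lower()
    return exe_dir != "" and exe_dir == dll_dir and in_user_writable(dll_dir)


def is_suspicious_run_key(ev):
    """T1547.001: a value written under ...\\CurrentVersion\\Run whose target
    lives in a user-writable path (what SHSetValueA produced in this campaign)."""
    if ev.get("EventID") != 13:
        return False
    return RUN_KEY in ev.get("TargetObject", "").lower() and in_user_writable(ev.get("Details", ""))


def hunt(text):
    """Return (kind, process image, artifact) tuples for every flagged event."""
    findings = []
    for ev in parse_events(text):
        if is_suspicious_sideload(ev):
            findings.append(("sideload", ev["Image"], ev["ImageLoaded"]))
        elif is_suspicious_run_key(ev):
            findings.append(("run_key", ev["Image"], ev["Details"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```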
Indicators of Compromise
- [SHA256 Hashes] Malware sample hashes – Af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec (Microsoft_DNX.exe), cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8 (kwpswnsserver.exe), and 4 more hashes.
- [DLL Hashes] Malicious DLL samples – 7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d (dnx.onecore.dll), 9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d (Microsoft.WindowsAppRuntime.Bootstrap.dll).
- [Archives / CHM] Delivery artifacts – 18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893 (Request_for_Support.chm), 6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135 (MARCH 30.zip).
- [Domains] Command and loader hosting – editor[.]gleeze[.]com (dynamic DNS C2), www[.]cosmosmusic[.]com (JS loader host serving music.js).
- [IP Address] C2 infrastructure – 172[.]81[.]60[.]97 (Dynu-managed IP observed serving LOTUSLITE C2 under ASN AS398019).
- [Mutexes] Runtime identifiers – mdseccoUk, 1ac5e7ee1a107499 (mutex values observed in different campaign samples).
- [File Names / Paths] Lures and installation paths – Request_for_Support.chm (spear-phishing lure), Microsoft_DNX.exe (signed loader), C:\ProgramData\Microsoft_DNX (deployment/persistence location).