Mustang Panda-linked LOTUSLITE variant targets India banking sector

Cybersecurity researchers have identified a new variant of the LOTUSLITE backdoor used in a campaign that targets India’s banking sector, while related activity also points to South Korean and U.S. policy circles.

KEY FACTS

  • Payload: The malware is an evolved version of LOTUSLITE with incremental changes.
  • Delivery: The campaign starts with a CHM file that hides a legitimate executable, a rogue DLL and an HTML lure.
  • Technique: The legitimate executable is abused to side-load the rogue DLL, which runs the malware.
  • Command server: The backdoor connects to a dynamic DNS-based server over HTTPS.
  • Targeting: The activity includes India banking themes and separate lures tied to Korean peninsula policy.

An Acronis technical analysis said the backdoor supports remote shell access, file operations and session management, which points to espionage rather than financially motivated activity. The report said the group has continued to refine the malware while keeping much of its earlier playbook intact.

In the India-focused wave, the attack begins with a CHM file that bundles the malicious payloads with an HTML page prompting the user to click Yes. That click can silently fetch JavaScript from a remote server and then run the malware through DLL side-loading, with the bundled legitimate executable loading the rogue DLL placed beside it. The DLL communicates with editor.gleeze[.]com, a dynamic DNS host, to receive commands and exfiltrate data of interest.

The report also linked similar artifacts to targets in South Korea, including people in policy and diplomatic circles. It said those lures appeared aimed at individuals involved in Korean peninsula affairs, North Korea policy discussions and Indo-Pacific security dialogues.

The earlier use of LOTUSLITE was reported in spear-phishing attacks against U.S. government and policy entities using decoys tied to U.S.-Venezuela geopolitical developments. That activity was attributed with medium confidence to Mustang Panda, a Chinese nation-state group.

WHY IT MATTERS

The campaign shows how the same malware family can be adapted for different geopolitical themes and regions while keeping core capabilities intact. For defenders, the combination of CHM files, DLL side-loading and dynamic DNS command-and-control infrastructure highlights several detection points: a help-file viewer spawning an executable, a legitimate binary loading an unsigned DLL from its own user-writable directory, and HTTPS connections to dynamic DNS domains. Correlating these can help limit compromise.
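The three detection points above, correlated per process, as an added example that is not code from the Acronis report or the article. It runs over a handful of constructed Sysmon-style events (a process-creation, image-load and network event for two processes); the event field names, the process names, the file paths, the rogue DLL name `version.dll` and the dynamic DNS suffix list are assumptions for illustration, with `gleeze.com` taken from the domain named in the article.

```python
"""Correlate CHM execution, DLL side-loading and dynamic-DNS C2 per process.

Added example, not the report's or the article's own code.  Event layout,
paths, process names, the DLL name and the suffix list are assumptions.
"""
import ntpath  # Windows path handling regardless of the host OS
from dataclasses import dataclass

# Free dynamic-DNS suffixes (assumed list; gleeze.com is the family named
# in the article, the others are illustrative).
DYN_DNS_SUFFIXES = ("gleeze.com", "ddns.net", "duckdns.org", "no-ip.org")
# Parent processes that mean a user opened a compiled help file.
CHM_VIEWERS = {"hh.exe"}
# Locations from which a signed binary is expected to load its DLLs.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
CHAIN_RULES = {"chm_child", "sideload", "dyn_dns_c2"}


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def _under(path, prefixes):
    p = path.lower()
    return any(p.startswith(pre) for pre in prefixes)


def is_dyn_dns(host):
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYN_DNS_SUFFIXES)


def analyse(events):
    """Return (findings, chain_pids).

    A pid that trips all three rules is reported as a full chain; a single
    rule on its own is only a lead (hh.exe spawning a child, for instance,
    also happens with benign help files).
    """
    findings, images, tripped = [], {}, {}
    for ev in events:
        pid = ev["pid"]
        hits = tripped.setdefault(pid, set())
        if ev["type"] == "process":
            images[pid] = ev["image"]
            if (ev.get("parent", "").lower() in CHM_VIEWERS
                    and not _under(ev["image"], TRUSTED_DIRS)):
                hits.add("chm_child")
                findings.append(Finding(pid, "chm_child",
                                        f"{ev['parent']} spawned {ev['image']}"))
        elif ev["type"] == "imageload":
            image, dll = images.get(pid, ""), ev["loaded"]
            # Side-loading signature: the DLL sits next to the executable,
            # outside trusted directories, and carries no valid signature.
            same_dir = ntpath.dirname(dll.lower()) == ntpath.dirname(image.lower())
            if same_dir and not _under(dll, TRUSTED_DIRS) and not ev.get("signed", False):
                hits.add("sideload")
                findings.append(Finding(pid, "sideload",
                                        f"{image} loaded unsigned {dll} from its own directory"))
        elif ev["type"] == "network":
            if is_dyn_dns(ev["host"]) and ev.get("port") == 443:
                hits.add("dyn_dns_c2")
                findings.append(Finding(pid, "dyn_dns_c2",
                                        f"HTTPS to dynamic DNS host {ev['host']}"))
    chains = [pid for pid, h in tripped.items() if CHAIN_RULES <= h]
    return findings, chains


# Constructed sample log: one malicious chain (pid 4120) and one benign
# control process (pid 5210).  Paths and names are assumed, not from the report.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent": "hh.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "imageload", "pid": 4120, "signed": False,
     "loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"type": "network", "pid": 4120, "host": "editor.gleeze.com", "port": 443},
    {"type": "process", "pid": 5210, "parent": "explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "imageload", "pid": 5210, "signed": True,
     "loaded": r"C:\Windows\System32\version.dll"},
    {"type": "network", "pid": 5210, "host": "updates.example.com", "port": 443},
]

if __name__ == "__main__":
    found, chain_pids = analyse(SAMPLE_EVENTS)
    for f in found:
        print(f"pid {f.pid} [{f.rule}] {f.detail}")
    print("full chain in pids:", chain_pids)
```

Requiring all three rules before escalating keeps the noise down: help files spawning children and applications shipping their own DLLs are both common on their own, whereas an hh.exe child that side-loads an unsigned DLL from %TEMP% and then talks HTTPS to a dynamic DNS host is the chain the report describes.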