MUSTANG Panda’s new LOTUSLITE variant has been observed targeting India’s banking sector, with additional activity affecting South Korea’s policy circles, according to Acronis researchers Subhajeet Singha and Santiago Pontiroli. The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating an espionage-focused capability rather than purely financially motivated aims.
The campaign uses an evolved LOTUSLITE build, described as having incremental improvements over the previous version, and shows a geographic pivot away from prior waves by concentrating on India while keeping the core playbook intact. The infection chain begins with a Compiled HTML (CHM) file that bundles a legitimate executable and a rogue DLL, plus an HTML pop-up prompting the user to click Yes; once the user does, a malicious JavaScript payload is retrieved from a remote server.
The rogue DLL, dnx.onecore[.]dll, is side-loaded by the bundled legitimate executable and communicates with the domain editor.gleeze[.]com to receive commands and exfiltrate data. Related artifacts were also used to reach South Korean policy contacts through spoofed Gmail accounts and Google Drive staging.
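The chain above leaves three observable traces on an endpoint: a process spawned by the Windows CHM viewer (hh.exe), the rogue DLL loaded from a user-writable path, and a DNS lookup for the dynamic DNS C2 domain. The following is an added detection example written for this article, not code from Acronis or from the malware; it runs over constructed Sysmon-style JSON events (EventID 1 process creation, 7 image load, 22 DNS query). The DLL name and C2 domain come from the article; the executable name `legit.exe`, the file paths and the list of additional dynamic DNS suffixes are assumptions for illustration.

```python
import json

# Indicators taken from the article (defanged brackets removed for matching).
SIDELOADED_DLL = "dnx.onecore.dll"
C2_DOMAIN = "editor.gleeze.com"

# Assumption: dynamic DNS suffixes to flag. gleeze.com is included because the
# article describes the C2 as dynamic DNS based; the other entries are
# illustrative and not taken from the article.
DYNDNS_SUFFIXES = ("gleeze.com", "ddns.net", "duckdns.org", "no-ip.org")

# Windows' own CHM viewer; a child process of it is where this chain starts.
CHM_HANDLER = "hh.exe"

# DLL directories where a load of a system-looking DLL is not suspicious.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Return a list of (rule, detail) findings for one Sysmon-style event dict."""
    findings = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation: anything launched by the CHM viewer
        if _basename(ev.get("ParentImage", "")) == CHM_HANDLER:
            findings.append(("chm_spawned_process",
                             f"{ev.get('Image')} launched by {CHM_HANDLER}"))
    elif eid == 7:  # image load: the rogue DLL loaded from outside system dirs
        loaded = ev.get("ImageLoaded", "")
        if (_basename(loaded) == SIDELOADED_DLL
                and not loaded.lower().startswith(TRUSTED_DLL_DIRS)):
            findings.append(("dll_sideload",
                             f"{loaded} loaded by {ev.get('Image')}"))
    elif eid == 22:  # DNS query: exact C2 match first, then dynamic DNS suffix
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q == C2_DOMAIN:
            findings.append(("known_c2_domain", q))
        elif q.endswith(tuple("." + s for s in DYNDNS_SUFFIXES)):
            findings.append(("dyndns_query", q))
    return findings


def scan(lines):
    """Scan JSON-lines input; return (EventID, rule, detail) for every hit."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule, detail in analyze_event(ev):
            results.append((ev.get("EventID"), rule, detail))
    return results


# Constructed sample telemetry (not real logs). "legit.exe" is a hypothetical
# stand-in for the unnamed legitimate executable bundled in the CHM.
_TMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": _TMP + "legit.exe", "ParentImage": "C:\\Windows\\hh.exe"},
    {"EventID": 7, "Image": _TMP + "legit.exe", "ImageLoaded": _TMP + "dnx.onecore.dll"},
    {"EventID": 7, "Image": _TMP + "legit.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 22, "Image": _TMP + "legit.exe", "QueryName": "editor.gleeze.com"},
    {"EventID": 22, "Image": "C:\\Program Files\\Browser\\browser.exe", "QueryName": "www.example.com"},
    {"EventID": 22, "Image": _TMP + "legit.exe", "QueryName": "beacon.ddns.net"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The exact-domain rule is the only one specific to this campaign; the other two (hh.exe as parent, a system-looking DLL loaded from a user-writable directory) are generic side-loading and CHM-delivery signals that survive a change of C2 infrastructure, which is why the C2 check is placed ahead of the broader dynamic DNS suffix check rather than replacing it.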