Mustang Panda Evolves LOTUSLITE Malware to Target India’s Banking Sector, South Korean Policy Circles

Cybersecurity researchers have identified a new variant of the LOTUSLITE malware, now being disseminated through themes related to India’s banking sector. This backdoor communicates with a dynamic DNS-based command-and-control (C2) server over HTTPS, supporting remote shell access, file operations, and session management. These capabilities suggest a focus on espionage rather than financial gain.

Previously, LOTUSLITE was observed in spear-phishing attacks targeting U.S. government and policy entities, using decoys associated with U.S.-Venezuela geopolitical developments. This activity was attributed with medium confidence to the Chinese nation-state group known as Mustang Panda.

The latest campaign showcases an evolved version of LOTUSLITE with incremental improvements, indicating active maintenance and refinement by its operators. Notably, the campaign has shifted geographically, now focusing on India’s banking sector while maintaining the core operational tactics.

The attack begins with a Compiled HTML (CHM) file that bundles the malicious payloads—a legitimate executable and a rogue DLL—together with an HTML page that prompts the user to click Yes. Clicking silently retrieves and executes JavaScript malware from a remote server (cosmosmusic[.]com), which in turn extracts and runs the components embedded in the CHM file via DLL side-loading. The DLL (dnx.onecore.dll) is an updated LOTUSLITE build that communicates with the domain editor.gleeze[.]com to receive commands and exfiltrate data.
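The chain above leaves three observable traces a defender can hunt for: a CHM file spawning a child process, a DLL named dnx.onecore.dll loading from a user-writable location (the side-load), and outbound connections to the delivery and C2 domains. The following triage script is an added illustration written for this page, not code from the article or from any vendor. It assumes that CHM files are opened by the Windows HTML Help viewer hh.exe, that gleeze.com is a dynamic-DNS suffix worth flagging on its own, and it uses a constructed tab-separated log schema (PROC, DLL, NET records) rather than any real product's format. The two domains in the indicator list are the ones named in the article.

```python
"""Added example: triage constructed endpoint logs for the LOTUSLITE chain stages."""
import re
from dataclasses import dataclass

# Domains taken from the article, kept defanged in the list so they are not
# resolvable by accident; refang() normalises them for matching.
INDICATOR_DOMAINS = {"cosmosmusic[.]com", "editor.gleeze[.]com"}

# Assumption: dynamic-DNS suffix used by the C2; flag any host under it.
DYNAMIC_DNS_SUFFIXES = (".gleeze.com",)

# Assumption: user-writable locations from which a side-loaded DLL would run.
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\Windows\\Temp\\)", re.I)


@dataclass
class Finding:
    stage: str
    detail: str
    line_no: int


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


INDICATORS = {refang(d) for d in INDICATOR_DOMAINS}


def triage(lines):
    """Return a Finding for each log record that matches a chain stage.

    Record schema (constructed for this example):
      PROC <tab> parent_image <tab> child_image
      DLL  <tab> image        <tab> dll_path
      NET  <tab> image        <tab> destination_host
    """
    findings = []
    for n, raw in enumerate(lines, 1):
        parts = raw.rstrip("\n").split("\t")
        if len(parts) < 3:
            continue
        kind, a, b = parts[0], parts[1], parts[2]
        if kind == "PROC":
            # Stage 1: the CHM viewer (hh.exe, assumed) spawning anything at all.
            if a.lower().endswith("\\hh.exe"):
                findings.append(Finding("chm-spawn", f"{a} -> {b}", n))
        elif kind == "DLL":
            # Stage 2: the article's DLL name loading from a user-writable path.
            if b.lower().endswith("\\dnx.onecore.dll") and USER_WRITABLE.match(b):
                findings.append(Finding("sideload", f"{a} loaded {b}", n))
        elif kind == "NET":
            # Stage 3: contact with the delivery/C2 domains, or any dynamic-DNS host.
            host = b.lower()
            if host in INDICATORS:
                findings.append(Finding("c2-domain", f"{a} -> {host}", n))
            elif host.endswith(DYNAMIC_DNS_SUFFIXES):
                findings.append(Finding("dyn-dns", f"{a} -> {host}", n))
    return findings


# Constructed sample log: benign explorer/browser activity mixed with the chain.
SAMPLE_LOG = [
    "\t".join(["PROC", r"C:\Windows\hh.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe"]),
    "\t".join(["NET", r"C:\Windows\hh.exe", "cosmosmusic.com"]),
    "\t".join(["DLL", r"C:\Users\alice\AppData\Local\Temp\update.exe",
               r"C:\Users\alice\AppData\Local\Temp\dnx.onecore.dll"]),
    "\t".join(["NET", r"C:\Users\alice\AppData\Local\Temp\update.exe", "editor.gleeze.com"]),
    "\t".join(["PROC", r"C:\Windows\explorer.exe", r"C:\Program Files\Browser\browser.exe"]),
    "\t".join(["NET", r"C:\Program Files\Browser\browser.exe", "example.org"]),
    "\t".join(["NET", r"C:\Users\alice\AppData\Local\Temp\update.exe", "other.gleeze.com"]),
]


def triage_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"line {f.line_no}: [{f.stage}] {f.detail}")
```

On the constructed sample this yields five findings (chm-spawn, c2-domain, sideload, c2-domain, dyn-dns) and ignores the benign browser records. The dyn-dns rule is deliberately looser than the indicator match: the article's C2 sits on a dynamic-DNS provider, so a sibling hostname on the same suffix is a cheap lead worth reviewing even when the exact indicator has rotated.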

Further analysis has uncovered similar artifacts targeting South Korean entities, particularly individuals within the policy and diplomatic community. The group appears to be targeting entities involved in Korean peninsula affairs, North Korea policy discussions, and Indo-Pacific security dialogues.

This expansion of targeting—from U.S. government entities with geopolitical lures to India’s banking sector and now to South Korean and U.S. policy circles—demonstrates Mustang Panda’s adaptive and persistent nature in cyber espionage activities.