Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Windows Device ID Used to Apprehend Scattered Spider Cybercriminal
July 7, 2026
Critical fast-mcp-telegram CVE-2023-4589 lets attackers access sensitive files
July 7, 2026
Top 10 Next-Generation Firewall Solutions for 2026
July 6, 2026
Home/Threats/Microsoft Signed Driver Used in LOTUSLITE Espionage Campaign
Threats

Microsoft Signed Driver Used in LOTUSLITE Espionage Campaign

Key Takeaways A state-sponsored threat actor, likely Mustang Panda, is targeting India’s banking sector and Korean geopolitical circles with a new variant of the LOTUSLITE backdoor. The...

Sarah simpson
Sarah simpson
April 22, 2026 3 Min Read
41 0

Key Takeaways

  • A state-sponsored threat actor, likely Mustang Panda, is targeting India’s banking sector and Korean geopolitical circles with a new variant of the LOTUSLITE backdoor.
  • The campaign leverages a legitimate, Microsoft-signed executable (Microsoft_DNX.exe) to perform DLL sideloading, bypassing traditional security defenses.
  • The LOTUSLITE backdoor provides persistent remote access, file operations, and shell capabilities, indicating espionage as the primary objective.
  • Defenders should focus on behavioral monitoring, application control, and scrutinize DLL loading from legitimate executables in user-writable directories.

A sophisticated state-aligned threat group has been observed conducting a targeted espionage campaign against India’s banking industry. This operation, characterized by its stealth and meticulous planning, exploits a legitimate, Microsoft-signed executable to deliver a new iteration of the LOTUSLITE backdoor, effectively evading common security measures.

Table Of Content

  • Key Takeaways
  • Infection Chain and DLL Sideloading
  • LOTUSLITE Backdoor and Espionage Objectives
  • Attribution and Broader Campaign Scope
  • What You Should Do

Instead of relying on overt and disruptive tactics, the attackers have adopted a slow, methodical approach, carefully embedding their malicious activities within typical system operations. This strategy aims to blend in, making detection significantly more challenging for defenders.

Infection Chain and DLL Sideloading

The attack initiates with a ZIP archive, crafted to appear relevant to India’s financial and banking sectors. Contained within this archive is a genuine Microsoft executable, Microsoft_DNX.exe, which is a legitimate developer tool formerly part of the ASP.NET Core framework. Alongside this trusted executable, attackers place a malicious Dynamic Link Library (DLL).

The core of the attack relies on a technique known as DLL sideloading. When Microsoft_DNX.exe is executed, it attempts to load a DLL by name without validating its authenticity or full file path. By placing a specially crafted malicious DLL with a matching filename in the same directory, the attackers ensure that the operating system loads their malicious file instead of the legitimate one. Windows then processes this malicious DLL as if it were a trusted component of the signed application, allowing the attacker’s code to run unimpeded.

LOTUSLITE Backdoor and Espionage Objectives

Analysts at the Acronis Threat Research Unit (TRU) identified this novel LOTUSLITE variant during their monitoring of malware campaigns linked to geopolitical events in West Asia. The implant showed strong thematic connections to Indian banking institutions, with activity peaking around March of this year. The TRU team highlighted the use of a Microsoft-signed executable as a deliberate method to bypass standard endpoint security checks, given that most security products inherently trust Microsoft-signed files and typically do not flag their execution.

Once established, the LOTUSLITE backdoor establishes communication with a dynamic DNS-based command-and-control (C2) server via HTTPS. This setup camouflages its traffic, making it appear as routine encrypted web communication. The backdoor is equipped with capabilities for remote shell access, file manipulation, and session management, providing the attackers with a persistent foothold on compromised systems. Its design, focused on information gathering and maintaining long-term access rather than causing immediate disruption, strongly indicates espionage as its primary objective.

Attribution and Broader Campaign Scope

Based on shared infrastructure patterns and operational characteristics, the TRU team assesses with moderate confidence that this activity cluster is linked to Mustang Panda, a China-backed advanced persistent threat (APT) group. The campaign also demonstrates connections to parallel operations targeting geopolitical circles in Korea. Researchers found the same LOTUSLITE infrastructure employed in campaigns referencing Korean policy and diplomatic communities. This suggests that the threat actor operates across multiple fronts, utilizing a consistent core toolset while adapting lure materials to suit specific target audiences, a pattern consistent with Mustang Panda’s established modus operandi.

The LOTUSLITE variant in this campaign also exhibits evolutionary changes, notably employing a different C2 magic value within its network packets. This modification helps it evade detection rules designed to identify older signatures.

What You Should Do

  • Implement stringent application control policies that restrict DLL loading to verified file paths, preventing malicious DLLs from being sideloaded.
  • Monitor for unusual DLL loading patterns originating from legitimate Microsoft executables, especially when these DLLs are located in user-writable directories.
  • Deploy advanced endpoint detection and response (EDR) solutions that focus on behavioral analysis rather than solely relying on file reputation.
  • Educate users about the risks of opening suspicious ZIP archives, even if they appear to contain legitimate files related to their industry.
  • Regularly audit and review network traffic for anomalous HTTPS connections, even if they appear to be standard web communication.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Microsoft Patches Critical .NET Elevation of Privilege Vulnerability CVE-2023-29337

Next Post

CrowdStrike LogScale Critical CVE-2023-40148 Lets Attackers Read Server Files

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Gentlemen Ransomware Exploits 21 Remote Execution Techniques
July 6, 2026
SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign
July 6, 2026
OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us