Microsoft Signed Driver Used in LOTUSLITE Espionage Campaign
Key Takeaways A state-sponsored threat actor, likely Mustang Panda, is targeting India’s banking sector and Korean geopolitical circles with a new variant of the LOTUSLITE backdoor. The...
Key Takeaways
- A state-sponsored threat actor, likely Mustang Panda, is targeting India’s banking sector and Korean geopolitical circles with a new variant of the LOTUSLITE backdoor.
- The campaign leverages a legitimate, Microsoft-signed executable (Microsoft_DNX.exe) to perform DLL sideloading, bypassing traditional security defenses.
- The LOTUSLITE backdoor provides persistent remote access, file operations, and shell capabilities, indicating espionage as the primary objective.
- Defenders should focus on behavioral monitoring, application control, and scrutinize DLL loading from legitimate executables in user-writable directories.
A sophisticated state-aligned threat group has been observed conducting a targeted espionage campaign against India’s banking industry. This operation, characterized by its stealth and meticulous planning, exploits a legitimate, Microsoft-signed executable to deliver a new iteration of the LOTUSLITE backdoor, effectively evading common security measures.
Table Of Content
Instead of relying on overt and disruptive tactics, the attackers have adopted a slow, methodical approach, carefully embedding their malicious activities within typical system operations. This strategy aims to blend in, making detection significantly more challenging for defenders.
Infection Chain and DLL Sideloading
The attack initiates with a ZIP archive, crafted to appear relevant to India’s financial and banking sectors. Contained within this archive is a genuine Microsoft executable, Microsoft_DNX.exe, which is a legitimate developer tool formerly part of the ASP.NET Core framework. Alongside this trusted executable, attackers place a malicious Dynamic Link Library (DLL).
The core of the attack relies on a technique known as DLL sideloading. When Microsoft_DNX.exe is executed, it attempts to load a DLL by name without validating its authenticity or full file path. By placing a specially crafted malicious DLL with a matching filename in the same directory, the attackers ensure that the operating system loads their malicious file instead of the legitimate one. Windows then processes this malicious DLL as if it were a trusted component of the signed application, allowing the attacker’s code to run unimpeded.
LOTUSLITE Backdoor and Espionage Objectives
Analysts at the Acronis Threat Research Unit (TRU) identified this novel LOTUSLITE variant during their monitoring of malware campaigns linked to geopolitical events in West Asia. The implant showed strong thematic connections to Indian banking institutions, with activity peaking around March of this year. The TRU team highlighted the use of a Microsoft-signed executable as a deliberate method to bypass standard endpoint security checks, given that most security products inherently trust Microsoft-signed files and typically do not flag their execution.
Once established, the LOTUSLITE backdoor establishes communication with a dynamic DNS-based command-and-control (C2) server via HTTPS. This setup camouflages its traffic, making it appear as routine encrypted web communication. The backdoor is equipped with capabilities for remote shell access, file manipulation, and session management, providing the attackers with a persistent foothold on compromised systems. Its design, focused on information gathering and maintaining long-term access rather than causing immediate disruption, strongly indicates espionage as its primary objective.
Attribution and Broader Campaign Scope
Based on shared infrastructure patterns and operational characteristics, the TRU team assesses with moderate confidence that this activity cluster is linked to Mustang Panda, a China-backed advanced persistent threat (APT) group. The campaign also demonstrates connections to parallel operations targeting geopolitical circles in Korea. Researchers found the same LOTUSLITE infrastructure employed in campaigns referencing Korean policy and diplomatic communities. This suggests that the threat actor operates across multiple fronts, utilizing a consistent core toolset while adapting lure materials to suit specific target audiences, a pattern consistent with Mustang Panda’s established modus operandi.
The LOTUSLITE variant in this campaign also exhibits evolutionary changes, notably employing a different C2 magic value within its network packets. This modification helps it evade detection rules designed to identify older signatures.
What You Should Do
- Implement stringent application control policies that restrict DLL loading to verified file paths, preventing malicious DLLs from being sideloaded.
- Monitor for unusual DLL loading patterns originating from legitimate Microsoft executables, especially when these DLLs are located in user-writable directories.
- Deploy advanced endpoint detection and response (EDR) solutions that focus on behavioral analysis rather than solely relying on file reputation.
- Educate users about the risks of opening suspicious ZIP archives, even if they appear to contain legitimate files related to their industry.
- Regularly audit and review network traffic for anomalous HTTPS connections, even if they appear to be standard web communication.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.