
Security experts have revealed details of a new campaign targeting U.S. government and policy actors using politically-themed decoys to deliver a backdoor known as LOTUSLITE.
The targeted malware campaign utilizes decoys related to recent geopolitical developments between the United States and Venezuela to distribute a ZIP archive (“US deciding what’s next for Venezuela.zip”) containing a malicious DLL that is launched using DLL sideloading techniques. It is unclear whether this campaign was successful in compromising any of its targets.
This activity is believed with some confidence to be the work of a Chinese state-sponsored group known as Mustang Panda (also known as Earth Preta, HoneyMyte, and Twill Typhoon), citing tactical and infrastructure patterns. It is worth noting that this threat actor is known to rely extensively on DLL sideloading to launch backdoors such as TONESHELL.

“This campaign reflects a continuing trend of targeted spear phishing using geopolitical lures, favoring reliable execution techniques such as DLL sideloading over exploit-based initial access,” Acronis researchers Ilya Davchev and Subhajit Sinha said in an analysis.

The backdoor used in this attack (‘kugou.dll’), LOTUSLITE, is a custom-built C++ implant that uses the Windows WinHTTP API to communicate with a hard-coded command and control (C2) server, enabling beacon activity, remote tasks using ‘cmd.exe’, and data exfiltration. The complete list of supported commands is:
0x0A: Start remote CMD shell
0x0B: Exit remote shell
0x01: Send command via remote shell
0x06: Reset beacon state
0x03: Enumerate files in folder
0x0D: Create empty file
0x0E: Append data to file
0x0F: Get beacon status
LOTUSLITE can also be made persistent by modifying the Windows registry so that LOTUSLITE runs automatically every time a user logs into the system.
Acronis said the backdoor “mimics Claimloader’s fraudulent behavior by embedding provocative messages.” Claimloader is the name assigned to a DLL that is launched using DLL sideloading and is used to deploy PUBLOAD, another Mustang Panda tool. This malware was first documented by IBM X-Force in June 2025 in connection with a cyberespionage campaign targeting the Tibetan community.
“This campaign shows how effective simple, well-tested techniques can be when combined with targeted delivery and relevant geopolitical lures,” the Singaporean cybersecurity firm concluded. “Although the LOTUSLITE backdoor lacks sophisticated evasion capabilities, its use of DLL sideloading, reliable execution flows, and basic command and control functionality reflects a focus on operational reliability over sophistication.”
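The delivery described above relies on a lure-named ZIP archive in which the sideloaded DLL (kugou.dll) sits beside a legitimate host executable. The following triage script is an added example, not code from Acronis or from the campaign, that flags that layout in an archive; the host executable name and the decoy document are constructed placeholders, since the page names only the DLL.

```python
import io
import posixpath
import zipfile
from collections import defaultdict

# Host executables that can serve as a sideloading target, DLLs that may be
# loaded from the same folder, and document types typically used as decoys.
HOST_EXTS = {".exe"}
LIB_EXTS = {".dll"}
DECOY_EXTS = {".pdf", ".docx", ".doc", ".lnk", ".txt"}


def find_sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """Return one finding per folder containing both an EXE and a DLL.

    This is a layout heuristic only: it shows the archive matches the
    "host EXE + co-located DLL" pattern, not that the DLL is malicious.
    """
    by_dir = defaultdict(lambda: {"exe": [], "dll": [], "decoy": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, name = posixpath.split(info.filename)
            ext = posixpath.splitext(name)[1].lower()
            if ext in HOST_EXTS:
                by_dir[folder]["exe"].append(name)
            elif ext in LIB_EXTS:
                by_dir[folder]["dll"].append(name)
            elif ext in DECOY_EXTS:
                by_dir[folder]["decoy"].append(name)
    findings = []
    for folder, files in sorted(by_dir.items()):
        if files["exe"] and files["dll"]:
            findings.append({"folder": folder or "/", **{k: sorted(v) for k, v in files.items()}})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the reported layout (not the real archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # "report.exe" and "Venezuela.pdf" are hypothetical; only kugou.dll is named on the page.
        zf.writestr("US deciding what's next for Venezuela/report.exe", b"MZ\x90\x00")
        zf.writestr("US deciding what's next for Venezuela/kugou.dll", b"MZ\x90\x00")
        zf.writestr("US deciding what's next for Venezuela/Venezuela.pdf", b"%PDF-1.4")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_sideload_candidates(build_sample_archive()):
        print(finding)
```

Run it against a quarantined attachment before any extraction; a hit on a folder holding a DLL, an EXE and a decoy document is the pattern worth escalating.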

The revelations came as The New York Times published details of a cyberattack allegedly carried out by the United States to cut off power to most residents of the capital, Caracas, for several minutes ahead of a military operation to capture Venezuelan President Nicolas Maduro on January 3, 2026.
“Turning off power and jamming Caracas’ radar allowed a U.S. military helicopter to enter the country undetected on a mission to capture Venezuelan President Nicolás Maduro, who was taken to the United States on drug charges,” the Times reported.
“The attack left most of Caracas without power for several minutes, but some areas near the military base where Mr. Maduro was held remained without power for up to 36 hours.”
