LOTUSLITE: Targeted espionage leveraging geopolitical themes

Acronis TRU identified a targeted campaign delivering a DLL-sideloaded backdoor, tracked as LOTUSLITE, via a politically themed ZIP archive aimed at U.S. government and policy-related entities. The implant uses a simple loader-to-DLL execution chain, a hard-coded IP-based C2, basic persistence through a Run key and a ProgramData directory, and shows behavioral overlaps with Mustang Panda.

Keypoints

  • Threat actors delivered a loader executable inside a politically themed ZIP archive; the loader sideloads a malicious DLL (kugou.dll) that executes the LOTUSLITE backdoor.
  • LOTUSLITE is a custom C++ implant that beacons to a hard-coded IP-based C2 (172[.]81[.]60[.]97) over TCP/443 using WinHTTP and a small custom packet-framing protocol (magic header 0x8899AABB).
  • The backdoor provides espionage-focused capabilities: an interactive cmd.exe shell with redirected I/O, file enumeration and manipulation, basic system enumeration, and status/beacon reporting.
  • Persistence is achieved by creating C:\ProgramData\Technology360NB, renaming the launcher to DataTechnology.exe (run with a –DATA argument), and adding a Run registry entry named Lite360 under the current user's hive; the implant uses the mutex Global\Technology360-A@P@T-Team as a single-instance marker.
  • The loader shows low development maturity (minimal error handling, limited evasion), suggesting rapid operational deployment; attribution to Mustang Panda is assessed at moderate confidence based on tradecraft, delivery style, and infrastructure overlap.
  • Observed infrastructure includes the hostname unassigned.172-81-60-97[.]spryt[.]net associated with the C2 address, hosted in Phoenix, AZ (AS398019); repeated beaconing indicates active C2 usage despite the campaign's limited scale.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The malicious loader was delivered inside a politically themed ZIP archive used for targeted spearphishing. (‘a spear phishing archive named US now deciding what’s next for Venezuela.zip’)
  • [T1574.002] DLL Side-Loading – The launcher loads the malicious DLL at runtime via LoadLibraryW and resolves its export with GetProcAddress, so the dependency never appears in the import table. (‘it explicitly loads the malicious DLL using LoadLibraryW and resolves the exported function via GetProcAddress’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The backdoor spawns an interactive cmd.exe shell with standard I/O redirected over anonymous pipes, enabling remote command execution and output retrieval. (‘creation of an interactive cmd.exe shell with redirected standard I/O over anonymous pipes’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence is established by creating a ProgramData directory, renaming the launcher to DataTechnology.exe and writing a Run key value named Lite360 under the current user’s hive via SHSetValueA. (‘uses the SHSetValueA API to create a registry entry under the current user’s Run key … under the value named Lite360’)
  • [T1071.001] Application Layer Protocol: Web Protocols – The implant uses WinHTTP to send HTTP POST requests over TCP/443 with crafted headers (a Googlebot User-Agent, a Google referrer, and a Microsoft domain in the Host header) to blend C2 traffic with normal web traffic; because the connection goes to a hard-coded IP, the Host header does not match the actual destination. (‘uses a Googlebot User-Agent string, sets the referrer to Google, and presents the Host header as a Microsoft domain’)
  • [T1082] System Information Discovery – The implant enumerates machine information using APIs such as GetComputerName as part of initial enumeration. (‘enumerates the names of the machine … using APIs such as GetComputerName’)
  • [T1033] System Owner/User Discovery – The implant collects the target username using GetUserName as part of its reconnaissance. (‘enumerates the names of the machine, along with the target’s username using APIs such as GetComputerName and GetUserName’)
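The header tricks described under T1071.001 cut both ways: a Googlebot User-Agent, a Google referrer and a Microsoft Host header are meant to look like background web noise, but a workstation never legitimately identifies itself as Google's crawler, and a Host header naming a domain while the connection goes to a bare IP is a mismatch a proxy can see. The Python below is an added example, not code from the Acronis report; it scores constructed proxy-log records (the JSON field names are an assumption, map them onto your proxy's schema) against those traits plus the two C2 addresses from the report. It assumes the proxy can see the HTTP headers; if the TCP/443 beacon is TLS-wrapped, only a TLS-inspecting proxy produces such records and you fall back to the IP indicators.

```python
import ipaddress
import json
from typing import Dict, List

# Known LOTUSLITE C2 addresses from the report (defanged in the text above).
LOTUSLITE_C2 = {"172.81.60.97", "172.81.60.87"}

# Constructed sample proxy log (JSON lines), not real traffic. Field names are an
# assumption for this example: url_host is the authority the client actually
# connected to, host_header is the HTTP Host header it sent. Records 1-2 model the
# LOTUSLITE beacon; 3-4 are benign; 5 is a Host/destination mismatch with no
# other LOTUSLITE traits and should surface at medium severity only.
SAMPLE_LOG = """\
{"ts":"2025-01-10T14:02:11Z","src_ip":"10.20.30.41","url_host":"172.81.60.97","dst_port":443,"method":"POST","host_header":"www.microsoft.com","user_agent":"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)","referer":"https://www.google.com/"}
{"ts":"2025-01-10T14:02:40Z","src_ip":"10.20.30.41","url_host":"172.81.60.87","dst_port":443,"method":"POST","host_header":"www.microsoft.com","user_agent":"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)","referer":"https://www.google.com/"}
{"ts":"2025-01-10T14:03:02Z","src_ip":"10.20.30.55","url_host":"www.microsoft.com","dst_port":443,"method":"GET","host_header":"www.microsoft.com","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120","referer":""}
{"ts":"2025-01-10T14:03:30Z","src_ip":"10.20.30.55","url_host":"10.0.0.5","dst_port":8080,"method":"GET","host_header":"10.0.0.5","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120","referer":""}
{"ts":"2025-01-10T14:04:00Z","src_ip":"10.20.30.60","url_host":"203.0.113.10","dst_port":443,"method":"POST","host_header":"update.example.net","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","referer":""}
"""


def is_ip_literal(value: str) -> bool:
    """True if value is a bare IPv4/IPv6 address (optionally bracketed)."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def score_request(rec: Dict) -> Dict:
    """Score one request against the LOTUSLITE beacon traits described in the report."""
    score, reasons = 0, []
    url_host = rec.get("url_host", "")
    host_hdr = rec.get("host_header", "")
    ua = rec.get("user_agent", "").lower()
    referer = rec.get("referer", "").lower()

    if url_host in LOTUSLITE_C2:
        score += 100
        reasons.append("destination is a known LOTUSLITE C2 address")
    # WinHTTP connecting to a hard-coded IP while presenting a Microsoft Host header:
    # the Host header names a domain the client never resolved or connected to.
    if is_ip_literal(url_host) and host_hdr and not is_ip_literal(host_hdr):
        score += 40
        reasons.append(f"Host header {host_hdr!r} does not match connected IP {url_host}")
    # A workstation has no business identifying itself as Google's crawler.
    if "googlebot" in ua:
        score += 40
        reasons.append("crawler User-Agent (Googlebot) from an internal client")
    if rec.get("method") == "POST" and "google." in referer and is_ip_literal(url_host):
        score += 20
        reasons.append("POST to a raw IP with a Google referrer")

    return {
        "ts": rec.get("ts"), "src_ip": rec.get("src_ip"), "dst": url_host,
        "score": score, "severity": "high" if score >= 80 else "medium",
        "reasons": reasons,
    }


def detect_lotuslite_beacons(log_text: str, threshold: int = 40) -> List[Dict]:
    """Return scored findings for every record at or above threshold, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = score_request(json.loads(line))
        if finding["score"] >= threshold:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_lotuslite_beacons(SAMPLE_LOG):
        print(f"{f['ts']} {f['src_ip']} -> {f['dst']} [{f['severity']}, score {f['score']}]")
        for r in f["reasons"]:
            print("   -", r)
```

The two beacon records score high on every rule; the fifth record is flagged at medium on the Host mismatch alone, which is the right place to start when the IP indicators have already rotated. The Googlebot and mismatch rules are behavioural and survive an infrastructure change; the hard-coded address set does not, so treat it as corroboration rather than the primary signal.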

Indicators of Compromise

  • [SHA256] Delivered sample hashes – Maduro to be taken to New York.exe: 819f586ca65395bdd191a21e9b4f3281159f9826e4de0e908277518dba809e5b, kugou.dll: 2c34b47ee7d271326cfff9701377277b05ec4654753b31c89be622e80d225250
  • [File names] Malicious components observed in archive – Maduro to be taken to New York.exe, kugou.dll
  • [Persistence paths] Local persistence artifacts – C:\ProgramData\Technology360NB, DataTechnology.exe (renamed launcher)
  • [Mutex] In-memory/single-instance marker – Global\Technology360-A@P@T-Team
  • [C2 IPs] Command-and-control infrastructure – 172[.]81[.]60[.]97 (primary observed C2), 172[.]81[.]60[.]87 (additional observed endpoint)
  • [Domains/Hosts] Hostname associated with C2 – unassigned.172-81-60-97[.]spryt[.]net (Phoenix, AZ; ASN AS398019)
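The host-side indicators above (the Lite360 Run value, the components staged under ProgramData, kugou.dll loaded by the launcher, the renamed DataTechnology.exe) map onto ordinary endpoint telemetry. The Python below is an added example, not code from the Acronis report: it runs a small set of hunting rules over constructed Sysmon-style events (registry value set, file create, image load, process create). The event field names follow Sysmon's, but the events themselves, the hostname, the SID and the download folder are invented, and the –DATA argument is matched with either dash character since the page's rendering of it is ambiguous. The mutex Global\Technology360-A@P@T-Team is not visible in Sysmon events and needs live handle enumeration on a suspect host instead.

```python
import json
import ntpath
from typing import Dict, List, Optional

# Host artifacts named in the report (matched case-insensitively below).
IOC_FILENAMES = {"maduro to be taken to new york.exe", "kugou.dll", "datatechnology.exe"}
RUN_VALUE_NAME = "lite360"
SIDELOADED_DLL = "kugou.dll"

# Constructed Sysmon-style events (JSON lines), not real telemetry. Hostname, SID,
# and the user's download folder are invented; the ProgramData directory name
# follows the report. Events 1-4 model the LOTUSLITE chain, 5-6 are benign.
SAMPLE_EVENTS = r"""
{"Computer":"WS-042","EventID":7,"Image":"C:\\Users\\alice\\Downloads\\Venezuela\\Maduro to be taken to New York.exe","ImageLoaded":"C:\\Users\\alice\\Downloads\\Venezuela\\kugou.dll"}
{"Computer":"WS-042","EventID":11,"Image":"C:\\Users\\alice\\Downloads\\Venezuela\\Maduro to be taken to New York.exe","TargetFilename":"C:\\ProgramData\\Technology360NB\\DataTechnology.exe"}
{"Computer":"WS-042","EventID":13,"Image":"C:\\Users\\alice\\Downloads\\Venezuela\\Maduro to be taken to New York.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Lite360","Details":"C:\\ProgramData\\Technology360NB\\DataTechnology.exe"}
{"Computer":"WS-042","EventID":1,"Image":"C:\\ProgramData\\Technology360NB\\DataTechnology.exe","CommandLine":"\"C:\\ProgramData\\Technology360NB\\DataTechnology.exe\" -DATA"}
{"Computer":"WS-042","EventID":13,"Image":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","Details":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"Computer":"WS-042","EventID":7,"Image":"C:\\Windows\\explorer.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll"}
"""


def _base(path: str) -> str:
    """Lower-cased final component of a Windows path or registry key."""
    return ntpath.basename(path or "").lower()


def match_event(ev: Dict) -> Optional[Dict]:
    """Return a hit dict if the event matches a LOTUSLITE host rule, else None."""
    eid = ev.get("EventID")
    rule = detail = None

    if eid == 13:  # RegistryEvent: value set (T1547.001)
        target = ev.get("TargetObject", "")
        if _base(target) == RUN_VALUE_NAME and "\\currentversion\\run\\" in target.lower():
            rule, detail = "run_key_lite360", f"{target} = {ev.get('Details', '')}"
    elif eid == 11:  # FileCreate: component staged under ProgramData
        target = ev.get("TargetFilename", "")
        if "\\programdata\\" in target.lower() and _base(target) in IOC_FILENAMES:
            rule, detail = "staged_in_programdata", target
    elif eid == 7:  # ImageLoad: kugou.dll loaded from a non-system path (T1574.002)
        loaded = ev.get("ImageLoaded", "")
        if _base(loaded) == SIDELOADED_DLL and not loaded.lower().startswith("c:\\windows\\"):
            rule, detail = "kugou_dll_sideload", f"{ev.get('Image', '')} loaded {loaded}"
    elif eid == 1:  # ProcessCreate: named component executed, note the DATA argument
        image = ev.get("Image", "")
        if _base(image) in IOC_FILENAMES:
            cmd = ev.get("CommandLine", "")
            has_data_arg = any(tok.lstrip("-–/").upper() == "DATA" for tok in cmd.split())
            rule = "ioc_filename_executed"
            detail = f"{image} (DATA argument: {'yes' if has_data_arg else 'no'})"

    if rule is None:
        return None
    return {"host": ev.get("Computer", "?"), "event_id": eid, "rule": rule, "detail": detail}


def hunt_lotuslite_artifacts(log_text: str) -> List[Dict]:
    """Apply match_event to every JSON event line; return hits in event order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hit = match_event(json.loads(line))
            if hit:
                hits.append(hit)
    return hits


def summarize_by_host(hits: List[Dict]) -> Dict[str, List[str]]:
    """Group matched rule names per host so a multi-stage chain is visible at a glance."""
    by_host: Dict[str, List[str]] = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h["rule"])
    return by_host


if __name__ == "__main__":
    found = hunt_lotuslite_artifacts(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h['host']}] EID {h['event_id']} {h['rule']}: {h['detail']}")
    print(summarize_by_host(found))
```

Keying the rules on behaviour as well as names (a Run value written by a process running from a download folder, a DLL loaded from beside a renamed launcher, a binary launched from ProgramData) matters because the file names and hashes are the cheapest indicators for the operator to change between campaigns; a host that trips several rules in sequence is a much stronger lead than any single file-name match.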


Read more: https://www.acronis.com/en/tru/posts/lotuslite-targeted-espionage-leveraging-geopolitical-themes/