Skip to content
Malware family

LOTUSLITE

LOTUSLITE is a custom Windows backdoor used in targeted cyber-espionage campaigns and repeatedly linked with moderate confidence to the China-aligned threat actor Mustang Panda.

Profile source: Mallory opens in a new tab

LOTUSLITE

Family profile

LOTUSLITE is a custom Windows backdoor used in targeted cyber-espionage campaigns and repeatedly linked with moderate confidence to the China-aligned threat actor Mustang Panda. Reported campaigns targeted U.S. government and policy-focused organizations using Venezuela-themed spear-phishing lures, India’s banking sector, and South Korean and U.S. diplomatic/policy communities. Delivery commonly relies on DLL sideloading with legitimate signed executables, including Tencent KuGou components and Microsoft-signed binaries such as Microsoft_DNX.exe; one reported chain also used a malicious CHM file containing a legitimate executable, rogue DLL, and HTML lure. Observed malicious DLL names include kugou.dll, dnx.onecore.dll, libmemobook.dll, and an AMPV.dll-impersonating DLL.

Across reporting, LOTUSLITE provides espionage-oriented remote access capabilities rather than banking fraud functionality. Documented functions include remote shell access via cmd.exe, remote command execution, file and directory enumeration, file manipulation and arbitrary file writing, session management/control, host profiling, beaconing, and data exfiltration. Multiple reports state it communicates with command-and-control over HTTPS or TCP/443 while masquerading as benign web traffic using spoofed headers such as forms.microsoft.com or Google-themed traffic. Reported infrastructure includes hardcoded or observed C2 endpoints 172.81.60.97, 103.79.77.181, editor.gleeze.com, and www.cosmosmusic.com.

Persistence mechanisms vary by campaign and version but include HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries such as Lite360, ACboardCm, ASEdge, and DadaBank, along with dropped files and directories under C:\ProgramData\Technology360NB\, C:\ProgramData\Microsoft_DNX\, C:\ProgramData\CClipboardCm\, C:\ProgramData\WebFeatures\, and C:\ProgramData\SmartPrint\. Additional reported artifacts include mutexes Global\Technology360-A@P@T-Team and BelievemeIamMustang-Panda, launcher names such as DataTechnology.exe and SafeChrome.exe, and command protocol magic values including 0x8899AABB and 0xB2EBCFDF. Reported sample hashes include 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653 and 15b0f927bb43c6e3b9b002cbeac2faf6975e52503c32f039c8c4ecf6be600fdd, with additional campaign-linked hashes af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec, cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8, 7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d, 9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d, 18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893, and 6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135.

Reported operators

Threat actors

1 named in public reporting
Mustang Panda

The binary shares numerous similarities with the analysis published on May 13, 2026, titled “MustangPanda New Backdoor LotusLite”.

Exploited software

Vulnerabilities linked to LOTUSLITE

1 CVEs

MITRE ATT&CK

LOTUSLITE in ATT&CK

25 distinct techniques

Reporting

Research mentioning LOTUSLITE

Jun 30
Cyber Security News

Mustang Panda Abuses Zoho WorkDrive for Command-and-Control and Data Exfiltration

In April, Acronis also tied Mustang Panda to attacks on India’s banking sector and South Korean policy circles through a campaign using a tool called LOTUSLITE, also staged through a legitimate cloud service.

Jun 29
The Hacker News

Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks

In April, Acronis tied the group's LOTUSLITE backdoor to attacks on India's banking sector and South Korean policy circles, also staged through a legitimate cloud service.

Jun 9
Exatrack

Under the Hood - LotusLite: Believe me I am MustangPanda

The binary shares numerous similarities with the analysis published on May 13, 2026, titled “MustangPanda New Backdoor LotusLite”.

Apr 23
Gurucul Threat Research

Same Packet, Different Magic: Mustang Panda Hits India's Banking Sector and Korea Geopolitics | Community Portal | Gurucul

A new variant of the LOTUSLITE backdoor, attributed with moderate confidence to Mustang Panda, is targeting India’s banking sector using DLL sideloading with legitimate Microsoft-signed executables.

Apr 22
The Hacker News

Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles

Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking sector. "The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than financially motivated objectives,"

Apr 22
Cyber Security News

Microsoft-Signed Binary Used to Sneak LOTUSLITE Into India-Focused Espionage Campaign - Cyber Security News

The campaign delivers a new version of the LOTUSLITE backdoor through a technique known as DLL sideloading... Once installed, the LOTUSLITE backdoor connects to a dynamic DNS-based command-and-control (C2) server over HTTPS...

Apr 22
Blueteamsec

Same packet, different magic: Mustang Panda hits India's banking sector and Korea geopolitics - Infosec.Pub

Acronis Threat Research Unit (TRU) identified a new variant of the LOTUSLITE backdoor with a theme related to India's banking sector, delivered via DLL sideloading using a legitimate Microsoft-signed executable.

Apr 21
Dark Reading

Chinese APT Targets Indian Banks, Korean Policy Circles

After persistence was established via the Windows Registry, victims were rewarded with a variant of LotusLite, a backdoor built and maintained by this particular threat cluster within Mustang Panda, which it uses to establish shells, access files, and perform other remote operations for espionage.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.