The binary shares numerous similarities with the analysis published on May 13, 2026, titled “MustangPanda New Backdoor LotusLite”.
LOTUSLITE
LOTUSLITE is a custom Windows backdoor used in targeted cyber-espionage campaigns and repeatedly linked with moderate confidence to the China-aligned threat actor Mustang Panda.
Profile source: Mallory opens in a new tabLOTUSLITE
Family profile
LOTUSLITE is a custom Windows backdoor used in targeted cyber-espionage campaigns and repeatedly linked with moderate confidence to the China-aligned threat actor Mustang Panda. Reported campaigns targeted U.S. government and policy-focused organizations using Venezuela-themed spear-phishing lures, India’s banking sector, and South Korean and U.S. diplomatic/policy communities. Delivery commonly relies on DLL sideloading with legitimate signed executables, including Tencent KuGou components and Microsoft-signed binaries such as Microsoft_DNX.exe; one reported chain also used a malicious CHM file containing a legitimate executable, rogue DLL, and HTML lure. Observed malicious DLL names include kugou.dll, dnx.onecore.dll, libmemobook.dll, and an AMPV.dll-impersonating DLL.
Across reporting, LOTUSLITE provides espionage-oriented remote access capabilities rather than banking fraud functionality. Documented functions include remote shell access via cmd.exe, remote command execution, file and directory enumeration, file manipulation and arbitrary file writing, session management/control, host profiling, beaconing, and data exfiltration. Multiple reports state it communicates with command-and-control over HTTPS or TCP/443 while masquerading as benign web traffic using spoofed headers such as forms.microsoft.com or Google-themed traffic. Reported infrastructure includes hardcoded or observed C2 endpoints 172.81.60.97, 103.79.77.181, editor.gleeze.com, and www.cosmosmusic.com.
Persistence mechanisms vary by campaign and version but include HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries such as Lite360, ACboardCm, ASEdge, and DadaBank, along with dropped files and directories under C:\ProgramData\Technology360NB\, C:\ProgramData\Microsoft_DNX\, C:\ProgramData\CClipboardCm\, C:\ProgramData\WebFeatures\, and C:\ProgramData\SmartPrint\. Additional reported artifacts include mutexes Global\Technology360-A@P@T-Team and BelievemeIamMustang-Panda, launcher names such as DataTechnology.exe and SafeChrome.exe, and command protocol magic values including 0x8899AABB and 0xB2EBCFDF. Reported sample hashes include 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653 and 15b0f927bb43c6e3b9b002cbeac2faf6975e52503c32f039c8c4ecf6be600fdd, with additional campaign-linked hashes af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec, cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8, 7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d, 9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d, 18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893, and 6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135.
Reported operators
Threat actors
1 named in public reportingExploited software
Vulnerabilities linked to LOTUSLITE
1 CVEsMITRE ATT&CK
LOTUSLITE in ATT&CK
25 distinct techniquesTechniques
25 techniquesReporting
Research mentioning LOTUSLITE
Mustang Panda Abuses Zoho WorkDrive for Command-and-Control and Data Exfiltration
In April, Acronis also tied Mustang Panda to attacks on India’s banking sector and South Korean policy circles through a campaign using a tool called LOTUSLITE, also staged through a legitimate cloud service.
Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks
In April, Acronis tied the group's LOTUSLITE backdoor to attacks on India's banking sector and South Korean policy circles, also staged through a legitimate cloud service.
Under the Hood - LotusLite: Believe me I am MustangPanda
The binary shares numerous similarities with the analysis published on May 13, 2026, titled “MustangPanda New Backdoor LotusLite”.
Same Packet, Different Magic: Mustang Panda Hits India's Banking Sector and Korea Geopolitics | Community Portal | Gurucul
A new variant of the LOTUSLITE backdoor, attributed with moderate confidence to Mustang Panda, is targeting India’s banking sector using DLL sideloading with legitimate Microsoft-signed executables.
Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles
Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking sector. "The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than financially motivated objectives,"
Microsoft-Signed Binary Used to Sneak LOTUSLITE Into India-Focused Espionage Campaign - Cyber Security News
The campaign delivers a new version of the LOTUSLITE backdoor through a technique known as DLL sideloading... Once installed, the LOTUSLITE backdoor connects to a dynamic DNS-based command-and-control (C2) server over HTTPS...
Same packet, different magic: Mustang Panda hits India's banking sector and Korea geopolitics - Infosec.Pub
Acronis Threat Research Unit (TRU) identified a new variant of the LOTUSLITE backdoor with a theme related to India's banking sector, delivered via DLL sideloading using a legitimate Microsoft-signed executable.
Chinese APT Targets Indian Banks, Korean Policy Circles
After persistence was established via the Windows Registry, victims were rewarded with a variant of LotusLite, a backdoor built and maintained by this particular threat cluster within Mustang Panda, which it uses to establish shells, access files, and perform other remote operations for espionage.