LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing

Security experts have disclosed a new cyber espionage campaign targeting U.S. government and policy entities through politically themed spear phishing designed to deliver a backdoor known as LOTUSLITE. The attackers used decoy files related to U.S.-Venezuela relations, including a ZIP archive titled “US now deciding what’s next for Venezuela.zip,” which contained a malicious DLL deployed via DLL side-loading. While it remains unclear whether the campaign successfully compromised any targets, the malware demonstrates how state-sponsored actors continue to leverage reliable, low-complexity techniques to gain access to sensitive systems.

The campaign has been attributed with moderate confidence to the Chinese state-sponsored group Mustang Panda, also tracked as Earth Preta, HoneyMyte, and Twill Typhoon. Researchers note that the group has historically relied on DLL side-loading to deploy backdoors, including its earlier TONESHELL implant. The LOTUSLITE malware, delivered inside the ZIP archive as kugou.dll, is a bespoke C++ implant that communicates with a hard-coded command-and-control server using the Windows WinHTTP APIs. The backdoor supports multiple commands that let the operators open a remote CMD shell, send commands to it, enumerate files, create or append to files, reset the beacon state, and check beacon status. To maintain persistence, LOTUSLITE modifies the Windows Registry so that it runs automatically at each system startup.

Analysts from Acronis highlighted that LOTUSLITE mimics behavioral patterns observed in Claimloader, another DLL side-loading malware previously used to deploy PUBLOAD, a Mustang Panda tool. Although LOTUSLITE does not employ advanced evasion techniques, its reliance on well-tested execution methods, targeted delivery, and geopolitical lures reflects a focus on operational reliability over sophistication. The malware’s functionality allows attackers to exfiltrate data and maintain control over compromised systems while remaining difficult to detect due to the simplicity and reliability of DLL side-loading.
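The side-loading pattern the article describes (an unsigned DLL extracted from an archive into a user-writable folder and loaded by an executable sitting beside it) can be hunted for in image-load telemetry. The following is an added detection heuristic, not code from Acronis or from the campaign; the event format, the lure executable name, and the user paths are constructed for illustration.

```python
"""Heuristic check for DLL side-loading from a user-writable directory,
run over constructed Sysmon-style image-load events (not real telemetry)."""
import ntpath
import re

# Locations a non-elevated user can write to (assumption: extend for your
# environment, e.g. removable media or shared folders).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\",
    re.IGNORECASE,
)
# Loads from the system DLL directories are expected and never flagged.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)


def is_sideload_candidate(event):
    """True when the DLL is unsigned, sits in a user-writable directory,
    and shares that directory with the process image that loaded it."""
    if event.get("signed", False):
        return False
    if SYSTEM_DIRS.match(event["image_loaded"]):
        return False
    same_dir = ntpath.dirname(event["image"]).lower() == ntpath.dirname(event["image_loaded"]).lower()
    return same_dir and bool(USER_WRITABLE.match(event["image_loaded"]))


def find_sideload_candidates(events):
    """Return (process image, loaded DLL) pairs matching the heuristic."""
    return [(e["image"], e["image_loaded"]) for e in events if is_sideload_candidate(e)]


# Constructed sample events; "lure.exe" is a hypothetical loader name.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",              # signed system DLL: benign
     "image_loaded": r"C:\Windows\System32\winhttp.dll", "signed": True},
    {"image": r"C:\Users\alice\Downloads\US now deciding what's next for Venezuela\lure.exe",
     "image_loaded": r"C:\Users\alice\Downloads\US now deciding what's next for Venezuela\kugou.dll",
     "signed": False},                                          # unsigned DLL beside loader: flag
    {"image": r"C:\Program Files\Vendor\app.exe",               # unsigned but in an install dir: skip
     "image_loaded": r"C:\Program Files\Vendor\helper.dll", "signed": False},
]

if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {proc} -> {dll}")
```

Signature status in real telemetry comes from the endpoint agent (Sysmon event ID 7 carries Signed/SignatureStatus fields); the heuristic is a triage filter and should be paired with the per-host baseline of which executables normally load which DLLs.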

The disclosure of this campaign coincides with reports from The New York Times regarding a recent U.S. military operation in Venezuela. According to the publication, U.S. forces briefly disrupted electricity for much of Caracas ahead of a mission to capture President Nicolás Maduro, who was subsequently transported to the United States on drug-related charges. While no direct link between LOTUSLITE and this operation has been confirmed, the timing and geopolitical context suggest that threat actors continue to exploit current events to increase the likelihood of successful targeting. Security researchers warn organizations to remain vigilant against politically themed spear phishing, particularly campaigns using established malware delivery methods like DLL side-loading, to protect sensitive policy-related networks and prevent unauthorized data access.
