

Ethical Hacking News

LOTUSLITE: A Sophisticated Backdoor Campaign Targeting U.S. Policy Entities Through Spear Phishing




A new campaign has been discovered that targets U.S. policy entities using spear phishing tactics with a twist – politically themed lures. The attackers have used DLL side-loading techniques to deliver a sophisticated backdoor known as LOTUSLITE, which is capable of establishing persistence and exfiltrating data. The campaign is attributed to a Chinese state-sponsored group known as Mustang Panda. With heightened tensions between the U.S. and Venezuela, this development highlights the evolving nature of nation-state threats.

  • Chinese state-sponsored group Mustang Panda (aka Earth Preta, HoneyMyte, Twill Typhoon) targeted U.S. government and policy entities using politically themed lures to deliver a backdoor.
  • The backdoor, LOTUSLITE, is a bespoke C++ implant that communicates with a hard-coded command-and-control server via Windows WinHTTP APIs.
  • LOTUSLITE enables beaconing activity, remote tasking using cmd.exe, data exfiltration, and establishing persistence through Windows Registry modifications.
  • The campaign uses DLL side-loading techniques to bypass certain security measures, such as those implemented by operating system vendors.
  • Targeted malware campaign leverages decoys related to the U.S.-Venezuela geopolitical developments to distribute a ZIP archive containing malicious code.



    In a recent development that sheds light on the evolving tactics, techniques, and procedures (TTPs) of Chinese state-sponsored groups, security experts have disclosed details of a new campaign that has targeted U.S. government and policy entities using politically themed lures to deliver a backdoor known as LOTUSLITE. The sophistication and intricacy of this campaign underscore the importance of ongoing vigilance and expertise in the realm of cybersecurity.

    According to recent reports, the targeted malware campaign leverages decoys related to the recent geopolitical developments between the U.S. and Venezuela to distribute a ZIP archive ("US now deciding what's next for Venezuela.zip") containing a malicious DLL that's launched using DLL side-loading techniques. This technique is noteworthy because it allows the attackers to bypass certain security measures, such as those implemented by operating system vendors.

    The campaign has been attributed with moderate confidence to a Chinese state-sponsored group known as Mustang Panda (aka Earth Preta, HoneyMyte, and Twill Typhoon), citing tactical and infrastructure patterns. It's worth noting that this threat actor is well-documented in the realm of cybersecurity for its extensive reliance on DLL side-loading to launch its backdoors, including TONESHELL.

    The backdoor ("kugou.dll") employed in the attack, LOTUSLITE, is a bespoke C++ implant that's designed to communicate with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs to enable beaconing activity, remote tasking using "cmd.exe," and data exfiltration. The complete list of supported commands includes 0x0A, which initiates a remote CMD shell; 0x0B, which terminates the remote shell; 0x01, which sends commands via the remote shell; 0x06, which resets beacon state; 0x03, which enumerates files in a folder; 0x0D, which creates an empty file; and 0x0E, which appends data to a file. Additionally, LOTUSLITE is capable of establishing persistence by making Windows Registry modifications to ensure that it's automatically executed each time the user logs in to the system.
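    The execution chain described above (a DLL loaded from the same user-writable folder as its host executable, followed by cmd.exe tasking and a Run-key write) can be hunted in endpoint telemetry. The following is an added example, not code from the article or from Acronis; it runs over constructed Sysmon-style JSON events, the host executable name "viewer.exe" is a hypothetical placeholder (the article does not name it), and the HKCU/HKU Run key is assumed as the login-persistence location the article refers to only generically.

```python
import json
import ntpath

# Constructed Sysmon-style events (JSON lines) modelled on the chain the article
# describes; illustrative records, not real telemetry. id 1 = process create,
# id 7 = image load, id 13 = registry value set. "viewer.exe" is hypothetical.
SAMPLE_EVENTS = r"""
{"id":1,"pid":4100,"ppid":800,"image":"C:\\Users\\jdoe\\Downloads\\US now deciding what's next for Venezuela\\viewer.exe"}
{"id":7,"pid":4100,"image":"C:\\Users\\jdoe\\Downloads\\US now deciding what's next for Venezuela\\viewer.exe","loaded":"C:\\Users\\jdoe\\Downloads\\US now deciding what's next for Venezuela\\kugou.dll"}
{"id":1,"pid":4188,"ppid":4100,"image":"C:\\Windows\\System32\\cmd.exe"}
{"id":13,"pid":4100,"image":"C:\\Users\\jdoe\\Downloads\\US now deciding what's next for Venezuela\\viewer.exe","target":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\viewer"}
{"id":7,"pid":900,"image":"C:\\Program Files\\Acme\\acme.exe","loaded":"C:\\Program Files\\Acme\\helper.dll"}
"""

# Directories where co-located DLL loads are normal and are not flagged.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def _dir(path):
    return ntpath.dirname(path).lower()


def hunt(jsonl):
    """Return {pid: finding} for processes that loaded a DLL from their own
    non-system directory (side-loading heuristic), enriched with follow-on
    cmd.exe child processes and Run-key writes by the same process."""
    events = [json.loads(l) for l in jsonl.splitlines() if l.strip()]
    findings = {}
    for e in events:
        if e["id"] != 7:
            continue
        host_dir = _dir(e["image"])
        if host_dir.startswith(TRUSTED_DIRS):
            continue
        if _dir(e["loaded"]) == host_dir:  # DLL resolved beside the host binary
            findings[e["pid"]] = {"host": e["image"], "dll": e["loaded"],
                                  "cmd_shell": False, "run_key": False}
    for e in events:
        if (e["id"] == 1 and e.get("ppid") in findings
                and ntpath.basename(e["image"]).lower() == "cmd.exe"):
            findings[e["ppid"]]["cmd_shell"] = True
        if (e["id"] == 13 and e["pid"] in findings
                and "\\currentversion\\run\\" in e["target"].lower()):
            findings[e["pid"]]["run_key"] = True
    for f in findings.values():  # 1 = side-load only, up to 3 with both follow-ons
        f["score"] = 1 + f["cmd_shell"] + f["run_key"]
    return findings


if __name__ == "__main__":
    for pid, f in hunt(SAMPLE_EVENTS).items():
        print(pid, f["score"], f["dll"])
```

    A score of 3 (side-load plus cmd.exe child plus Run-key write from one process) is the full pattern the article describes; the Program Files load is deliberately left unflagged to show the exclusion.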

    The campaign is notable for its use of politically themed lures, favoring reliable execution techniques such as DLL side-loading over exploit-based initial access. This approach allows the attackers to avoid some of the more advanced security measures implemented by U.S. government entities. Acronis researchers Ilia Dafchev and Subhajeet Singha said in an analysis that "This campaign reflects a continued trend of targeted spear phishing using geopolitical lures, favoring reliable execution techniques such as DLL side-loading over exploit-based initial access."

    The recent disclosure comes amidst a backdrop of heightened tensions between the U.S. and Venezuela, with reports emerging of a purported cyber attack undertaken by the U.S. to disrupt electricity for most residents in the capital city of Caracas for a few minutes. It's worth noting that this alleged attack was part of a larger military operation aimed at capturing Venezuelan President Nicolás Maduro.

    In an era where nation-state actors and other sophisticated threat actors are increasingly turning to targeted spear phishing campaigns as their preferred vectors, it is imperative that U.S. government entities and organizations exercise heightened vigilance in the face of these evolving threats. The LOTUSLITE backdoor campaign underscores the importance of robust cybersecurity measures and expertise.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/LOTUSLITE-A-Sophisticated-Backdoor-Campaign-Targeting-US-Policy-Entities-Through-Spear-Phishing-ehn.shtml

  • https://thehackernews.com/2026/01/lotuslite-backdoor-targets-us-policy.html

  • https://cybersecuritynews.com/earth-preta-hackers-new-tools-arsenal/

  • https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html

  • https://www.darkreading.com/cybersecurity-operations/fbi-wraps-up-eradication-chinese-plugx-malware

  • https://techcrunch.com/2025/01/14/doj-confirms-fbi-operation-that-mass-deleted-chinese-malware-from-thousands-of-us-computers/


  • Published: Fri Jan 16 05:11:18 2026 by llama3.2 3B Q4_K_M