Same packet, different magic: Hits India's banking sector and Korea geopolitics
A new variant of the LOTUSLITE backdoor, version 1.1, has been identified targeting India's banking sector and South Korean diplomatic circles. The backdoor is delivered via DLL sideloading using legitimate Microsoft-signed executables and initially through CHM files containing malicious JavaScript. It communicates with dynamic DNS-based command-and-control servers over HTTPS, supporting remote shell access, file operations and session management. Code-level analysis reveals direct lineage to LOTUSLITE v1.0, including identical command structures, shared persistence mechanisms, and residual exports from the original codebase. The campaign demonstrates incremental improvements including updated magic values, API resolution techniques, and delivery mechanisms evolving from CHM-based to JavaScript loaders to DLL sideloading. Infrastructure hosted under Dynu Systems shows continuity with previous operations.
AI Analysis
Technical Summary
The LOTUSLITE backdoor version 1.1 is a malware variant targeting sensitive sectors in India and South Korea. It is delivered primarily via DLL sideloading using legitimate Microsoft-signed executables, initially through CHM files with embedded malicious JavaScript. The backdoor communicates with its command-and-control infrastructure using dynamic DNS over HTTPS, enabling attackers to perform remote shell commands, file operations, and manage sessions on compromised systems. Code analysis confirms it retains command structures and persistence mechanisms from LOTUSLITE v1.0 but includes enhancements such as updated magic values and API resolution techniques. The campaign infrastructure remains hosted under Dynu Systems, showing continuity with previous LOTUSLITE operations. The threat actor behind this campaign is identified as MUSTANG PANDA. There is no CVE or patch information available, and no confirmed exploitation in the wild has been reported.
Potential Impact
The backdoor enables attackers to gain persistent remote shell access and perform file operations on compromised systems within India's banking sector and South Korean diplomatic circles, facilitating espionage and unauthorized data access or manipulation. The use of DLL sideloading with legitimate Microsoft-signed executables and evolving delivery mechanisms complicates detection and mitigation efforts. However, no confirmed active exploitation or widespread impact has been reported so far.
Mitigation Recommendations
No CVE, official fix, or vendor advisory applies to this campaign at this time: it concerns a malware backdoor rather than a product vulnerability, so remediation rests on detection and hardening. Organizations should monitor for the indicators of compromise provided with this report (IP address, domains, and file hashes). Restricting or monitoring the use of CHM files and DLL sideloading behaviour can reduce risk. Employ application allowlisting, and check which DLLs are loaded by Microsoft-signed executables and from where, since in a sideloading attack the signed executable itself is genuine and it is the co-located DLL that is malicious.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/
- Adversary: MUSTANG PANDA
- Pulse Id: 69e827168edcf67707285b4e
- Threat Score: null
Threat ID: 69e88ad519fe3cd2cd81f4fb
Added to database: 4/22/2026, 8:46:13 AM
Last enriched: 5/26/2026, 7:54:08 PM
Last updated: 6/7/2026, 12:44:57 AM