Same packet, different magic: Hits India's banking sector and Korea geopolitics
A new variant of the LOTUSLITE backdoor, version 1.1, has been identified targeting India's banking sector and South Korean diplomatic circles. The backdoor is delivered via DLL sideloading using legitimate Microsoft-signed executables and initially through CHM files containing malicious JavaScript. It communicates with dynamic DNS-based command-and-control servers over HTTPS, supporting remote shell access, file operations and session management. Code-level analysis reveals direct lineage to LOTUSLITE v1.0, including identical command structures, shared persistence mechanisms, and residual exports from the original codebase. The campaign demonstrates incremental improvements including updated magic values, API resolution techniques, and delivery mechanisms evolving from CHM-based to JavaScript loaders to DLL sideloading. Infrastructure hosted under Dynu Systems shows continuity with previous operations.
AI Analysis
Technical Summary
The LOTUSLITE backdoor version 1.1 is a malware variant targeting sensitive sectors in India and South Korea, delivered via DLL sideloading with legitimate Microsoft-signed executables and initially through CHM files with malicious JavaScript. It keeps the command structures and persistence mechanisms of LOTUSLITE v1.0 but adds updated magic values and a changed API resolution technique. Communication with command-and-control servers uses dynamic DNS hostnames over HTTPS, enabling remote shell, file operations, and session management. The campaign infrastructure shows continuity with previous LOTUSLITE operations hosted under Dynu Systems. The threat actor identified is MUSTANG PANDA. No CVE or patch applies: this is a malware campaign rather than a vulnerability in a specific product, so remediation is detection and eviction, not patching.
Potential Impact
The backdoor provides attackers with remote shell access, file operation capabilities, and session management on compromised systems within India's banking sector and South Korean diplomatic circles. This enables espionage and potential unauthorized data access or manipulation. The use of DLL sideloading with legitimate Microsoft-signed executables and the evolving delivery chain (CHM, then JavaScript loaders, then sideloading) increases the difficulty of detection, because the process that runs the backdoor is itself a signed, trusted binary. Because this is a malware campaign rather than an exploitable vulnerability, there is no "exploitation in the wild" status to report; the variant itself has been observed in use against the named sectors.
Mitigation Recommendations
No patch or vendor advisory applies: LOTUSLITE is a backdoor delivered through social engineering and DLL sideloading, not a flaw in a particular product. Organizations should monitor for the indicators of compromise listed below (the IP address, domains and file hashes) and for DNS resolutions of Dynu dynamic-DNS hostnames, since the C2 infrastructure has been hosted there across campaigns. Given the delivery methods, block or monitor the execution of CHM files (opened by hh.exe) and watch for Microsoft-signed executables loading DLLs from user-writable directories. Application allowlisting helps, but note that verifying the signature of the host executable does not detect sideloading, because that executable is genuinely signed; the check must be on the DLL it loads and on where it is loaded from.
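The following detection logic is an added example written for this page; it is not code from Acronis, AlienVault or the campaign report. It encodes the recommendations above as rules over simplified Sysmon-style events (DNS query, network connect, file hash, process create, image load) represented as plain dictionaries; the field names are an assumption modelled on Sysmon's Image/ImageLoaded/Signed/Hashes fields rather than an exact schema. The indicator values are the ones listed on this page; the sample events at the bottom are constructed for the example and do not come from any real host.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators listed on this page, lower-cased for matching.
IOC_DOMAINS = {"editor.gleeze.com", "cosmosmusic.com", "www.cosmosmusic.com"}
IOC_IPS = {"172.81.60.97"}
IOC_HASHES = {
    "5abac6560eeb77f71e4cd2e1b33d973e",                                  # MD5
    "1ffd797a49df270494b8cb2d2d0d679387fbd44a",                          # SHA-1
    "18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893",  # SHA-256
    "6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135",
    "7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d",
    "9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d",
    "af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec",
    "cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8",
}
# Dynamic-DNS zone taken from the listed C2 hostname editor.gleeze.com.
# Adding further Dynu zones here is your own assumption, not from this page.
DYNDNS_ZONES = ("gleeze.com",)
# Directories an unprivileged user can write to. A Microsoft-signed binary
# copied here and loading a DLL from its own folder is the sideloading pattern.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def check_dns(ev: dict) -> Optional[Alert]:
    name = ev["query"].lower().rstrip(".")
    if name in IOC_DOMAINS:
        return Alert("ioc_domain", name)
    # Not a listed IoC, but the campaign's C2 lives under a Dynu zone: triage it.
    if any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES):
        return Alert("dyndns_zone", name)
    return None


def check_network(ev: dict) -> Optional[Alert]:
    return Alert("ioc_ip", ev["dst_ip"]) if ev["dst_ip"] in IOC_IPS else None


def check_hashes(ev: dict) -> Optional[Alert]:
    # Sysmon formats the field as "MD5=...,SHA256=...,IMPHASH=...".
    for part in ev["hashes"].split(","):
        _, _, digest = part.partition("=")
        if digest.lower() in IOC_HASHES:
            return Alert("ioc_hash", digest.lower())
    return None


def check_process(ev: dict) -> Optional[Alert]:
    image = ev["image"].lower()
    cmd = ev.get("command_line", "").lower()
    # hh.exe is the HTML Help viewer; any .chm on a command line is worth a look.
    if image.endswith("\\hh.exe") or ".chm" in cmd:
        return Alert("chm_execution", cmd or image)
    return None


def check_image_load(ev: dict) -> Optional[Alert]:
    host, dll = ev["image"].lower(), ev["image_loaded"].lower()
    host_is_ms = bool(ev.get("signed")) and "microsoft" in ev.get("signature", "").lower()
    dll_trusted = bool(ev.get("loaded_signed")) and "microsoft" in ev.get("loaded_signature", "").lower()
    same_dir = _dirname(host) == _dirname(dll)
    writable = _dirname(dll).startswith(USER_WRITABLE_PREFIXES)
    # The host EXE's signature is valid by design; the signal is the DLL beside it.
    if host_is_ms and not dll_trusted and same_dir and writable:
        return Alert("dll_sideload_candidate", f"{host} -> {dll}")
    return None


CHECKS = {
    "dns_query": check_dns,
    "network_connect": check_network,
    "file_hash": check_hashes,
    "process_create": check_process,
    "image_load": check_image_load,
}


def evaluate(events: Iterable[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        check = CHECKS.get(ev.get("type", ""))
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: invented for this example, not real host data.
SAMPLE_EVENTS = [
    {"type": "dns_query", "query": "editor.gleeze.com"},
    {"type": "dns_query", "query": "update.gleeze.com"},
    {"type": "dns_query", "query": "www.microsoft.com"},
    {"type": "network_connect", "dst_ip": "172.81.60.97"},
    {"type": "file_hash", "hashes": "MD5=5abac6560eeb77f71e4cd2e1b33d973e,"
                                    "SHA256=18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893"},
    {"type": "process_create", "image": "C:\\Windows\\hh.exe",
     "command_line": "hh.exe C:\\Users\\a\\Downloads\\invite.chm"},
    {"type": "image_load", "image": "C:\\Users\\a\\AppData\\Roaming\\Foo\\host.exe",
     "signed": True, "signature": "Microsoft Corporation",
     "image_loaded": "C:\\Users\\a\\AppData\\Roaming\\Foo\\helper.dll",
     "loaded_signed": False, "loaded_signature": ""},
    {"type": "image_load", "image": "C:\\Windows\\System32\\notepad.exe",
     "signed": True, "signature": "Microsoft Windows",
     "image_loaded": "C:\\Windows\\System32\\kernel32.dll",
     "loaded_signed": True, "loaded_signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.rule:24} {a.detail}")
```

The sideload rule deliberately ignores the host executable's signature status as a pass condition and instead requires three things together: a Microsoft-signed host, an untrusted DLL in the same directory, and that directory being user-writable. Loosening any one of them (for example dropping the writable-directory test) will flag ordinary software in Program Files and bury the real hits.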
Indicators of Compromise
- ip: 172.81.60.97
- domain: editor.gleeze.com
- hash: 5abac6560eeb77f71e4cd2e1b33d973e
- hash: 1ffd797a49df270494b8cb2d2d0d679387fbd44a
- hash: 18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893
- hash: 6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135
- hash: 7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d
- hash: 9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d
- hash: af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec
- hash: cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8
- domain: cosmosmusic.com
- domain: www.cosmosmusic.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/
- Adversary: MUSTANG PANDA
- Pulse Id: 69e827168edcf67707285b4e
- Threat Score: null
Threat ID: 69e88ad519fe3cd2cd81f4fb
Added to database: 4/22/2026, 8:46:13 AM
Last enriched: 4/22/2026, 9:02:33 AM
Last updated: 4/23/2026, 1:06:02 AM
Views: 17