A newly discovered cyber espionage campaign is targeting the Indian banking sector with an updated version of the LOTUSLITE backdoor, marking a shift from the malware’s earlier focus on government entities and prompting fresh concern over how threat actors are adapting their methods for financial targets.
Researchers at the Acronis Threat Research Unit attributed the campaign with moderate confidence to Mustang Panda, citing shared code, infrastructure and operational patterns. The operation begins with a spear-phishing email carrying a Compiled HTML file disguised as a routine IT support ticket and named “Request for Support.chm”, designed to trick employees in corporate and banking environments into opening it.
Phishing Entry and Silent Deployment
Once opened, the file displays a malicious pop-up while quietly downloading a JavaScript file from a remote server. That script then drives the next phase of the intrusion by extracting a legitimate Microsoft-signed executable together with a hidden malicious payload onto the victim’s machine.
To bypass security software, the attackers rely on DLL sideloading. The script extracts a legitimate developer tool, Microsoft_DNX.exe, which carries a valid Microsoft digital signature and is generally trusted by security products. But the older tool contains a flaw: it loads supporting DLL files by name without verifying their authenticity or exact location.
Backdoor Updated for Banking Targets
The attackers exploit that weakness by placing their own malicious DLL, identified as the LOTUSLITE backdoor, in the same folder. When the Microsoft binary runs, it loads the malware without recognising it as malicious, giving the attackers stealthy access to the system.
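As an added defender-side example (not code from the Acronis report), the check below turns the sideloading pattern described above into a heuristic over Sysmon Event ID 7 (ImageLoaded) records: it flags an unsigned DLL that a host binary loads from its own, non-system directory, with Microsoft_DNX.exe as the one known host taken from the report. The event records and the DLL file name are constructed for illustration.

```python
"""Heuristic DLL-sideloading detector over Sysmon Event ID 7 (ImageLoaded) records.

Assumed input (not from the report): events as dicts carrying the standard Sysmon
fields Image, ImageLoaded, Signed and SignatureStatus. Microsoft_DNX.exe is the
only host binary taken from the report; everything else here is constructed.
"""
from pathlib import PureWindowsPath

# A DLL sitting next to its host binary under these roots is the normal install layout.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Signed host binaries reported to resolve DLLs by name from their own directory.
KNOWN_SIDELOAD_HOSTS = {"microsoft_dnx.exe"}


def is_sideload_candidate(event):
    """Return a reason string if the image-load event looks like sideloading, else None."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    # PureWindowsPath compares case-insensitively, matching Windows path semantics.
    if dll.suffix.lower() != ".dll" or host.parent != dll.parent:
        return None  # not a DLL, or not resolved from the host's own directory
    unsigned = (event.get("Signed", "false").lower() != "true"
                or event.get("SignatureStatus", "") != "Valid")
    host_dir = str(host.parent).lower() + "\\"
    in_trusted_root = host_dir.startswith(TRUSTED_ROOTS)
    if unsigned and host.name.lower() in KNOWN_SIDELOAD_HOSTS:
        return f"known sideload host {host.name} loaded unsigned {dll.name} from its own directory"
    if unsigned and not in_trusted_root:
        return f"unsigned {dll.name} loaded from non-system directory {host.parent}"
    return None


def scan(events):
    """Return (host image, reason) pairs for every event the heuristic flags."""
    return [(e["Image"], reason) for e in events if (reason := is_sideload_candidate(e))]


# Constructed sample events; the DLL name in the first record is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Microsoft_DNX.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example_sideloaded.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Microsoft_DNX.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

The third record shows the deliberate blind spot: an unsigned DLL beside a vendor binary under Program Files is not flagged unless that binary is on the known-host list, so that list is the part to keep current.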
In the latest campaign, the developers introduced several updates intended to make LOTUSLITE harder to detect. The malware now uses 22 export functions instead of 16, and its main entry point has been updated to route through a new function called “HDFCBankMain”, directly referencing a major Indian financial institution.
Operational Mistakes Leave a Trail
Even as the developers improved their evasion tactics, Acronis researchers found a series of operational security mistakes that helped connect the campaign to earlier activity. The attackers left behind a function called “KugouMain”, apparently a remnant from a previous campaign that used a Tencent music application for sideloading.
The malware also continues to communicate with the same dynamic DNS provider used in previous attacks, making its infrastructure easier to track. Researchers said the developers even included a mocking pop-up message referring to an independent security researcher who has tracked their activities, suggesting they were aware they were being monitored while continuing to leave clues behind.