Cybersecurity researchers have revealed a new malware campaign aimed at U.S. government and policy organizations, using politically themed lures to deliver a backdoor called LOTUSLITE.
The campaign exploits geopolitical tensions between the U.S. and Venezuela. The attackers distributed a ZIP archive named “US now deciding what’s next for Venezuela.zip” containing a malicious DLL that is executed through DLL side-loading: the DLL is placed where a legitimate executable looks for one of its dependencies, so the trusted program loads the attacker’s code without any software vulnerability being exploited. At this stage, it is unclear whether any targets were actually compromised.
Acronis attributes the activity with moderate confidence to the Chinese state-sponsored group Mustang Panda (also tracked as Earth Preta, HoneyMyte, and Twill Typhoon), based on overlaps in tactics and infrastructure. Mustang Panda has a long history of using DLL side-loading to launch backdoors such as TONESHELL.
“This campaign highlights a continued trend of targeted spear phishing using geopolitical lures, favoring robust execution methods like DLL side-loading instead of exploiting vulnerabilities,” said Acronis researchers Ilia Dafchev and Subhajeet Singha.

The backdoor, kugou.dll, is a custom C++ implant. It communicates with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs. LOTUSLITE supports remote tasking through cmd.exe, beaconing activity, and data exfiltration. Supported commands include:
- 0x0A: Initiate remote CMD shell
- 0x0B: Terminate remote shell
- 0x01: Send commands via remote shell
- 0x06: Reset beacon state
- 0x03: Enumerate files in a folder
- 0x0D: Create empty file
- 0x0E: Append data to file
- 0x0F: Retrieve beacon status
LOTUSLITE ensures persistence by modifying the Windows Registry so it runs automatically when a user logs in.
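The two behaviours described above, a DLL side-loaded from the archive’s extraction folder and a Registry autorun entry for logon persistence, are both visible in endpoint telemetry. The following hunt script is an added example written for this article, not Acronis’s code or anything recovered from the campaign. It assumes Sysmon-style field names (EventID 7 ImageLoad with Image/ImageLoaded/Signed/Signature, EventID 13 RegistryEvent with TargetObject/Details), a list of user-writable directories that you would tune to your own estate, and a placeholder host executable name (player.exe) in the constructed sample events; the real side-loading host is not named in the report.

```python
"""Hunt for LOTUSLITE-style tradecraft in Sysmon-style telemetry:
- DLL side-loading: a DLL loaded from the same user-writable directory as the
  EXE that loaded it (EventID 7), unless the DLL is Microsoft-signed.
- Logon persistence: a value written under a CurrentVersion\\Run(Once) key
  whose command line points into a user-writable directory (EventID 13).
Sample events below are constructed for this example, not real telemetry."""
import ntpath
import re
from typing import Optional

# Directories a standard user can write to. Assumption: extend for your estate.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|appdata|desktop|documents)"
    r"|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def detect_sideload(event: dict) -> Optional[str]:
    """EventID 7: flag a non-Microsoft DLL loaded from the loading EXE's own
    directory when that directory is user-writable (classic side-load setup)."""
    if event.get("EventID") != 7:
        return None
    exe, dll = event["Image"], event["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return None
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    ms_signed = (event.get("Signed") == "true"
                 and "Microsoft" in event.get("Signature", ""))
    if same_dir and is_user_writable(dll) and not ms_signed:
        return f"possible DLL side-load: {ntpath.basename(exe)} loaded {dll}"
    return None


def detect_run_key(event: dict) -> Optional[str]:
    """EventID 13: flag a Run/RunOnce value whose command references a
    user-writable path (quoted paths with spaces are handled as one token)."""
    if event.get("EventID") != 13 or not RUN_KEY.search(event["TargetObject"]):
        return None
    details = event.get("Details", "")
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', details)]
    if any(is_user_writable(t) for t in tokens):
        return f"logon persistence: {event['TargetObject']} -> {details}"
    return None


def hunt(events: list) -> list:
    """Run every rule over every event and return the alert strings."""
    alerts = []
    for ev in events:
        for rule in (detect_sideload, detect_run_key):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: a benign System32 load, a side-load from the
# Downloads folder, a Run key pointing back at that folder, and a benign Run
# key. player.exe is a placeholder for the unnamed legitimate host executable.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7,
     "Image": r"C:\Users\alice\Downloads\US now deciding\player.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\US now deciding\kugou.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\player",
     "Details": r'"C:\Users\alice\Downloads\US now deciding\player.exe"'},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

On the constructed input, only the Downloads-folder side-load and the Run key pointing at that folder fire; the System32 load and the OneDrive autorun are ignored. The side-load rule keys on location (same directory as the loader, user-writable) rather than on a DLL name, because the implant file name is trivially changed between campaigns while the loading pattern is not.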
Acronis noted that the malware mimics techniques used by Claimloader, which employs DLL side-loading to deploy Mustang Panda’s PUBLOAD tool. Claimloader was first documented by IBM X-Force in June 2025 during a cyber espionage campaign targeting the Tibetan community.
“This attack shows that simple, well-tested methods remain effective when combined with targeted delivery and geopolitical lures,” said the Singapore-based security firm. “Even without advanced evasion, LOTUSLITE focuses on operational reliability through DLL side-loading and basic C2 functions.”
The disclosure coincides with The New York Times reporting on a U.S. cyber operation that briefly disrupted electricity in Caracas before the January 3, 2026, military mission capturing Venezuelan President Nicolás Maduro. Power outages affected most residents for minutes, while some areas near the military base lost electricity for up to 36 hours.