- Researchers found a new LOTUSLITE malware variant targeting India’s banking sector.
- The backdoor enables remote shell access, file operations, and session management for espionage.
- The same group also targeted South Korean and U.S. policy circles using fake Gmail accounts.

Cybersecurity researchers just spotted a new version of a known malware called LOTUSLITE. This time, it’s hiding inside a fake banking theme aimed at India.
The attacks aren’t about stealing money. They’re about spying on people and organizations.
A Geopolitical Pivot Toward India
Acronis researchers Santiago Pontiroli and Subhajeet Singha examined a new variant of a malware strain called “3M1E”. According to them, this variant communicates with its command-and-control (C&C) servers over HTTPS, and the server is reached through a dynamic DNS address.
The malware gives attackers remote shell access. It also lets them manage files and control sessions. These are classic espionage features, not financial tools.
Previous LOTUSLITE attacks targeted U.S. government and policy groups, using decoys about U.S.-Venezuela relations. Some experts have attributed these attacks, with medium confidence, to a China-based advanced persistent threat (APT) known as Mustang Panda.
Now the group has shifted focus. The new attacks mainly target India’s banking sector. But the attack playbook remains mostly the same.
The Attack Method
It starts with a Compiled HTML (CHM) file. That file hides several malicious parts. There’s a legitimate executable, a rogue DLL, and an HTML page with a pop-up.
The pop-up asks the user to click “Yes.” That click silently pulls JavaScript malware from a remote server: cosmosmusic[.]com.
That JavaScript extracts and runs the hidden malware using a technique called DLL side-loading: the legitimate executable is made to load the rogue DLL, named dnx.onecore.dll, which is an updated LOTUSLITE version.
This DLL then phones home to editor.gleeze[.]com, where it waits for commands and sends back stolen data.
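As an added defender-side example (not code from the article or from Acronis), the script below sweeps constructed log lines for the indicators the article names: DNS queries for the stager host cosmosmusic[.]com and the C2 host editor.gleeze[.]com, image loads of the side-loaded dnx.onecore.dll, and processes spawned by hh.exe, the Windows HTML Help viewer that opens CHM files (a general Windows fact, not something the article states). The log format, the file paths, and the executable name viewer.exe are assumptions made for the sample.

```python
"""Added example: IoC sweep for the LOTUSLITE delivery chain described in the article.
The DNS/process/image-load log format below is an assumption; the sample lines are
constructed, not real telemetry."""
import re

# Indicators quoted from the article, kept defanged as analysts usually share them.
DEFANGED_DOMAINS = ["cosmosmusic[.]com", "editor.gleeze[.]com"]
ROGUE_DLL = "dnx.onecore.dll"


def refang(indicator: str) -> str:
    """Turn 'host[.]tld' back into 'host.tld' so it can be matched against live logs."""
    return indicator.replace("[.]", ".")


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def dns_hit(line: str):
    """Return the matched indicator if a DNS log line queries it or any subdomain of it."""
    m = re.search(r"\bquery=(\S+)", line)
    if not m:
        return None
    qname = m.group(1).rstrip(".").lower()
    for d in DOMAINS:
        if qname == d or qname.endswith("." + d):
            return d
    return None


def image_load_hit(line: str):
    """Return (process, dll path) if the rogue side-loaded DLL name is loaded.
    Side-loading means a legitimate EXE loads the DLL from its own directory, so the
    loading process and the path (user-writable folders in particular) are reported."""
    m = re.search(r"\bprocess=(\S+)\s+image=(\S+)", line)
    if not m:
        return None
    process, image = m.group(1), m.group(2)
    if image.lower().replace("/", "\\").split("\\")[-1] == ROGUE_DLL:
        return process, image
    return None


def chm_child_hit(line: str):
    """Return the child process if its parent is hh.exe (the HTML Help viewer that
    renders CHM files). A CHM spawning a script host or an unexpected EXE matches the
    delivery chain the article describes."""
    m = re.search(r"\bparent=(\S+)\s+child=(\S+)", line)
    if not m:
        return None
    parent, child = m.group(1), m.group(2)
    if parent.lower().split("\\")[-1] == "hh.exe":
        return child
    return None


def sweep(lines):
    """Run every check over the log lines; return (line_number, finding) tuples."""
    findings = []
    for n, line in enumerate(lines, 1):
        d = dns_hit(line)
        if d:
            findings.append((n, f"dns: {d}"))
        r = image_load_hit(line)
        if r:
            findings.append((n, f"sideload: {r[0]} loaded {r[1]}"))
        c = chm_child_hit(line)
        if c:
            findings.append((n, f"chm-child: {c}"))
    return findings


# Constructed sample log lines; viewer.exe stands in for the unnamed legitimate EXE.
SAMPLE_LOGS = [
    "2024-01-01T09:00:01 dns client=10.0.0.5 query=www.example.com.",
    "2024-01-01T09:00:02 dns client=10.0.0.5 query=cosmosmusic.com.",
    "2024-01-01T09:00:03 proc parent=C:\\Windows\\hh.exe child=C:\\Users\\u\\AppData\\Local\\Temp\\viewer.exe",
    "2024-01-01T09:00:04 load process=C:\\Users\\u\\AppData\\Local\\Temp\\viewer.exe image=C:\\Users\\u\\AppData\\Local\\Temp\\dnx.onecore.dll",
    "2024-01-01T09:00:05 dns client=10.0.0.5 query=editor.gleeze.com.",
    "2024-01-01T09:00:06 load process=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\ntdll.dll",
]

if __name__ == "__main__":
    for n, finding in sweep(SAMPLE_LOGS):
        print(f"line {n}: {finding}")
```

The domain check matches subdomains as well as the bare host because dynamic DNS C2 hosts are often reached through changing labels under the same parent; the DLL check compares only the file name because side-loaded DLLs travel with whatever legitimate executable the attacker chose, so the directory is unpredictable but worth showing to the analyst.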
Broader Targets: South Korea and U.S. Policy Circles
Researchers found similar attack tools aimed at South Korean targets, specifically people in policy and diplomatic circles.
Acronis believes the group went after South Korean and U.S. entities. These included people working on North Korea policy, Korean peninsula affairs, and Indo-Pacific security dialogues.
What stands out is the group’s widening focus. First, they hit U.S. government entities with geopolitical lures. Then they moved to India’s banking sector. Those Indian attacks used fake HDFC Bank references and pop-ups pretending to be banking software.
Now they’re targeting South Korean and U.S. policy circles. They impersonate a known figure in Korean peninsula diplomacy. They deliver the attack using spoofed Gmail accounts and Google Drive.
The malware keeps getting small upgrades. That means its operators actively maintain and improve it. It’s not a one-off tool. It’s a long-term espionage weapon. So far, no financial theft has been reported. The goal appears to be intelligence gathering.
The stealth techniques used in these LOTUSLITE attacks mirror those of Chinese state-backed hackers who employ rootkits to hide their presence. It is a reminder that espionage campaigns are built for persistence and stealth, letting attackers operate undetected for long periods while gathering sensitive intelligence. Banks and policy experts should stay on high alert.