LOTUSLITE strikes again and targets Indian banks with a deceptive CHM and DLL sideloading


Security researchers have detected a new variant of a malware family known as LOTUSLITE that is now distributed with a lure aimed at the banking sector in India. According to the analysis published by Acronis specialists, the sample uses a Compiled HTML (CHM) file as its entry point and relies on DLL sideloading to run a malicious component that establishes encrypted communication with a command-and-control server hosted behind dynamic DNS. In short, it is not a classic banking trojan but a tool designed for espionage and exfiltration. You can consult the researchers' work in the Acronis research section for more details: Acronis Research.

The modus operandi begins with a CHM that appears to contain legitimate documentation related to a financial institution. A valid executable and a manipulated DLL are embedded inside the file. The embedded HTML page shows a dialog box that induces the user to press "Yes"; that seemingly harmless click triggers a chain of downloads that retrieves a JavaScript script from a remote server identified by the analysts, and that script is responsible for extracting and running the malware included in the CHM. This combination - malicious CHM file, social engineering and DLL sideloading - is a known but effective recipe when victims do not mistrust apparently legitimate content. To better understand what CHM files are and why they are an attractive vector, there is explanatory material in the public documentation about Compiled HTML Help: Compiled HTML Help (Wikipedia).


The DLL in this campaign, identified by researchers as "dnx.onecore.dll", is an evolved version of LOTUSLITE. It communicates over HTTPS with a control server that uses dynamic DNS to hide its infrastructure (the domains identified by Acronis include those used during the operation). The backdoor offers capabilities that go beyond simple remote commands: it provides a remote shell, file operations and session management, which points to sustained information collection over time rather than direct fraud. Using HTTPS channels for command-and-control traffic is a common technique for hiding malicious telemetry inside encrypted traffic; the technical classification of these tactics is catalogued in repositories such as MITRE ATT&CK (T1071 - Application Layer Protocol).

The background of the actor behind LOTUSLITE suggests attribution, with medium confidence, to a group associated with China, known in the cybersecurity community as Mustang Panda. This group had already been linked to campaigns directed against government and foreign policy entities, using lures related to geopolitical tensions. On this occasion, the novelty is the geographical and sectoral shift: the campaign keeps much of its operational "playbook" but focuses mainly on the Indian banking sector, including references to institutions such as HDFC Bank to increase the credibility of the lures. For a general overview of this actor and its history, the public entry on Mustang Panda offers additional context: Mustang Panda (Wikipedia).

In addition to the focus on India, analysts have found signs of similar samples and lures aimed at South Korea, particularly at political and diplomatic personnel on the Korean peninsula. According to the researchers, the attackers have also tried to impersonate relevant figures in this area, sending lures through forged Gmail accounts and hosting material on Google Drive to make it look legitimate and ease delivery. This combination - advanced social engineering, impersonation and reliance on trusted platforms - increases the likelihood that a recipient will download or run malicious content.

A striking aspect of the report is that the authors continue to invest in improving the malware: the new variant shows "incremental improvements" over previous versions, which indicates active maintenance. This is not anecdotal: when an operator fixes bugs, adds capabilities or refines its C2 infrastructure, its campaign becomes more dangerous and harder to detect. For managers and security officers, recognising that the threat is evolving is as important as detecting the current campaign.


What practical measures should be prioritised against such threats? The first barrier is user caution with unexpected attachments and links: CHM files are not a type of file that should normally arrive by e-mail, and any dialog that asks permission to run something should raise alarms. At the technical level, organisations should control binary execution from untrusted locations, apply policies that restrict DLL sideloading, and monitor encrypted outbound connections to unusual domains and services. It is also essential to apply network segmentation and the principle of least privilege to limit the reach of any component that does get deployed. Microsoft and other vendors have documented "DLL search order hijacking" techniques and mitigations that help in understanding this kind of risk: DLL search order hijacking (Wikipedia).

Finally, early detection depends on endpoint solutions able to identify suspicious behaviour, good e-mail hygiene (spoofing filters and phishing protection), segmentation of cloud storage environments and continuous review of indicators of compromise. Specialised publications and advisories from incident response teams provide detection and remediation guidance that should be reviewed regularly. Staying informed through reliable sources and sharing observables with the community helps reduce the window of exposure to well-funded, state-sponsored campaigns.
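As an added illustration of the behavioural checks recommended in the two paragraphs above (not code from the Acronis report), the script below applies three rules to constructed Sysmon-style events: the CHM viewer spawning a script host, a DLL sideloaded from a user-writable folder, and HTTPS to a dynamic-DNS host. The sample events, hostnames, the hh.exe/script-host pairing and the DDNS suffix list are assumptions for the demo, not indicators from the campaign.

```python
import json
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon-style events (not real telemetry) replaying the chain
# the article describes, plus two benign events that the rules must ignore.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\hh.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\hh.exe"},
    {"type": "ImageLoad", "image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\dnx.onecore.dll"},
    {"type": "NetworkConnect", "image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "dest_host": "bank-update-portal.ddns.net", "dest_port": 443},   # constructed host
    {"type": "ImageLoad", "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\ntdll.dll"},              # benign
    {"type": "NetworkConnect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},             # benign
]

# Assumptions: hh.exe is the Windows CHM viewer; these interpreters are the child processes
# worth alerting on; the suffix list is a starting point to extend from your own intel.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")


def _name(path):
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Return one finding (event index + rule) per event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "ProcessCreate" and _name(ev["parent_image"]) == "hh.exe" \
                and _name(ev["image"]) in SCRIPT_HOSTS:
            findings.append({"event": i, "rule": "chm_viewer_spawned_script_host"})
        elif kind == "ImageLoad":
            dll = ev["image_loaded"]
            # Sideloading candidate: DLL resolved from the EXE's own folder, and that folder
            # is outside Windows / Program Files (i.e. user-writable).
            if dll.lower().endswith(".dll") and not dll.lower().startswith(TRUSTED_DIRS) \
                    and PureWindowsPath(dll).parent == PureWindowsPath(ev["image"]).parent:
                findings.append({"event": i, "rule": "dll_sideload_from_user_dir"})
        elif kind == "NetworkConnect" and ev["dest_port"] == 443 \
                and ev["dest_host"].lower().endswith(DDNS_SUFFIXES):
            findings.append({"event": i, "rule": "https_to_dynamic_dns_host"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Each rule alone is noisy in a real estate; the value comes from correlating all three on one host within a short window.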

In short, the emergence of an updated version of LOTUSLITE focused on the Indian banking sector, with offshoots toward South Korea, highlights three realities: persistent actors maintain and refine their tools; social engineering remains the main lever for getting in the door; and defence requires combining user training, technical controls and constant monitoring. For those who manage security in organisations with interests in the region or in diplomatic circles, the recommendation is to review file-type blocking settings (such as CHM), strengthen DLL execution policies and escalate any unusual outbound traffic to analysis centres for correlation.
