Symbol: win.lotuslite

LOTUSLITE

Actor(s): MUSTANG PANDA


According to Acronis, LOTUSLITE is a custom C++ backdoor delivered via DLL sideloading, where a simple loader executable is used to load a malicious DLL that acts as the primary implant. It establishes persistence through filesystem changes and user-run registry entries, and communicates with a hard-coded command-and-control server over HTTP(S) using the Windows HTTP APIs and a custom binary protocol. The malware supports espionage-focused capabilities including system and user enumeration, spawning an interactive command shell with redirected I/O, directory listing, and file read/write operations. Its code shows relatively low development maturity and limited evasive features, emphasizing rapid deployment and operational reliability over sophisticated stealth.

References
2026-05-13, 0x3oBAD, Abdullah Islam
MustangPanda New Backdoor LotusLite [LOTUSLITE]

2026-04-22, Secure Blink, Secure Blink
Mustang Panda Strikes India and South Korea with Updated LOTUSLITE Backdoor in Espionage Campaign [LOTUSLITE]

2026-01-15, Acronis, Ilia Dafchev, Subhajeet Singha
LOTUSLITE: Targeted espionage leveraging geopolitical themes [LOTUSLITE]

There is no Yara-Signature yet.