A state-linked threat group has been caught running a quiet but carefully planned espionage operation against India’s banking sector, using a trusted Microsoft-signed file to slip malware past security defenses.
The campaign delivers a new version of the LOTUSLITE backdoor through a technique known as DLL sideloading, which exploits the trust that operating systems place in legitimate executables.
Instead of loud, disruptive methods, the threat actor moved slowly, blending malicious activity into normal system behavior.
The attack begins with a ZIP archive themed around India’s banking and financial sector. Inside the archive sits a legitimate Microsoft executable called Microsoft_DNX.exe, a real developer tool that was once part of the older ASP.NET Core ecosystem.
Tucked alongside it is a malicious DLL designed to load the moment that executable runs. Because the binary loads the DLL by name without checking its authenticity or a full file path, the attacker simply places a crafted DLL with a matching filename in the same folder.
When the user runs the executable, Windows picks up the malicious DLL without question, treating it as part of a trusted application.
Acronis Threat Research Unit (TRU) analysts identified this new LOTUSLITE variant during active monitoring of malware campaigns tied to geopolitical developments in the West Asian region.
Researchers noted that the implant carried clear thematic ties to India’s banking institutions, with activity observed around March this year.
The TRU team flagged the use of a Microsoft-signed executable as a deliberate tactic to bypass standard endpoint checks, since most security products extend implicit trust to Microsoft-signed files and rarely raise alerts based on their execution alone.
Once installed, the LOTUSLITE backdoor connects to a dynamic DNS-based command-and-control (C2) server over HTTPS, making its traffic look like routine encrypted web communication.
The implant supports remote shell access, file operations, and session management, giving the attacker a persistent foothold on the compromised machine.
The backdoor’s design strongly points to espionage-driven objectives, since it is built to gather information and maintain long-term access rather than cause visible disruption.
Attribution to the Mustang Panda activity cluster, a China-linked advanced persistent threat (APT) group, is assessed with moderate confidence based on shared infrastructure patterns and operational behaviors documented by the TRU team.
The broader campaign connects to parallel activity targeting Korea-related geopolitical circles.
Researchers found the same LOTUSLITE infrastructure used in campaigns referencing Korean policy and diplomatic communities, suggesting the threat actor operates across multiple fronts using the same core toolset while swapping lure material to match each target audience.
This pattern aligns with Mustang Panda’s habit of reusing established delivery methods while adapting only the surface-level content.
DLL Sideloading: The Core Infection Mechanism
The infection mechanism at the heart of this campaign relies entirely on the operating system’s trust in signed software.
When Microsoft_DNX.exe runs, it dynamically loads the LOTUSLITE DLL at runtime, resolving the export function DnxMain, which transfers execution directly into the attacker-controlled code.
Attack chain (Source – Acronis)
The executable was chosen specifically because Windows recognizes it as signed, meaning security products are unlikely to flag it.
Since it loads the DLL by filename alone without a full path check, the attacker only needs to place the malicious file in the same directory to guarantee it gets loaded.
DLL sideloading into a signed executable (Source – Acronis)
This execution chain shows how the signed binary serves as the launchpad for the malicious payload. This LOTUSLITE variant also shows clear signs of evolution.
The implant uses a different C2 magic value within its network packets compared to prior campaigns, helping it avoid detection rules written against the older signature.
Security teams are advised to monitor for unusual DLL loading patterns from legitimate Microsoft executables and apply application control policies restricting DLL loading to verified file paths.
Any signed executable loading unverified DLLs from user-writable directories should be treated as suspicious, and endpoint detection tools focused on behavioral signals rather than file reputation alone remain the most effective defense against this style of attack.
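As an added example, not code from the article or from Acronis, the following Python sketch applies the guidance above to constructed Sysmon Event ID 7 style image-load records: it flags a Microsoft-signed loader pulling an unverified DLL from a user-writable directory. The LoaderSignature field, the paths and the DLL names are assumptions for illustration.

```python
import re

# Constructed Sysmon Event ID 7 (ImageLoad)-style records; not real telemetry.
# "LoaderSignature" is an assumed field: in practice it is obtained by joining
# the loader's process-create event or running an Authenticode check on Image.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Bank_Circular\Microsoft_DNX.exe",
     "LoaderSignature": "Microsoft Corporation",
     "ImageLoaded": r"C:\Users\alice\Downloads\Bank_Circular\helper.dll",  # constructed
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "LoaderSignature": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "LoaderSignature": "Microsoft Corporation",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\pkg\Microsoft_DNX.exe",
     "LoaderSignature": "Microsoft Corporation",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Directories an ordinary user can write to; a sideloaded DLL has to live somewhere like this.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|programdata\\|temp\\|windows\\temp\\)", re.I)

def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))

def dll_verified(ev: dict) -> bool:
    """A DLL counts as verified only when its signature is present and validated."""
    return ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"

def check_event(ev: dict):
    """Return a finding string for a sideloading-shaped load, or None."""
    if not ev["LoaderSignature"].startswith("Microsoft"):
        return None                     # rule is scoped to Microsoft-signed loaders
    if dll_verified(ev) or not is_user_writable(ev["ImageLoaded"]):
        return None                     # trusted DLL, or not in a user-writable path
    dll_dir = ev["ImageLoaded"].rsplit("\\", 1)[0].lower()
    exe_dir = ev["Image"].rsplit("\\", 1)[0].lower()
    where = " from its own directory" if dll_dir == exe_dir else ""
    return f"{ev['Image']} loaded unverified DLL {ev['ImageLoaded']}{where}"

def find_sideloads(events):
    return [f for f in map(check_event, events) if f]
```

Only the first record is reported: the loader in the Downloads folder pulls an unsigned DLL from its own directory, while the signed system DLLs and the Program Files plugin pass.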
The post Microsoft-Signed Binary Used to Sneak LOTUSLITE Into India-Focused Espionage Campaign appeared first on Cyber Security News.