LOTUSLITE Backdoor Targets U.S. Policy Entities Using Venezuela-Themed Spear Phishing

Parkinsond

Thread author
Dec 6, 2023
The targeted malware campaign leverages decoys related to the recent geopolitical developments between the U.S. and Venezuela to distribute a ZIP archive ("US now deciding what's next for Venezuela.zip") containing a malicious DLL that's launched using DLL side-loading techniques.


"This campaign demonstrates how simple and well-tested techniques can still be effective when paired with targeted delivery and relevant geopolitical lures," the Singaporean cybersecurity company concluded. "Although the LOTUSLITE backdoor lacks advanced evasion features, its use of DLL sideloading, reliable execution flow, and basic command-and-control functionality reflects a focus on operational dependability rather than sophistication."

 
Malware
LOTUSLITE Backdoor

Type
Bespoke C++ implant.

Communications
Uses Windows WinHTTP APIs to communicate with a hard-coded Command and Control (C2) server.

Persistence
Achieved via Windows Registry modifications to ensure execution upon user login.

Evasion
Lacks advanced evasion features, relying instead on the "operational dependability" of DLL side-loading. It mimics the behavior of "Claimloader" (used to deploy PUBLOAD) by embedding provocative messages.

C2 Capabilities & Command Structure
The backdoor supports a specific set of hex commands for remote control and exfiltration:
  • 0x0A: Initiate remote CMD shell
  • 0x0B: Terminate remote shell
  • 0x01: Send commands via remote shell
  • 0x06: Reset beacon state
  • 0x03: Enumerate files in a folder
  • 0x0D: Create an empty file
  • 0x0E: Append data to a file
  • 0x0F: Get beacon status

Recommendations


Hunt for Indicators
  • Search endpoints for the presence of kugou.dll in non-standard directories (e.g., user Downloads or Temp).
  • Scan for the specific file name: US now deciding what's next for Venezuela.zip.
  • Review Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) for unauthorized entries pointing to suspicious DLL loaders.
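The three hunt items above can be run as one triage pass. The script below is an added example, not code from the Acronis report or from this thread: it takes only the two file names and the Run key path from the post; the directories searched, the RunOnce key, the Authenticode check and the regular expression used to flag a "suspicious" Run value are assumptions for this example and should be tuned to the environment.

```powershell
function Find-LotusLiteIndicators {
    # Indicators named in the post. Everything else here is an assumption for this example.
    $DllName = 'kugou.dll'
    $ZipName = "US now deciding what's next for Venezuela.zip"

    # User-writable places where a side-loaded DLL or the lure archive would land.
    $SearchRoots = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    $RunKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # A Run value that invokes a DLL loader or points into a user-writable folder deserves review.
    $SuspiciousValue = '(?i)(rundll32|regsvr32|\.dll\b|\\AppData\\|\\Temp\\|\\Downloads\\|\\Public\\)'

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. File indicators: the side-loaded DLL and the lure archive in non-standard directories.
    foreach ($root in $SearchRoots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq $DllName -or $_.Name -ieq $ZipName } |
            ForEach-Object {
                $file = $_
                # Side-loading needs a legitimate EXE beside the DLL, so record the neighbours
                # and whether they carry a valid Authenticode signature.
                $exes = Get-ChildItem -LiteralPath $file.DirectoryName -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
                $exeInfo = foreach ($exe in $exes) {
                    $status = (Get-AuthenticodeSignature -LiteralPath $exe.FullName).Status
                    "$($exe.Name) [$status]"
                }
                $findings.Add([pscustomobject]@{
                    Kind    = 'File'
                    Where   = $file.FullName
                    Created = $file.CreationTimeUtc
                    Detail  = 'EXEs in same folder: ' + ($exeInfo -join ', ')
                })
            }
    }

    # 2. Persistence: HKCU Run/RunOnce values that point at a DLL loader or a user-writable path.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $value = [string]$regKey.GetValue($name)
            if ($value -match $SuspiciousValue) {
                $findings.Add([pscustomobject]@{
                    Kind    = 'RunKey'
                    Where   = "$key\$name"
                    Created = $null
                    Detail  = $value
                })
            }
        }
    }
    return $findings
}

Find-LotusLiteIndicators | Format-Table -AutoSize
```

Run it in an elevated or the affected user's session; the Run key hits are per-user (HKCU), so a machine with several profiles needs the pass repeated for each loaded hive. An empty result does not clear the host, it only means these specific names and heuristics did not match.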
Network Blocking
  • While specific IPs were not in the provided text, monitor for anomalous WinHTTP traffic or beaconing behavior consistent with the commands listed above (e.g., repetitive small packets for status 0x0F or larger flows for data appending 0x0E).
Attack Surface Reduction
  • Restrict the execution of binaries and DLLs from %TEMP% and %APPDATA% locations using AppLocker or WDAC.
  • Monitor for "Image Load" events (Sysmon Event ID 7) where signed binaries load unsigned DLLs from the same directory.
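The Sysmon Event ID 7 check is easy to state and easy to get wrong, because the event's Signed/SignatureStatus fields describe the DLL being loaded, not the process loading it. The query below is an added example, not code from the report or the thread: it reads Image Load events from the Sysmon operational log, keeps only unsigned DLLs loaded from the same directory as the loading EXE, and then verifies the EXE's own Authenticode status so that the "signed host loads unsigned neighbour" pairing is actually tested. The trusted-root allow list and the event count are assumptions.

```powershell
function Get-SuspiciousSideLoads {
    param([int]$MaxEvents = 5000)

    # Loads from these roots are skipped; the allow list is an assumption, tune it per environment.
    $TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
        Where-Object { $_.Length -gt 1 }

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
    } -MaxEvents $MaxEvents -ErrorAction Stop

    $sigCache = @{}   # Authenticode result per host EXE, checked once rather than per event

    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image  = $data['Image']
        $loaded = $data['ImageLoaded']
        if (-not $image -or -not $loaded) { continue }

        # Sysmon's "Signed" field refers to the loaded DLL. Keep only unsigned ones.
        if ($data['Signed'] -ne 'false') { continue }

        # Side-loading abuses the search order from the EXE's own folder, so require a directory match.
        if ((Split-Path $image -Parent) -ine (Split-Path $loaded -Parent)) { continue }

        # Skip trusted installation roots.
        $trusted = $TrustedRoots | Where-Object { $loaded.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        if ($trusted) { continue }

        # The pairing is only interesting if the host EXE itself carries a valid signature.
        if (-not $sigCache.ContainsKey($image)) {
            $sigCache[$image] = (Test-Path -LiteralPath $image) -and
                ((Get-AuthenticodeSignature -LiteralPath $image).Status -eq 'Valid')
        }
        if (-not $sigCache[$image]) { continue }

        [pscustomobject]@{
            Time      = $data['UtcTime']
            HostExe   = $image
            LoadedDll = $loaded
            User      = $data['User']
            Hashes    = $data['Hashes']
            NamedIoc  = ($loaded -like '*\kugou.dll')   # file name from the post
        }
    }
}

Get-SuspiciousSideLoads | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the host EXE is checked on disk at query time, a binary that has since been deleted shows up as not signed and is dropped; when hunting after clean-up, relax that step and review the remaining same-directory unsigned loads by hand. Signed EXEs that legitimately ship unsigned DLLs outside Program Files will appear as well, which is what the allow list is for.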

References


Primary Source
Acronis Threat Research (Researchers Ilia Dafchev and Subhajeet Singha).

Related Threat Intel
IBM X-Force (June 2025) regarding "Claimloader" and "PUBLOAD".

Context
The Hacker News
 
It doesn't require advanced evasion techniques; the malware is aimed at MAGA.
 
While the threat actors certainly chose their lures based on political demographics, the technical reality of the compromise remains the same.

Regardless of the target's affiliation, an infected machine is a foothold that can be used for lateral movement or botnet activity. This guide focuses purely on remediation and IOCs because once the DLL side-loading executes, the politics don't matter, only the persistence mechanism and the exfiltration do.

My goal here is to ensure anyone dealing with the aftermath has the clean-up steps, irrespective of how "simple" the entry vector was.
 
Sometimes the simplest methods (entries) are the best ones, especially into organizations that think they know better. Security is so focused on clever methods and procedures that it doesn't see an obvious miscreant walking right through the front door.
 
You're absolutely right that simple entry vectors (like social engineering) often bypass the most expensive "advanced" perimeters.

However, that is exactly why this remediation guide is necessary.

When the "front door" is left open, whether through lack of awareness or clever phishing, prevention has already failed. At that point, the complexity of the entry doesn't matter anymore; we are in a post-compromise scenario.

This guide assumes the "miscreant" is already inside. The focus here is not on how they got in (which, as you noted, was simple), but on detecting the persistence they left behind and evicting them before they pivot further.
 