Mustang Panda Uses Venezuela News to Spread LOTUSLITE Malware

Researchers have found a new spying campaign using news about Venezuela to trick US government officials. Learn how the LOTUSLITE virus sneaks into computers to steal secrets.

HackRead

Cybersecurity researchers at Acronis Threat Research Unit (TRU) have found that hackers are using news headlines to spy on US government groups. Instead of using complex exploits, these attackers are relying on a much simpler trick: curiosity about current events.

Report authors Ilia Dafchev and Subhajeet Singha explained that the campaign uses the ongoing political tension between the US and Venezuela as bait. The trap starts with a file called “US now deciding what’s next for Venezuela.zip”, a classic move: use a big news story to get a government official to click before they think.

The Backdoor Strategy

The technical side of the attack is based on a sneaky move called DLL sideloading, in which a legitimate-looking program is made to load a malicious library placed next to it. In this particular campaign, they used a renamed music player from a company called Tencent, naming it “Maduro to be taken to New York.exe.”

The spear-phishing archive “US now deciding what’s next for Venezuela.zip” and the malicious files are clearly visible (Source: Acronis)

When someone runs that music player, it loads a hidden, malicious file called kugou.dll that sits alongside it. This file is a backdoor that researchers have named LOTUSLITE. Once it is active, the hackers obtain a secret way in, allowing them to steal files, watch the screen, or run commands as if they were sitting at the desk.

The malware even tries to stay invisible by pretending to be Googlebot, the crawler Google uses to index the web. It sends stolen information to a computer at the IP address 172.81.60.97 in Phoenix, Arizona.
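As an added defender-side example (not from the Acronis report or the HackRead article), the following Python script scans constructed proxy log lines for the two signals described above: an outbound request from an internal workstation that claims to be Googlebot, and traffic to the published command-and-control address. The log format and the internal address ranges are assumptions; adjust them to your own proxy.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed sample proxy log (not from the report):
# timestamp client_ip dest_ip method url status "user_agent"
SAMPLE_LOG = """\
2025-01-10T09:12:01Z 10.20.4.17 172.81.60.97 POST http://172.81.60.97/upload 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2025-01-10T09:12:05Z 10.20.4.18 142.250.80.46 GET https://www.google.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2025-01-10T09:13:40Z 10.20.4.22 93.184.216.34 GET http://example.com/ 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Assumed log layout: seven space-separated fields, user agent quoted last.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Command-and-control address named in the Acronis report summarised above.
KNOWN_C2 = {"172.81.60.97"}

# Assumed internal address space (RFC 1918); adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text: str) -> list[dict]:
    """Return one finding per suspicious line, listing the reasons it matched."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, dest, _method, _url, _status, ua = m.groups()
        reasons = []
        # Googlebot is Google's inbound crawler; its User-Agent has no business
        # appearing on outbound traffic from an internal workstation.
        if is_internal(client) and "googlebot" in ua.lower():
            reasons.append("googlebot-ua-from-internal-host")
        if dest in KNOWN_C2:
            reasons.append("known-c2-destination")
        if reasons:
            findings.append({"line": lineno, "client": client, "dest": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Line 1 of the sample matches both rules, line 3 only the User-Agent rule, and the ordinary Chrome request on line 2 is not reported.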

Clues Leading to Mustang Panda

In their report, the researchers noted that the hackers left some odd clues behind: the code contained hidden messages in which the author claimed to be Chinese and specifically said they were not Russian. “The loader demonstrates low development maturity,” the team noted, which suggests the hackers were in a rush to get the attack out while the news was still fresh.

Based on these patterns, the Acronis team believes with “moderate confidence” that the China-backed hacking group Mustang Panda (aka HoneyMyte) is responsible, a group well known for using breaking news to launch quick spying missions.

The goal here is clearly espionage, involving gathering political and strategic intelligence rather than stealing money. By choosing reliable, simple methods over complex ones, the attackers prioritise getting the job done over being technically fancy.

This approach is common for state-aligned groups that want a steady stream of information, and it shows that even a simple email about the news can be a powerful tool for a spy to peek into government secrets.
