Symantec and Zscaler detailed Mistic, a stealthy new Windows backdoor used in intrusions since April and tied to KongTuke, an initial access broker that sells footholds to ransomware crews including Qilin, Akira, and Rhysida. Mistic is side-loaded through a legitimate Microsoft executable and a malicious DLL named to mimic endpoint-security software, runs payloads only in memory with nothing written to disk, and includes a self-delete kill switch, all aimed at long-term, low-visibility access. It is delivered through social-engineering lures such as fake CAPTCHAs and Microsoft Teams help-desk pretexts that trick users into running PowerShell commands. Defenders should watch for the unusual DLL side-loading pattern.
Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file - a legacy Microsoft help-file format that can embed executables and scripts - containing a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and runs the DLL side-loading chain (trusted EXE loads attacker-supplied DLL) using dnx.onecore.dll as the malicious payload. The backdoor talks HTTPS to editor.gleeze[.]com over dynamic DNS, with remote shell access, file operations, and session management - a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.