Chinese APT Mustang Panda's new LOTUSLITE variant hits Indian banks and South Korean policy circles via CHM lures

Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file - a legacy Microsoft help-file format that can embed executables and scripts - containing a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and runs the DLL side-loading chain (trusted EXE loads attacker-supplied DLL) using dnx.onecore.dll as the malicious payload. The backdoor talks HTTPS to editor.gleeze[.]com over dynamic DNS, with remote shell access, file operations, and session management - a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.

Check

Block CHM file delivery through email and web download gateways, hunt for any instance of dnx.onecore.dll on the disk, and alert on DNS resolutions to cosmosmusic[.]com or editor.gleeze[.]com across your network.

Affected

Indian banking, financial services, and corporate employees handling HDFC Bank relationships (target set includes anyone social-engineered with banking-software lures). South Korean policy, diplomatic, think-tank, and government staff working on Korean-peninsula affairs, North Korea policy, or Indo-Pacific security dialogues. Any organisation where users can still open CHM files by default - Windows does not block them.

Fix

Add a mail-transport-agent rule blocking .chm attachments outright. Block CHM execution on endpoints via AppLocker or WDAC application-control policies. Enforce DNS filtering with sinkholes for cosmosmusic[.]com and editor.gleeze[.]com and monitor for similar dynamic-DNS patterns resolving from workstations that never used them before. Run EDR hunts for hh.exe (the CHM viewer) spawning script interpreters or unusual DLL loads, and specifically for dnx.onecore.dll. Provide targeted phishing-awareness training to India-based banking staff and any employees on Korean-peninsula policy briefs, including the specific lure patterns (HDFC Bank pop-ups, spoofed Gmail from named policy figures).