Security researchers have disclosed a targeted cyber-espionage campaign that used politically themed spear-phishing emails to target U.S. government and policy-related organizations with a previously undocumented backdoor known as LOTUSLITE. The activity leveraged lures tied to recent geopolitical developments involving the United States and Venezuela.

The phishing emails delivered a ZIP archive titled “US now deciding what’s next for Venezuela.zip,” which contained a malicious DLL executed via DLL side-loading. At this time, it is unclear whether any of the intended targets were successfully compromised.

The campaign has been attributed with moderate confidence to Mustang Panda, a China-linked threat actor also known as Earth Preta, HoneyMyte, and Twill Typhoon. The attribution is based on overlaps in infrastructure and tradecraft, including the group’s long-standing reliance on DLL side-loading to deploy its malware.

LOTUSLITE is a custom C++ backdoor that communicates with a hard-coded command-and-control server using Windows WinHTTP APIs. It supports remote command execution via cmd.exe, file enumeration and manipulation, beacon management, and data exfiltration. The malware also establishes persistence through Windows Registry modifications to ensure execution at user logon.

Researchers from Acronis noted that LOTUSLITE shares behavioral similarities with Claimloader, a DLL-based loader previously linked to Mustang Panda and used to deploy the PUBLOAD backdoor. Claimloader was first documented by IBM X-Force in 2025 during espionage campaigns targeting the Tibetan community.

The disclosure follows reports by The New York Times describing a purported U.S. cyber operation that briefly disrupted electricity in Caracas ahead of a January 3, 2026, military mission that resulted in the capture of Venezuelan President Nicolás Maduro. While unrelated, the timing highlights how geopolitical events are rapidly reflected in cyber-espionage operations and phishing narratives.

Stay alert, and keep your security measures updated!
Source: cybersecurity88
