Same packet, different magic: Hits India's banking sector and Korea geopolitics
Essential information
- Published: 22/04/2026 03:40
- Modified: 22/04/2026 09:00
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: backdoor, chm files, dll sideloading, espionage, india banking, javascript loader, lotuslite, south korea diplomacy
- Tags: 2026-04-22, backdoor, chm files, dll sideloading, espionage, india banking, javascript loader, lotuslite, south korea diplomacy
- Related entities: 10 indicators, 10 observables, 1 intrusion set (APT), 20 techniques (MITRE), 1 malware, 7 others
Description
A new variant of the LOTUSLITE backdoor, version 1.1, has been identified targeting India's banking sector and South Korean diplomatic circles. The backdoor is currently delivered via DLL sideloading, abusing legitimate Microsoft-signed executables; earlier deliveries used CHM files containing malicious JavaScript. It communicates with dynamic-DNS-based command-and-control servers over HTTPS and supports remote shell access, file operations and session management. Code-level analysis shows direct lineage from LOTUSLITE v1.0: identical command structures, shared persistence mechanisms, and residual exports left over from the original codebase. The campaign shows incremental changes rather than a rewrite, including updated magic values, updated API resolution techniques, and a delivery chain that has evolved from CHM files to JavaScript loaders to DLL sideloading. The command-and-control infrastructure, hosted under Dynu Systems, is consistent with that used in previous operations.