Security News

Cybersecurity news aggregator

MEDIUM Attacks Reddit r/netsec

LOTUSLITE: Targeted espionage leveraging geopolitical themes

  • What: A targeted malware campaign dubbed LOTUSLITE is leveraging a politically themed ZIP archive to deliver a backdoor to U.S. government entities.
  • Impact: Compromised systems can be remotely tasked and data exfiltrated, indicating an espionage-focused objective.

Authors: Ilia Dafchev, Subhajeet Singha

Summary

Acronis Threat Research Unit (TRU) observed a targeted malware campaign against U.S. government entities that delivers a politically themed ZIP archive containing a loader executable and a malicious dynamic-link library (DLL). The executable sideloads and executes the DLL, which is the primary backdoor and is tracked as LOTUSLITE. LOTUSLITE is a custom C++ implant that communicates with a hard-coded IP-based command-and-control (C2) server and supports basic remote tasking and data exfiltration, together with a persistence mechanism; this capability set points to espionage rather than financially motivated objectives. The loader shows low development maturity, with minimal error handling and limited defensive evasion, suggesting rapid operational deployment rather than a long-term, well-maintained malware framework.

Infrastructure analysis and execution patterns show moderate-confidence overlap with Mustang Panda tradecraft, including delivery style, loader–DLL separation and infrastructure usage. Attribution is assessed at a behavioral level and does not rely on code reuse alone.

This campaign reflects a continued trend of targeted spear phishing using geopolitical lures, favoring reliable execution techniques such as DLL sideloading over exploit-based initial access. The observed targeting is limited to U.S. government and policy-related entities, indicating a focused victim set. While the overall scale appears limited, the nature of the targets increases the potential strategic impact.

Introduction

TRU has been monitoring malware campaigns and threat activity that use recent geopolitical developments between the United States and Venezuela as thematic lures. During this tracking, TRU identified a targeted campaign delivering a previously undocumented DLL-based backdoor, tracked as LOTUSLITE, aimed at U.S. government-related entities. The activity stood out for its politically themed lure material packaged within a ZIP archive and a simple execution chain consisting of a loader executable and a malicious DLL. These observations prompted further analysis of the purpose of the tooling, the relationship between its components and the infrastructure used to operate the backdoor.

This report documents the delivery mechanism, execution flow and command-and-control behavior associated with LOTUSLITE, and examines how the activity aligns with broader espionage-oriented threat trends. While the malware itself is of limited technical sophistication, its selective targeting and contextual lure usage indicate deliberate victim selection. TRU outlines the analytical basis for attributing this activity to Mustang Panda with moderate confidence, based primarily on observed infrastructure overlaps, deployment patterns and operational characteristics consistent with previously documented campaigns. The report details the indicators and behaviors that informed this assessment, giving defenders context for how such overlaps can support attribution without relying on code-level similarities alone.

Background and context

Mustang Panda is a long-running, state-aligned espionage actor known for aligning its operations with current geopolitical developments. The group has consistently used themes tied to international conferences, bilateral engagements and region-specific political events to support targeted intrusions against government and policy-related entities. Operationally, Mustang Panda favors medium-complexity, repeatable execution techniques, most notably extensive use of DLL sideloading to deploy custom implants via benign or trusted executables. The group has also repeatedly reused infrastructure and tooling, which lets analysts cluster activity and assess attribution even in the absence of direct malware code reuse. The campaign examined in this report reflects these established behaviors and introduces a newly observed backdoor, providing context for the analytical conclusions presented in subsequent sections.

Technical details

Initial analysis and delivery mechanism

Our investigation began after identifying a spear-phishing archive named "US now deciding what’s next for Venezuela.zip" that was uploaded for automated malware analysis from an IP address geolocated in the United States. The archive contained a legitimate executable and a hidden, nonstandard DLL, a combination frequently associated with Mustang Panda tradecraft. Executing the binary caused the DLL to be loaded through sideloading, enabling covert execution of the malicious code. The activity stood out because of the politically themed archive name and the minimalistic execution chain, which aligns with the p...
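The delivery layout described above (a ZIP carrying a legitimate executable next to a hidden DLL that the executable sideloads) can be triaged before anything is detonated. The following Python script is an added example and is not code from Acronis TRU or the original article. It reads the MS-DOS attribute byte that ZIP entries carry in `external_attr`, pairs every EXE with the DLLs stored in the same archive directory (where DLL search order would pick them up), and flags pairs whose DLL is marked hidden. The archive it builds, the file names `report/viewer.exe` and `report/helper.dll`, and the placeholder file contents are all constructed for the example; no indicator from the campaign is used.

```python
"""Triage a ZIP archive for the loader-EXE + hidden-DLL sideloading layout.

Added example: the archive contents and names below are constructed for
illustration and are not indicators from the LOTUSLITE campaign.
"""
import io
import zipfile
from dataclasses import dataclass
from posixpath import dirname

# MS-DOS attribute bits stored in the low byte of a ZIP entry's external_attr
# when the entry was written by a Windows/FAT-style tool (create_system == 0).
DOS_HIDDEN = 0x02
DOS_ARCHIVE = 0x20


@dataclass(frozen=True)
class SideloadCandidate:
    executable: str   # archive path of the EXE that could act as the loader
    dll: str          # archive path of the DLL stored beside it
    dll_hidden: bool  # True when the DLL entry carries the DOS hidden attribute


def dos_attributes(info: zipfile.ZipInfo) -> int:
    """Return the MS-DOS attribute byte recorded for a ZIP entry."""
    return info.external_attr & 0xFF


def find_sideload_candidates(archive: bytes) -> list[SideloadCandidate]:
    """Pair every .exe with every .dll stored in the same archive directory.

    A loader EXE and its sideloaded DLL must land in the same folder for the
    DLL search order to resolve the DLL from the application directory, so
    same-directory pairs are the unit of interest; directory entries and
    other file types are ignored.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]

    exes: dict[str, list[zipfile.ZipInfo]] = {}
    dlls: dict[str, list[zipfile.ZipInfo]] = {}
    for info in entries:
        folder = dirname(info.filename)
        lowered = info.filename.lower()
        if lowered.endswith(".exe"):
            exes.setdefault(folder, []).append(info)
        elif lowered.endswith(".dll"):
            dlls.setdefault(folder, []).append(info)

    candidates = []
    for folder, folder_exes in exes.items():
        for exe in folder_exes:
            for dll in dlls.get(folder, []):
                hidden = bool(dos_attributes(dll) & DOS_HIDDEN)
                candidates.append(SideloadCandidate(exe.filename, dll.filename, hidden))
    return candidates


def triage(archive: bytes) -> str:
    """Classify an archive by the strongest sideloading signal it contains."""
    candidates = find_sideload_candidates(archive)
    if any(c.dll_hidden for c in candidates):
        return "suspicious: hidden DLL beside executable"
    if candidates:
        return "review: executable and DLL share a directory"
    return "no sideload pair"


def build_sample_archive(hidden_dll: bool = True, include_dll: bool = True) -> bytes:
    """Construct an in-memory ZIP mimicking the loader + hidden DLL layout.

    Names and contents are made up for the example; the payloads are
    placeholder bytes rather than real PE images, because only the archive
    layout and entry attributes matter to the triage logic above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report/viewer.exe", b"MZ" + b"\x00" * 62)
        if include_dll:
            dll = zipfile.ZipInfo("report/helper.dll")
            dll.create_system = 0  # mark the entry as written on a FAT/Windows system
            dll.external_attr = DOS_ARCHIVE | (DOS_HIDDEN if hidden_dll else 0)
            zf.writestr(dll, b"MZ" + b"\x00" * 62)
        zf.writestr("report/decoy.pdf", b"%PDF-1.4 decoy")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for candidate in find_sideload_candidates(sample):
        print(candidate)
    print(triage(sample))
```

Two caveats when using this on real submissions. Archives produced on Unix hosts may not carry DOS attributes at all (the low byte is then typically zero), so the hidden flag is a positive signal rather than a precondition and the plain same-directory pair is still worth a review. The script also does not parse the EXE's import table, so it cannot tell whether the executable actually imports the co-located DLL by name; that check belongs in the next triage step.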
