Security researchers have disclosed a new campaign that uses politically themed lures to deliver a backdoor known as LOTUSLITE to U.S. government and policy entities. The campaign distributes a ZIP archive ("US now deciding what's next for Venezuela.zip") containing a malicious DLL that is launched via DLL side-loading, with decoy content drawn from recent geopolitical developments between the United States and Venezuela. Whether the campaign succeeded in compromising any of its targets is unknown.

Citing overlaps in tactics and infrastructure, the activity has been attributed with moderate confidence to a Chinese state-sponsored group called Mustang Panda (also known as Earth Preta, HoneyMyte, and Twill Typhoon).

The threat actor is well known for relying heavily on DLL side-loading to launch backdoors such as TONESHELL. "This campaign reflects a continued trend of targeted spear phishing using geopolitical lures, favoring reliable execution techniques such as DLL side-loading over exploit-based initial access," Acronis researchers Ilia Dafchev and Subhajeet Singha said in an analysis. The backdoor used in the attack ("kugou.dll") is a custom C++ implant that uses the Windows WinHTTP APIs to connect to a hard-coded command-and-control (C2) server for beaconing, remote tasking through "cmd.exe," and data exfiltration.

The full list of supported commands is as follows: 0x0A to start a remote CMD shell; 0x0B to stop the remote shell; 0x01 to send commands via the remote shell; 0x06 to send commands via the remote shell; 0x03 to reset the beacon state; 0x0D to enumerate files in a folder; 0x0E to create an empty file; 0x0F to append data to a file; and 0x0F to obtain the beacon status. LOTUSLITE can also establish persistence by modifying the Windows Registry so that it runs automatically each time the user logs in. The backdoor "mimics the behavioral shenanigans of Claimloader by embedding provocative messages," according to Acronis.
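The execution chain described above (a DLL named kugou.dll side-loaded from a user-writable directory, followed by the host process spawning cmd.exe for remote tasking) can be turned into a simple detection. The following is an added example, not code from the report or from Acronis; the event format, field names and sample telemetry are constructed for illustration.

```python
"""Flag the side-loading chain described in the report over constructed
Sysmon-style events: a watched DLL loaded from a user-writable path, then
the same process spawning cmd.exe. Field names are an assumption."""
import ntpath

# Path fragments treated as user-writable (assumption for this example)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# DLL name taken from the report; extend with other side-loaded names
SIDELOAD_DLLS = {"kugou.dll"}


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_sideload_chains(events):
    """Return (parent_pid, dll_path, command_line) for every process that
    loaded a watched DLL from a user-writable directory and later spawned
    cmd.exe. A copy under Program Files is ignored as a benign install."""
    suspicious = {}  # pid -> path of the side-loaded DLL
    hits = []
    for ev in events:
        if ev["type"] == "ImageLoad":
            name = ntpath.basename(ev["image"]).lower()
            if name in SIDELOAD_DLLS and is_user_writable(ev["image"]):
                suspicious[ev["pid"]] = ev["image"]
        elif ev["type"] == "ProcessCreate":
            child = ntpath.basename(ev["image"]).lower()
            parent = ev["parent_pid"]
            if child == "cmd.exe" and parent in suspicious:
                hits.append((parent, suspicious[parent], ev["command_line"]))
    return hits


# Constructed sample telemetry (not from the report): pid 4120 matches the
# chain, pid 5001 loads a same-named DLL from a vendor directory and does not.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\extracted\kugou.dll"},
    {"type": "ImageLoad", "pid": 5001,
     "image": r"C:\Program Files\Vendor\kugou.dll"},
    {"type": "ProcessCreate", "pid": 4188, "parent_pid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"type": "ProcessCreate", "pid": 5050, "parent_pid": 5001,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c ver"},
]

if __name__ == "__main__":
    for pid, dll, cmd in find_sideload_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {dll} -> {cmd}")
```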

Claimloader is a DLL, itself loaded via DLL side-loading, that is used to launch PUBLOAD, another Mustang Panda tool.

IBM X-Force first documented the malware in June 2025 as part of a cyberespionage operation targeting the Tibetan community. "This campaign demonstrates how simple and well-tested techniques can still be effective when paired with targeted delivery and relevant geopolitical lures," the Singaporean cybersecurity firm concluded. "Although the LOTUSLITE backdoor lacks sophisticated evasion features, its use of DLL sideloading, dependable execution flow, and basic command-and-control functionality reflects a focus on operational dependability rather than sophistication."

The disclosure coincides with the New York Times' publication of details about an alleged cyberattack carried out by the United States to briefly cut off most Caracas residents' access to electricity ahead of the military operation on January 3, 2026, which resulted in the capture of Venezuelan President Nicolás Maduro. "Turning off the power in Caracas and interfering with radar allowed US military helicopters to move into the country undetected on their mission to capture Nicolás Maduro, the Venezuelan president who has now been brought to the United States to face drug charges," the Times reported. "While some neighborhoods close to the military base where Mr. Maduro was taken were left without power for up to 36 hours, the majority of Caracas residents only lost power for a few minutes as a result of the attack."