{
  "name": "Targeted espionage leveraging geopolitical themes",
  "slug": "targeted-espionage-leveraging-geopolitical-themes",
  "description": "A targeted malware campaign against U.S. government entities has been observed, utilizing a politically themed ZIP archive containing a loader executable and a malicious DLL. The DLL functions as a backdoor named LOTUSLITE, communicating with a hard-coded command-and-control server. The campaign demonstrates minimal technical sophistication but shows deliberate victim selection and use of geopolitical lures. Attribution analysis suggests moderate-confidence overlap with Mustang Panda tradecraft, including delivery style, loader-DLL separation, and infrastructure usage. The backdoor supports basic remote tasking and data exfiltration, indicating an espionage-focused capability. This activity reflects a trend of targeted spear phishing using geopolitical themes and reliable execution techniques like DLL sideloading.",
  "published": "2026-01-15T11:03:35+00:00",
  "created_at": "2026-01-15T11:03:35+00:00",
  "modified_at": "2026-01-19T08:30:35+00:00",
  "created_at_opencti": "2026-01-15T11:03:35+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-15",
    "backdoor",
    "dll sideloading",
    "espionage",
    "geopolitical lures",
    "lotuslite",
    "u.s. government",
    "venezuela"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "172.81.60.87"
      },
      {
        "id": "",
        "name": "172.81.60.97"
      },
      {
        "id": "",
        "name": "2c34b47ee7d271326cfff9701377277b05ec4654753b31c89be622e80d225250"
      },
      {
        "id": "",
        "name": "819f586ca65395bdd191a21e9b4f3281159f9826e4de0e908277518dba809e5b"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:6d14f034bb4a2b69",
        "name": "LOTUSLITE",
        "slug": "lotuslite"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d84a7548-8d06-45c7-80bf-46911d6e40c0",
        "name": "Mustang Panda",
        "slug": "mustang-panda"
      }
    ],
    "attack_patterns": [
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Venezuela, Bolivarian Republic of"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Government and administrations"
      },
      {
        "id": "",
        "name": "unassigned.172-81-60-97.spryt.net"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6968d7976784ef21a6276d75",
    "https://www.acronis.com/en/tru/posts/lotuslite-targeted-espionage-leveraging-geopolitical-themes"
  ]
}