Signed, Sealed, Infiltrated: How Hackers Hijacked Microsoft Tools to Breach India’s Banks
Subtitle: A China-linked espionage group is using trusted Microsoft-signed software to deliver a stealthy backdoor targeting India’s financial sector.
Picture this: a routine IT support ticket arrives in an Indian bank’s inbox. It looks legitimate, urgent even. But when an employee opens the attached file, they unwittingly invite a sophisticated backdoor, disguised as a trusted Microsoft program, directly onto the company’s network. This isn’t just a hypothetical. It’s the playbook of a newly uncovered cyber espionage campaign, and it’s rewriting the rules of digital trust and deception in India’s banking sector.
Fast Facts
- Attackers are abusing a Microsoft-signed binary to deploy the LOTUSLITE v1.1 backdoor in Indian banks.
- The operation is linked with moderate confidence to the China-based Mustang Panda espionage group.
- The attack chain begins with spear-phishing emails disguised as IT support tickets using CHM files.
- DLL sideloading lets the malware execute under the cover of a trusted Microsoft signature.
- LOTUSLITE’s codebase now specifically references Indian financial institutions and evades static detection.
Inside the Attack: From Inbox to Intrusion
The campaign, first uncovered by the Acronis Threat Research Unit, marks a strategic pivot for the threat actor known as Mustang Panda. Previously focused on U.S. government targets, the group now sets its sights on India’s financial sector, deploying an upgraded version of their LOTUSLITE malware.
The attack starts with a spear-phishing email crafted to imitate a bank’s IT helpdesk, complete with a seemingly innocent Compiled HTML (CHM) file. Once opened, this file triggers a malicious pop-up but, more importantly, executes hidden code that downloads a JavaScript loader from a compromised website.
Here’s where the real subterfuge begins: the JavaScript orchestrates the extraction of a genuine Microsoft-signed executable, Microsoft_DNX.exe, alongside the attacker’s own malicious DLL. By exploiting a technique called DLL sideloading, the malware runs within the trusted Microsoft process, bypassing most security alarms.
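The sideloading pattern described above leaves a recognisable trace in endpoint telemetry: a signed executable loading a DLL from its own (non-system) directory that is not signed by the same publisher. The following detector is an added example, not code from the article or from Acronis. It runs over constructed image-load records in a simplified `key=value|key=value` format assumed for this example (not a real Sysmon schema); the file paths, the `helper.dll` name and the "ExampleVendor" entries are placeholders, and only `Microsoft_DNX.exe` comes from the article.

```python
"""Added example: flag DLL sideloading candidates in image-load telemetry.

Constructed record format (assumption, not a real product schema):
    Image=<process path>|ProcessSigner=<publisher>|ImageLoaded=<dll path>|DllSigner=<publisher>
A missing ProcessSigner or DllSigner field means the file is unsigned.
"""

import ntpath
from dataclasses import dataclass

# Directories from which a DLL load is expected; loads from here are not a sideload signal.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


@dataclass
class ImageLoad:
    process_image: str
    process_signer: str   # "" when the process binary is unsigned
    loaded_image: str
    loaded_signer: str    # "" when the DLL is unsigned or its signature is invalid


def parse_record(line: str) -> ImageLoad:
    """Parse one constructed 'key=value|key=value' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        process_image=fields["Image"],
        process_signer=fields.get("ProcessSigner", ""),
        loaded_image=fields["ImageLoaded"],
        loaded_signer=fields.get("DllSigner", ""),
    )


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """A sideload candidate: a signed process loads a DLL from its own directory,
    outside the Windows system directories, and the DLL is not signed by the
    same publisher as the process."""
    if not ev.process_signer:
        return False  # unsigned host process: not the trusted-signature abuse case
    if not ev.loaded_image.lower().endswith(".dll"):
        return False
    proc_dir = ntpath.dirname(ev.process_image).lower()
    dll_dir = ntpath.dirname(ev.loaded_image).lower()
    if any(dll_dir.startswith(d) for d in SYSTEM_DIRS):
        return False
    same_publisher = ev.loaded_signer == ev.process_signer
    return proc_dir == dll_dir and not same_publisher


def find_sideload_candidates(lines):
    """Return (process, dll) pairs from the records that match the sideload pattern."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_record(line)
        if is_sideload_candidate(ev):
            hits.append((ev.process_image, ev.loaded_image))
    return hits


# Constructed sample telemetry. Paths, "helper.dll" and "ExampleVendor" are invented
# for this example; only Microsoft_DNX.exe is named in the article.
SAMPLE_RECORDS = [
    # Signed Microsoft binary in a user temp folder loads a system DLL: expected.
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Microsoft_DNX.exe|ProcessSigner=Microsoft Corporation"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|DllSigner=Microsoft Windows",
    # Same binary loads an unsigned DLL sitting next to it: sideload candidate.
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Microsoft_DNX.exe|ProcessSigner=Microsoft Corporation"
    "|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
    # Vendor application loads its own vendor-signed DLL from its install directory: expected.
    "Image=C:\\Program Files\\ExampleVendor\\app.exe|ProcessSigner=Example Vendor Ltd"
    "|ImageLoaded=C:\\Program Files\\ExampleVendor\\plugin.dll|DllSigner=Example Vendor Ltd",
    # Unsigned process loads an unsigned DLL: worth a look, but not the trusted-signature pattern.
    "Image=C:\\Users\\alice\\Downloads\\tool.exe"
    "|ImageLoaded=C:\\Users\\alice\\Downloads\\tool.dll",
]

if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_RECORDS):
        print(f"possible DLL sideload: {proc} loaded {dll}")
```

The rule deliberately ignores system-directory loads even when the signer strings differ (Windows components and third-party binaries carry different publisher names), and it ignores unsigned host processes, which are a separate concern: the point of the campaign is that a trusted signature on the host process suppresses alerts, so the check focuses on that case.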
The LOTUSLITE v1.1 backdoor is engineered for stealth and persistence. Its communications are tunneled over encrypted HTTPS to a dynamic DNS server, making network detection a challenge. The malware’s internal code now explicitly references Indian banking institutions, with functions named after real banks like HDFC Bank, signaling careful tailoring for its targets.
Yet, for all their technical prowess, the attackers left subtle fingerprints. Legacy code referencing earlier campaigns, such as the “KugouMain” export from a previous sideloading scheme, remained embedded. They even taunted researchers with pop-up messages referencing those tracking their work, a rare glimpse into the personalities behind the code.
The campaign doesn’t stop at India. Similar LOTUSLITE variants have surfaced in attacks against Korean and U.S. policy circles, often using diplomatic-themed lures but recycling much of the same technical infrastructure and malware code.
Conclusion: Trust, Subverted
The LOTUSLITE campaign is a stark reminder that even the most trusted software can become a weapon in the hands of determined attackers. By piggybacking on Microsoft’s digital signature, Mustang Panda’s operators have found an effective way to slip past defenses, proving that in cybersecurity, trust is always conditional. For India’s banks and beyond, vigilance must extend beyond the unfamiliar to the very tools and processes once considered safe.
WIKICROOK
- DLL Sideloading: DLL sideloading is when attackers trick trusted programs into loading malicious helper files (DLLs) instead of the legitimate ones, enabling hidden attacks.
- Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
- Dynamic DNS: Dynamic DNS updates domain records with changing IPs, helping attackers hide servers by frequently altering their network locations.
- Spear Phishing: Spear phishing is a targeted cyberattack using personalized emails to trick specific individuals or organizations into revealing sensitive information.
- CHM File: A CHM file is a Windows help file format that can be exploited by attackers to deliver malware through embedded scripts or objects.