Tuesday, January 20, 2026

Researchers from the Acronis Threat Research Unit (TRU) have disclosed the discovery of a new cyber-espionage operation that exploits political developments in Venezuela as a lure to trick U.S. government personnel into opening malicious files. The campaign does not rely on advanced exploitation techniques or complex vulnerabilities; instead, it primarily uses social engineering, capitalizing on interest in current events to prompt targets to open files with reduced caution.
The attack leverages a DLL sideloading technique, in which malware is embedded within an application that appears legitimate. In this case, attackers modified a music player from Tencent and renamed it “Maduro to be taken to New York.exe.” When the file is executed, the application automatically loads a malicious DLL named “kugou.dll.” The malware, dubbed LOTUSLITE by researchers, functions as a backdoor, enabling remote control of the compromised system. Capabilities include data exfiltration, screen capture, and command execution. The malware also attempts to masquerade as Googlebot while exfiltrating stolen data to a command-and-control (C2) server at IP address 172.81.60.97, located in Phoenix, Arizona.
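A detection-side illustration of the Googlebot masquerade described above (an added example, not code from Acronis or the original article): genuine Googlebot requests arrive inbound from Google's crawlers, so an internal workstation sending that User-Agent outbound is anomalous. The proxy log layout, the internal address ranges and the sample lines are assumptions constructed for this example; only the C2 address comes from the article.

```python
import ipaddress
import re

# Reported C2 address, taken from the article above.
REPORTED_C2 = ipaddress.ip_address("172.81.60.97")
# Assumption: these ranges are the organisation's internal client networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumed (constructed) proxy log layout: time src dst method url "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
2026-01-15T09:12:01Z 10.20.3.14 203.0.113.10 GET http://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-01-15T09:14:40Z 10.20.3.77 172.81.60.97 POST http://172.81.60.97/upload "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2026-01-15T09:15:02Z 10.20.8.5 198.51.100.9 POST http://198.51.100.9/a "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2026-01-15T09:16:30Z 10.20.3.14 172.81.60.97 GET http://172.81.60.97/ "curl/8.5.0"
not a log line
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def analyze(log_text):
    """Return (findings, skipped); each finding is (ts, src, dst, reasons)."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparseable lines instead of dropping them silently
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            skipped += 1
            continue
        reasons = []
        # A crawler User-Agent leaving an internal host toward the internet.
        if is_internal(src) and not is_internal(dst) and "googlebot" in m["ua"].lower():
            reasons.append("googlebot-ua-from-internal-host")
        # Known-bad destination, matched regardless of User-Agent.
        if dst == REPORTED_C2:
            reasons.append("reported-c2-destination")
        if reasons:
            findings.append((m["ts"], str(src), str(dst), reasons))
    return findings, skipped

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG)[0], sep="\n")
```

The User-Agent rule is the more durable of the two, since it still fires if the operators move to a different server, while the address match catches traffic that does not use the masquerade.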
Researchers identified indicators linking the operation to the Mustang Panda (also known as HoneyMyte) hacking group. Embedded strings within the malware suggest the developer is Chinese, and the overall code quality indicates rushed development, consistent with attacks designed to quickly exploit breaking news. Acronis assesses with moderate confidence that Mustang Panda is behind the campaign, with objectives focused on political and strategic intelligence gathering rather than financial gain. The incident highlights that even relatively simple techniques, when combined with timely news themes and routine email delivery, can remain highly effective for breaching government systems and accessing sensitive information.
Source: https://hackread.com/mastang-panda-venezuela-news-lotuslite-malware/
