Middle East Conflict Fuels Cyber Attacks
ID: f8665599-0341-5f72-80dd-c10f59780e6b
STIX ID: report--f8665599-0341-5f72-80dd-c10f59780e6b
Feed Name: Zscaler Security Research Blog
ThreatLabz analyzed a Mustang Panda campaign that delivered the LOTUSLITE backdoor using a malicious DLL (libmemobook.dll) sideloaded by a renamed KuGou executable themed around the Iran conflict. The downloader enforces installation to C:\ProgramData (creating Run keys for persistence), then decrypts and executes embedded shellcode that fetches WebFeatures.exe and kugou.dll from a compromised domain (e-kflower.com); the next-stage DLLs exhibit code overlap with previously documented LOTUSLITE implants (C2: 172.81.60.97).
