Cisco Talos has uncovered a series of cyber espionage campaigns attributed to the advanced persistent threat (APT) group Lotus Blossom, also known as Spring Dragon, Billbug, and Thrip.
The group has been active since at least 2012, targeting government, manufacturing, telecommunications, and media sectors in regions such as the Philippines, Vietnam, Hong Kong, and Taiwan.
Talos identified Sagerunex, a backdoor tool used exclusively by Lotus Blossom, as the core malware in these campaigns.
The investigation revealed multiple variants of Sagerunex, evolving from its original form to leverage third-party cloud services such as Dropbox, Twitter, and Zimbra webmail as command-and-control (C2) tunnels, instead of traditional Virtual Private Servers (VPS). This shift helps the group evade detection while maintaining control over infected endpoints.
The group has been observed gaining persistence on compromised systems by embedding Sagerunex into the system registry and configuring it to run as a service. The malware operates as a dynamic link library (DLL), executed directly in memory to avoid detection. The campaigns also showcase long-term persistence strategies, allowing attackers to remain undetected for months.
Beyond Sagerunex, Lotus Blossom employs an arsenal of hacking tools to facilitate credential theft, privilege escalation, and data exfiltration. These include a Chrome cookie stealer from GitHub, a customized Venom proxy tool, a privilege adjustment tool, and an archiving tool for encrypting and stealing data.
Additionally, the group utilizes mtrain V1.01, a modified HTran proxy relay tool, to route connections between compromised machines and external networks.
The attack chain follows a structured multi-stage approach, starting with reconnaissance commands such as “net,” “tasklist,” “ipconfig,” and “netstat” to gather system details.
If an infected machine lacks direct internet access, the attackers leverage proxy settings or the Venom tool to establish connectivity. A notable tactic involves storing malicious tools in the “public\pictures” subfolder, a non-restricted directory, to avoid detection.
Talos’ research underscores the growing sophistication of Lotus Blossom, which continues to refine its techniques and expand its capabilities. With high confidence, Cisco attributes these campaigns to Lotus Blossom, highlighting its sustained cyber espionage operations against high-value targets.
