The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a marketing campaign that compromised a number of organizations in an unnamed Southeast Asian nation between August 2024 and February 2025.
“Targets included a authorities ministry, an air visitors management group, a telecoms operator, and a development firm,” the Symantec Risk Hunter Workforce said in a brand new report shared with The Hacker Information. “The assaults concerned using a number of new customized instruments, together with loaders, credential stealers, and a reverse SSH instrument.”
The intrusion set can also be stated to have focused a information company positioned abroad in Southeast Asia and an air freight group positioned in one other neighboring nation.
The menace cluster, per Broadcom’s cybersecurity division, is assessed to be a continuation of a marketing campaign that was disclosed by the corporate in December 2024 as a high-profile group in Southeast Asia since a minimum of October 2023.
Then final month, Cisco Talos connected the Lotus Panda actor to intrusions geared toward authorities, manufacturing, telecommunications, and media sectors within the Philippines, Vietnam, Hong Kong, and Taiwan with a backdoor referred to as Sagerunex.
Lotus Panda (aka Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip) has a historical past of orchestrating cyber assaults towards governments and navy organizations in Southeast Asia.
Believed to be lively since a minimum of 2009, the group got here beneath the highlight for the primary time in June 2015 when Palo Alto Networks attributed the menace actor to a persistent spear-phishing marketing campaign that exploded a Microsoft Workplace flaw (CVE-2012-0158) to distribute a backdoor dubbed Elise (aka Trensil) that is designed to execute instructions and skim/write information.
Subsequent assaults mounted by the group have weaponized a Microsoft Home windows OLE flaw (CVE-2014-6332) through a booby-trapped attachment despatched in a spear-phishing email to a person then working for the French Ministry of Overseas Affairs in Taiwan to deploy one other trojan associated to Elise codenamed Emissary.
Within the newest wave of assaults noticed by Symantec, the attackers have leveraged legit executables from Pattern Micro (“tmdbglog.exe”) and Bitdefender (“bds.exe”) to sideload malicious DLL information, which act as loaders to decrypt and launch a next-stage payload embedded inside a domestically saved file.
The Bitdefender binary has additionally been used to sideload one other DLL, though the precise nature of the file is unclear. One other unknown facet of the marketing campaign is the preliminary entry vector used to succeed in the entities in query.
The assaults paved the best way for an up to date model of Sagerunex, a instrument solely utilized by Lotus Panda. It comes with capabilities to reap goal host data, encrypt it, and exfiltrate the main points to an exterior server beneath the attacker’s management.
Additionally deployed within the assaults are a reverse SSH instrument, and two credential stealers ChromeKatz and CredentialKatz which can be outfitted to siphon passwords and cookies saved within the Google Chrome internet browser.
“The attackers deployed the publicly accessible Zrok peer-to-peer instrument, utilizing the sharing operate of the instrument to be able to present distant entry to companies that had been uncovered internally,” Symantec stated. “One other legit instrument used was known as ‘datechanger.exe.’ It’s able to altering timestamps for information, presumably to muddy the waters for incident analysts.
Source link