An espionage-focused threat actor dubbed “Lotus Blossom” is targeting areas around the South China Sea with a proprietary backdoor malware known as “Sagerunex.” The threat actor, which targets governments, manufacturing, media, and telecommunications organizations across the region, gains access to a target and then unfolds a multistage attack chain, according to recent research from Cisco Talos threat intelligence researcher Joey Chen.

Lotus Blossom, which has been in active operation since 2012, first issues a series of commands into Windows Management Instrumentation (WMI) to gain information related to user accounts, network configurations, process activities, and directory structures, he noted.

The origin of Lotus Blossom — also known as Spring Dragon, Billbug, and Thrip — is unclear. While some researchers, such as those at Symantec, have referred to the actor as being China-based, Cisco Talos’ recent post stops short of attribution, only noting that the threat actor targets “areas including the Philippines, Vietnam, Hong Kong and Taiwan.”
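The WMI reconnaissance step described above is one a defender can hunt for in process-creation telemetry: a single host issuing WMI queries against several of those categories (user accounts, network configuration, processes, directories) in a short window is a stronger signal than any one query alone. The following is an added detection example, not code from the Cisco Talos research or from the article; it assumes the queries arrive through `wmic.exe` (the mapping of each category to a `wmic` alias is my assumption, not something the article states), and it runs over a constructed, simplified log format rather than real campaign telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events in a simplified Sysmon-like
# text form (hypothetical format, not telemetry from the Lotus Blossom campaign):
#   <ISO-8601 time> host=<hostname> user=<account> cmd=<command line>
SAMPLE_EVENTS = [
    "2025-01-10T09:00:05 host=WS-17 user=jdoe cmd=wmic useraccount get name,sid",
    "2025-01-10T09:00:41 host=WS-17 user=jdoe cmd=wmic nicconfig get ipaddress,macaddress",
    "2025-01-10T09:01:12 host=WS-17 user=jdoe cmd=wmic process get name,executablepath",
    "2025-01-10T09:02:30 host=WS-17 user=jdoe cmd=wmic fsdir list brief",
    "2025-01-10T09:15:00 host=WS-04 user=svc_backup cmd=wmic process get name",
    "2025-01-10T14:30:00 host=WS-04 user=svc_backup cmd=wmic nicconfig get dnsdomain",
    "2025-01-10T14:31:00 host=WS-04 user=svc_backup cmd=notepad.exe notes.txt",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)

# Assumed mapping from the reconnaissance categories named in the article to
# real wmic.exe aliases. Each category is matched only when wmic itself is
# on the command line, to keep the rule from firing on unrelated tooling.
RECON_CATEGORIES = {
    "user_accounts": re.compile(r"\bwmic(?:\.exe)?\b.*\buseraccount\b", re.I),
    "network_config": re.compile(r"\bwmic(?:\.exe)?\b.*\bnicconfig\b", re.I),
    "processes": re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\b", re.I),
    "directories": re.compile(r"\bwmic(?:\.exe)?\b.*\b(?:fsdir|datafile)\b", re.I),
}


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": m["user"],
        "cmd": m["cmd"],
    }


def classify(cmd):
    """Return the reconnaissance category a command line falls into, or None."""
    for category, pattern in RECON_CATEGORIES.items():
        if pattern.search(cmd):
            return category
    return None


def find_recon_bursts(lines, window=timedelta(minutes=10), min_categories=3):
    """Flag hosts where at least `min_categories` distinct WMI recon categories
    occur within `window`. Returns {host: sorted list of categories seen}."""
    events = [e for e in map(parse_event, lines) if e]
    hits_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        category = classify(ev["cmd"])
        if category:
            hits_by_host[ev["host"]].append((ev["ts"], category))

    alerts = {}
    for host, hits in hits_by_host.items():
        # Slide a window starting at each hit; alert on the first dense cluster.
        for i, (start, _) in enumerate(hits):
            categories = {c for t, c in hits[i:] if t - start <= window}
            if len(categories) >= min_categories:
                alerts[host] = sorted(categories)
                break
    return alerts


if __name__ == "__main__":
    for host, categories in find_recon_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: WMI recon across {', '.join(categories)}")
```

In the constructed sample, `WS-17` runs queries from all four categories within three minutes and is flagged, while `WS-04` runs two queries more than five hours apart and is not; tuning `window` and `min_categories` is how you trade a few false positives from legitimate administration scripts against missing a slower actor.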
Espionage Actor ‘Lotus Blossom’ Targets South East Asia (Alexander Culafi, Dark Reading)