China’s APT LOTUS PANDA targets government with new Sagerunex backdoor variations

March 5, 2025Ravi LakshmananCyberspy/Network Security

The threat actor known as Lotus Panda has been observed targeting the government, manufacturing, telecommunications and media sectors in the Philippines, Vietnam, Hong Kong and Taiwan.

“Lotus Blossom has been using Sagerunex backdoors since at least 2016, increasingly adopting a long-term sustainable command shell and developing new variants of the Sagerunex malware suite,” Cisco Talos researcher Joey Chen said in an analysis published last week.

Also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon and Thrip, Lotus Panda is suspected to be a Chinese hacking crew that has been active since at least 2009. The threat actor was first exposed by Symantec in June 2018.

In late 2022, Broadcom-owned Symantec detailed attacks by the threat actor against digital certificate authorities as well as government and defense agencies in various countries across Asia, including the use of backdoors such as Hannotog and Sagerunex.

The exact initial access vectors used to breach the entities in the latest intrusion set are unknown, but the group has a history of carrying out spear-phishing and watering hole attacks. The unspecified attack pathway serves as a conduit for the Sagerunex implant, which is assessed to be an evolution of an older Billbug malware family known as Evora.

Notably, this activity uses two new "beta" variants of the malware that leverage legitimate services such as Dropbox, X, and Zimbra as command-and-control (C2) tunnels in order to evade detection. The variants are referred to as "beta" because of a debug string present in their source code.

The backdoor is designed to collect, encrypt, and exfiltrate host details to remote servers under the attacker's control. The Dropbox and X versions of Sagerunex are believed to have been in use between 2018 and 2022, while the Zimbra version is said to have been around since 2019.

“The Zimbra webmail version of Sagerunex is not only designed to collect victim information and send it to a Zimbra mailbox, but it is also designed to allow actors to use Zimbra mailing content to give orders and control the victim machine,” Chen said.

“If your mailbox has legitimate command order content, the backdoor downloads the content and extracts the command. Otherwise, the backdoor will delete the content and wait for the legitimate command.”

The results of command execution are then packaged as RAR archives and attached to draft emails in the mailbox's Drafts and Trash folders.
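As an added illustration (not from the article or from the Talos analysis) of how a defender might hunt for the mailbox-staging pattern described above, the script below scans constructed mailbox metadata for unsent items in Drafts or Trash that carry RAR attachments and reports accounts with repeated hits; the record layout, field names and sample values are assumptions, not a real Zimbra export.

```python
# Added example: a hunting heuristic for mailbox-as-C2 staging, where command
# output is dropped as RAR attachments on draft/trashed mail that is never sent.
# The record shape below is an assumption standing in for a mail-server export.
from collections import defaultdict

# Constructed sample: one record per mailbox item (not real data).
SAMPLE_ITEMS = [
    {"account": "user1@example.test", "folder": "Drafts", "subject": "weekly report",
     "attachments": ["report.docx"], "sent": False},
    {"account": "user2@example.test", "folder": "Drafts", "subject": "",
     "attachments": ["out_20250301.rar"], "sent": False},
    {"account": "user2@example.test", "folder": "Trash", "subject": "",
     "attachments": ["out_20250302.rar"], "sent": False},
    {"account": "user2@example.test", "folder": "Inbox", "subject": "cmd",
     "attachments": [], "sent": False},
    {"account": "user3@example.test", "folder": "Sent", "subject": "invoice",
     "attachments": ["invoice.rar"], "sent": True},
]

# Folders and extensions the article associates with the staging behaviour.
SUSPECT_FOLDERS = {"Drafts", "Trash"}
SUSPECT_EXTS = (".rar",)


def is_staged_exfil(item):
    """True for an unsent item in Drafts/Trash that carries an archive attachment."""
    if item["sent"] or item["folder"] not in SUSPECT_FOLDERS:
        return False
    return any(name.lower().endswith(SUSPECT_EXTS) for name in item["attachments"])


def hunt(items, min_hits=2):
    """Return {account: [attachment names]} for accounts with >= min_hits staged archives.

    A single odd draft is noise; repeated unsent archives in Drafts/Trash for the
    same account is the signal worth a manual review.
    """
    hits = defaultdict(list)
    for item in items:
        if is_staged_exfil(item):
            hits[item["account"]].extend(item["attachments"])
    return {acct: names for acct, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for acct, names in hunt(SAMPLE_ITEMS).items():
        print(f"review {acct}: {len(names)} staged archive(s): {', '.join(names)}")
```

Feeding real mailbox metadata into `hunt` would also want a time window and a sender/recipient check, since the described drafts are never addressed or sent.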

Also deployed in the attacks are a cookie stealer that harvests Chrome browser credentials, an open-source proxy utility named Venom, a program that adjusts privileges, and other tools such as bespoke software to compress and encrypt captured data.

Additionally, the threat actor has been observed performing reconnaissance of the target environment, running commands such as net, tasklist, ipconfig and netstat, and carrying out other checks to verify whether the host has internet access.

“If internet access is restricted, actors have two strategies: establish a connection using the target’s proxy settings, or use the Venom proxy tool to link the isolated machine to an Internet-accessible system,” Talos said.
