The China-related cyberspy group, tracked as a Lotuspanda, was attributed to a campaign that violated several organizations in an unknown Southeast Asian country between August 2024 and February 2025.
“The targets included government ministries, air traffic control organizations, telecommunications operators and construction companies,” Symantec’s threat hunters team said in a new report shared with Hacker News. “The attack involved the use of several new custom tools, including loaders, credential steelers and reverse SSH tools.”
The intrusion set is also said to have targeted air cargo organizations in other countries in Southeast Asia and other neighboring countries.
According to Broadcom’s cybersecurity division, the threat cluster is rated as a continuation of a campaign disclosed by the company as a well-known organization in Southeast Asia since at least October 2023.
Then last month, Cisco Talos linked the Lotuspanda actor to the invasion, along with a backdoor known as Sagerunex, to invasions targeting the government, manufacturing, communications and media sectors of the Philippines, Vietnam, Hong Kong and Taiwan.
Lotus Panda (aka Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Trip) has a history of coordinating cyberattacks against governments and military organizations in Southeast Asia.
The group, considered active since at least 2009, reads it in June 2015 when Palo Alto Networks exploded backdoor dubbed Elise (AKA Trensil), due to a permanent spear phishing campaign in which threat actors exploded Microsoft’s office flaws (CVE-2012-0158).
A subsequent attack, attached by the group, Microsoft’s Windows Ole flaw (CVE-2014-6332) weaponized the weapon via Booby-confined attachments sent in a spear phishing email, then worked for the French Ministry of Foreign Affairs in Taiwan to deploy another Trojan horse associated with Elise Codenamed Emissary.
In the latest wave of attacks discovered by Symantec, attackers leverage legitimate executables from Trend Micro (“TMDBGlog.exe”) and BitDefender (“Bds.exe”) to work to revive the loader, revive the loader, and launch the next stepped wages embedded within the stored file.
The exact nature of the file is unknown, but the BitDefender binaries are also used to sideload another DLL. Another unknown aspect of the campaign is the initial access vector used to reach the entity in question.
This attack paved the way for an updated version of Sagerunex, a tool used only by Lotus Panda. It has the ability to collect host information on targets, encrypt it, and remove details from external servers under attacker control.
Also deployed in the attack are the reverse SSH tool and two-qualified steelers, Chromekatz and CredentyKatz, which are equipped to smoke passwords and cookies stored in the Google Chrome web browser.
“The attacker deployed the publicly available Zrok Peer-to-Peer tool to provide remote access to internally exposed services using the tool’s sharing functions,” Symantec said. “Another legitimate tool used was called “DateChanger.exe.” Perhaps you can change the timestamp of the file to muddy the water for incident analysts.
Source link
