Lotus Blossom

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)
ID: G0030
Associated Groups: Raspberry Typhoon, Spring Dragon, RADIUM, Thrip, Bilbug, DRAGONFISH
Version: 4.0
Created: 31 May 2017
Last Modified: 23 Apr 2025

Associated Group Descriptions

Name Description
Raspberry Typhoon (Citation: Microsoft Threat Actor Naming July 2023)
Spring Dragon (Citation: Spring Dragon Jun 2015)(Citation: Accenture Dragonfish Jan 2018)
RADIUM (Citation: Microsoft Threat Actor Naming July 2023)
Thrip (Citation: Cisco LotusBlossom 2025)
Bilbug (Citation: Symantec Bilbug 2022)
DRAGONFISH (Citation: Accenture Dragonfish Jan 2018)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Lotus Blossom has used commands such as `net` to profile local system users.(Citation: Cisco LotusBlossom 2025)

Enterprise T1087 .002 Account Discovery: Domain Account

Lotus Blossom has used `net` commands and tools such as AdFind to profile domain accounts associated with victim machines and make Active Directory queries.(Citation: Cisco LotusBlossom 2025)(Citation: Symantec Bilbug 2022)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Lotus Blossom has used WinRAR for compressing data in RAR format.(Citation: Cisco LotusBlossom 2025)(Citation: Symantec Bilbug 2022)

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Lotus Blossom has used custom tools to compress and archive data on victim systems.(Citation: Cisco LotusBlossom 2025)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Lotus Blossom has configured tools such as Sagerunex to run as Windows services.(Citation: Cisco LotusBlossom 2025)

Enterprise T1074 .001 Data Staged: Local Data Staging

Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration.(Citation: Cisco LotusBlossom 2025)

Enterprise T1588 .002 Obtain Capabilities: Tool

Lotus Blossom has used publicly available tools such as a Python-based cookie stealer for Chrome browsers, Impacket, and the Venom proxy tool.(Citation: Cisco LotusBlossom 2025)

Enterprise T1090 .001 Proxy: Internal Proxy

Lotus Blossom has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments.(Citation: Cisco LotusBlossom 2025)

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments.(Citation: Cisco LotusBlossom 2025)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet.(Citation: Cisco LotusBlossom 2025)
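Several of the entries above describe behaviour that leaves a recognisable trace in process-creation telemetry: `net` account enumeration (T1087.001/.002), AdFind queries (T1087.002), WinRAR compression of staged data (T1560.001) and service installation for tools such as Sagerunex (T1543.003). The script below is an added example, not code from ATT&CK, SECURITM or any of the cited reports: it parses a handful of constructed process-creation records, applies simple rules and maps each hit back to the technique IDs listed in this entry. The key=value log format, the hostnames, paths and commands in the sample, and the command-line patterns used as indicators are all assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed process-creation records (not from any real incident). The
# key=value layout with a trailing quoted cmd field is an assumed format.
SAMPLE_LOG = [
    'ts=2025-04-01T09:12:03Z host=WS-17 user=jdoe image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c net user"',
    'ts=2025-04-01T09:12:09Z host=WS-17 user=jdoe image=C:\\Windows\\System32\\net.exe cmd="net group "Domain Admins" /domain"',
    'ts=2025-04-01T09:15:44Z host=WS-17 user=jdoe image=C:\\Temp\\ad.exe cmd="ad.exe -f objectcategory=person -csv"',
    'ts=2025-04-01T09:20:10Z host=WS-17 user=jdoe image=C:\\Tools\\Rar.exe cmd="Rar.exe a -r -hp C:\\Temp\\out.rar C:\\Users\\jdoe\\Documents"',
    'ts=2025-04-01T09:25:30Z host=WS-17 user=SYSTEM image=C:\\Windows\\System32\\sc.exe cmd="sc create updsvc binPath= C:\\Temp\\updsvc.exe start= auto"',
    'ts=2025-04-01T09:30:00Z host=WS-22 user=asmith image=C:\\Windows\\notepad.exe cmd="notepad.exe notes.txt"',
]

# Rules keyed by the ATT&CK technique IDs from this group entry. The regexes are
# this example's assumptions about how each technique shows up on a command
# line; they are deliberately narrow and will miss renamed or obfuscated tooling.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("T1087.002", "Account Discovery: Domain Account",
     re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b.*\s/do(?:main)?\b", re.I)),
    # AdFind by image name, or by its LDAP filter switch when the binary is renamed
    ("T1087.002", "Account Discovery: Domain Account",
     re.compile(r'\badfind(?:\.exe)?\b|\s-f\s+"?\(?objectcategory=', re.I)),
    ("T1087.001", "Account Discovery: Local Account",
     re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b(?!.*\s/do(?:main)?\b)", re.I)),
    ("T1560.001", "Archive Collected Data: Archive via Utility",
     re.compile(r"\b(?:winrar|rar)(?:\.exe)?\s+a\b", re.I)),
    ("T1543.003", "Create or Modify System Process: Windows Service",
     re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)),
]

LINE_RE = re.compile(r'^(?P<fields>.*?)\s+cmd="(?P<cmd>.*)"$')
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one key=value record; the cmd field is taken whole so that
    embedded quotes (e.g. "Domain Admins") survive. Returns None on junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["cmd"] = m.group("cmd")
    return rec


def classify(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (technique id, name) pairs whose rule matches the image
    path plus command line, with each technique reported at most once."""
    text = rec.get("image", "") + " " + rec["cmd"]
    hits: List[Tuple[str, str]] = []
    for tid, name, pattern in RULES:
        if pattern.search(text) and all(tid != h[0] for h in hits):
            hits.append((tid, name))
    return hits


def analyze(lines: List[str]) -> List[Dict]:
    """Run every parsable record through the rules; keep only records that
    matched at least one technique."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({"ts": rec.get("ts"), "host": rec.get("host"),
                             "user": rec.get("user"), "cmd": rec["cmd"],
                             "techniques": hits})
    return findings


def techniques_by_host(findings: List[Dict]) -> Dict[str, Set[str]]:
    """Collapse findings into the set of technique IDs seen per host, which is
    the view an analyst uses to decide whether one host is showing a chain of
    discovery, staging and persistence rather than a single odd command."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f["host"], set()).update(tid for tid, _ in f["techniques"])
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        ids = ", ".join(tid for tid, _ in f["techniques"])
        print(f"{f['ts']} {f['host']} {f['user']}: {ids}  <- {f['cmd']}")
    print(techniques_by_host(analyze(SAMPLE_LOG)))
```

In the constructed sample, WS-17 accumulates local and domain account discovery, archiving with WinRAR and a service creation within a quarter of an hour, which is the kind of per-host clustering worth alerting on even when each individual command is something an administrator might legitimately run.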

Software

ID Name References Techniques
S0160 certutil (Citation: Symantec Bilbug 2022) (Citation: TechNet Certutil) Archive via Utility, Deobfuscate/Decode Files or Information, Install Root Certificate, Ingress Tool Transfer
S0082 Emissary (Citation: Emissary Trojan Feb 2016) (Citation: Lotus Blossom Dec 2015) Rundll32, Encrypted/Encoded File, Group Policy Discovery, Symmetric Cryptography, Windows Service, System Service Discovery, System Information Discovery, Binary Padding, System Network Configuration Discovery, Registry Run Keys / Startup Folder, Local Groups, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Dynamic-link Library Injection
S0357 Impacket (Citation: Cisco LotusBlossom 2025) (Citation: Impacket Tools) Windows Management Instrumentation, Security Account Manager, LSA Secrets, Network Sniffing, Ccache Files, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Lateral Tool Transfer, NTDS, Service Execution, Kerberoasting
S1211 Hannotog (Citation: Symantec Bilbug 2022) Service Stop, Windows Service, Disable or Modify System Firewall, Automated Exfiltration, Non-Standard Port, Windows Command Shell, Ingress Tool Transfer
S0081 Elise (Citation: Accenture Dragonfish Jan 2018) (Citation: BKDR_ESILE) (Citation: Lotus Blossom Jun 2015) (Citation: Page) (Citation: Spring Dragon Jun 2015) Rundll32, Standard Encoding, Encrypted/Encoded File, Local Data Staging, Match Legitimate Resource Name or Location, Symmetric Cryptography, Local Account, Windows Service, System Service Discovery, System Information Discovery, Timestomp, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Registry Run Keys / Startup Folder, File Deletion, Web Protocols, Ingress Tool Transfer, Dynamic-link Library Injection
S1210 Sagerunex (Citation: Cisco LotusBlossom 2025) (Citation: Symantec Bilbug 2022) Archive via Utility, Encrypted/Encoded File, Local Data Staging, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, Proxy, Execution Guardrails, Process Discovery, Exfiltration Over C2 Channel, One-Way Communication, Bidirectional Communication, Asymmetric Cryptography, Access Token Manipulation, Software Packing, Web Protocols, Dynamic-link Library Injection
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Bilbug 2022) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S0097 Ping (Citation: Symantec Bilbug 2022) (Citation: TechNet Ping) Remote System Discovery
S0552 AdFind (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Symantec Bilbug 2022) Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery