Lotus Blossom
Associated Group Descriptions

Name | Description
---|---
DRAGONFISH | (Citation: Accenture Dragonfish Jan 2018)
Thrip | (Citation: Cisco LotusBlossom 2025)
RADIUM | (Citation: Microsoft Threat Actor Naming July 2023)
Raspberry Typhoon | (Citation: Microsoft Threat Actor Naming July 2023)
Spring Dragon | (Citation: Spring Dragon Jun 2015)(Citation: Accenture Dragonfish Jan 2018)
Bilbug | (Citation: Symantec Bilbug 2022)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | Lotus Blossom has used commands such as `net` to profile local system users.(Citation: Cisco LotusBlossom 2025)
Enterprise | T1087.002 | Account Discovery: Domain Account | Lotus Blossom has used `net` commands and tools such as AdFind to profile domain accounts associated with victim machines and to make Active Directory queries.(Citation: Cisco LotusBlossom 2025)(Citation: Symantec Bilbug 2022)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Lotus Blossom has used WinRAR to compress data in RAR format.(Citation: Cisco LotusBlossom 2025)(Citation: Symantec Bilbug 2022)
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Lotus Blossom has used custom tools to compress and archive data on victim systems.(Citation: Cisco LotusBlossom 2025)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Lotus Blossom has configured tools such as Sagerunex to run as Windows services.(Citation: Cisco LotusBlossom 2025)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration.(Citation: Cisco LotusBlossom 2025)
Enterprise | T1588.002 | Obtain Capabilities: Tool | Lotus Blossom has used publicly available tools such as a Python-based cookie stealer for Chrome browsers, Impacket, and the Venom proxy tool.(Citation: Cisco LotusBlossom 2025)
Enterprise | T1090.001 | Proxy: Internal Proxy | Lotus Blossom has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments.(Citation: Cisco LotusBlossom 2025)
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Lotus Blossom has used tools such as the publicly available HTran tool to proxy traffic within victim environments.(Citation: Cisco LotusBlossom 2025)
Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Lotus Blossom has performed checks to determine whether a victim machine is able to access the Internet.(Citation: Cisco LotusBlossom 2025)
References

- Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS' MEETING AND ASSOCIATES. Retrieved November 17, 2024.
- Baumgartner, K. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.
- Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
- Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve? Retrieved February 15, 2016.
- Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.